On October 29, 2024, the US Department of Justice (DOJ) issued a proposed rule to implement US President Joe Biden’s Executive Order (EO) 14117. This order aims to prevent countries of concern from accessing Americans’ sensitive personal data and US-government-related data. The proposal specifically includes health data as a category of sensitive personal data that could be exploited. Health insurers, service providers to health plans, and healthcare providers should review this proposed rule closely.
New state privacy laws regulating health data impose significant obligations and heightened litigation and regulatory risks. During this webinar, Elliot Golding and Sam Siegfried discussed how these laws apply, what they require, and practical tips to implement and operationalize compliance.
With the General Data Protection Regulation (GDPR) resulting in a rise in enforcement incidents, it is prudent for organizations operating in the health and life sciences industries across the United Kingdom, European Union (EU) and other European Economic Area (EEA) nations to assess their responsibilities regarding the gathering and handling of health data.
Major Points:
“Data concerning health” is a wide term; it doesn’t just apply to medical records. Policies and processing records should accurately capture all health data, including inference data.
Most EEA countries, and the United Kingdom, have national laws that supplement GDPR.
Consent is not the only legal basis for collecting, storing and using health data; there are other options available, but be aware that “insufficient legal basis for data processing” is a common type of GDPR violation.
If used, health data consents must be granular, specific and transparent, and they must break down all the purposes for which the data is being processed. Consent must be granted on an “opt-in” basis and not as a result of a pre-filled tick box.
Health data may be reused for genuine scientific research purposes provided the processing is compatible with the original use, appropriate safeguards are in place and any separate national law conditions are satisfied.
Privacy policies and transparency notices must be clear about the basis on which health data is processed.
Proceed carefully and consider reidentification risk when relying on anonymisation to process data; document any reidentification risk assessment and periodically review risk assessment in light of developments in publicly available data and evolving risk environment. Technical measures, such as evolving encryption standards, should be reviewed periodically.
The Office of the National Coordinator for Health Information Technology recently released a report detailing user experience research on patient access to health data. The Report sought to examine the experiences of individuals and processes of health systems, with commentary from medical record fulfillment administrators, to determine how the medical record request process can be improved for consumers.
As we reported in May 2014, the Federal Trade Commission (FTC) convened stakeholders to explore whether health-related information collected from and about consumers — known as consumer-generated health information (CHI) — through use of the internet and increasingly-popular lifestyle and fitness mobile apps is more sensitive and in need of more privacy-sensitive treatment than other consumer-generated data.
One of the key questions raised during the FTC’s CHI seminar is: “what is consumer healthinformation”? Information gathered during traditional medical encounters is clearly health-related. Information gathered from mobile apps designed as sophisticated diagnostic tools also is clearly health-related — and may even be “Protected Health Information,” as defined and regulated by Health Information Portability and Accountability Act (HIPAA), depending on the interplay of the app and the health care provider or payor community. But, other information, such as diet and exercise, may be viewed by some as wellness or consumer preference data (for example, the types of foods purchased). Other information (e.g., shopping habits) may not look like health information but, when aggregated with other information generated by and collected from consumers, may become health-related information. Information, therefore, may be “health information,” and may be more sensitive as such, depending on (i) the individual from whom it is collected, (ii) the context in which it is initially collected; (iii) the other information which it is combined; (iv) the purpose for which the information was initially collected; and (v) the downstream uses of the information.
Notably, the FTC is not the only regulatory body struggling with how to define CHI. On February 5, 2015, the European Union’s Article 29 Working Party (an EU representative body tasked with advising EU Member States on data protection) published a letter in response to a request from the European Commission to clarify the definitional scope of “data concerning health in relation to lifestyle and wellbeing apps.”
The EU’s efforts to define CHI underscore the importance of understanding CHI. The EU and the U.S. data privacy and security regimes differ fundamentally in that the EU regime broadly protects personally identifiable information. The US does not currently provide universal protections for personally identifiable information. The U.S. approach varies by jurisdiction and type of information and does not uniformly regulate the mobile app industry or the CHI captured by such apps. These different regulatory regimes make the EU’s struggle to define the precise scope and definition of “lifestyle and wellbeing” data (CHI) and develop best practices going forward all the more striking because, even absent such a definition, the EU privacy regime would offer protections.
The Article 29 Working Party letter acknowledges the European Commission’s work to date, including the European Commission’s “Green Paper on Mobile Health,” which emphasized the need for strong privacy and security protections, transparency – particularly with respect to how CHI interoperates with big data – and the need for specific legislation on CHI-related apps or regulatory guidance that will promote “the safety and performance of lifestyle and wellbeing apps.” But, in [...]