What are the major risks and rewards of artificial intelligence’s healthcare transformation? In this AHLA podcast episode, Alya Sulaiman offers insight into how healthcare organizations should manage AI governance and examines related legislative and regulatory issues.
We expect to see continued focus on privacy and security at the federal and state level. For example, California, Virginia, Colorado, Utah and Connecticut have new privacy laws coming into effect in 2023. As part of our State Law Privacy Video Series, McDermott described how these laws will affect health data and healthcare entities—in particular, those entities that are regulated by HIPAA.
In addition, at the end of 2022, the US Department of Health and Human Services (HHS) proposed long-awaited changes to the regulations protecting the confidentiality of substance-use disorder patient records under Part 2 of Title 42 of the Code of Federal Regulations (42 CFR Part 2, or Part 2). Specifically, the proposed rule would implement provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which required HHS to align Part 2 with certain provisions of HIPAA and to make certain changes to the HIPAA Notice of Privacy Practices, the form given to patients and plan members that describes patient privacy rights, covered entity duties, and the covered entity’s uses and disclosures of protected health information.
The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. Almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.
Critical provisions
The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.
The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual to whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).
The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).
McDermott Will & Emery invites you to a webcast to hear how employers and third-party administrators protect the privacy of employee participants’ personal information. On March 23, 2016, Ann Killilea and Andrew Liazos will discuss complex issues faced by employers and the impact on employee benefit plan sponsors, and address the following topics related to managing data breaches:
Beyond HIPAA: Privacy and data security issues relevant to ERISA fiduciaries
Security threats to benefit plans
Fiduciary duties to protect regulated personal information
Ann Killilea is counsel in the law firm of McDermott Will & Emery LLP and brings to the Firm and to its Global Privacy and Data Protection Affinity Group more than 25 years of experience as senior in-house corporate counsel advising Hewlett-Packard Company (HP), and its predecessor companies Compaq Computer Corporation and Digital Equipment Corporation, all multinational companies in the information technology industry.
Andrew C. Liazos is a partner in the law firm of McDermott Will & Emery LLP and regularly represents Fortune 500 companies, public companies, large closely held businesses and compensation committees on all aspects of executive compensation; ERISA fiduciary and compensation plan governance; employee benefits in business transactions; initial public offerings and bankruptcy; international compensation planning and related litigation matters. He also counsels executives in employment agreement and joint-venture negotiations.
CLE credit for the live presentation of this program is pending in the states of California, Illinois, New York and Texas. A Uniform Certificate of Attendance will be made available to participants requesting CLE credit in all other states. Please be advised that CLE credit will not be approved for on-demand/recorded viewings of this program in the states listed above. Attendees seeking credit in other states should consult their state CLE accrediting agency to determine whether self-study credit can be earned for on-demand/recorded viewing of this program.
A lot has happened in the area of UK employment law in 2011, and there are many issues to consider as we plan for 2012. We are pleased to provide a resource of information following a recent webinar, which reflects on key learning points from 2011, and discusses what to look forward to as an employer in the UK in 2012. Topics include:
"Holiday and sick pay"
"Abolition of Default Retirement Age"
"Recessionary Times"
"Did the Bribery Act Mean the End of the “Jolly” in 2011?"
Two weeks ago, we wrote about a decision from an Administrative Law Judge (ALJ) (available here) finding that the National Labor Relations Act (NLRA) protected an employee’s Facebook comments made about his employer. Last week, an ALJ issued another decision involving social media and the NLRA, finding that an employee had engaged in some protected activity, but that he was ultimately fired for other, unprotected activity. In Karl Knauz Motors, a former salesperson claimed that he was fired after he posted pictures and comments on Facebook criticizing his employer’s choice of serving hot dogs at a sales event introducing the new BMW 5-series. The National Labor Relations Board (NLRB) recently issued a report related to social media (found here), in which it noted the employee’s posts in the BMW case were protected activity because they related to the terms and conditions of employment.
While the ALJ agreed that the employee had engaged in protected activity in discussing the sales event, the Judge held that the employer actually terminated the employee for his other Facebook posts, which mocked a co-worker for allowing a teenager to test drive a Land Rover; the teenager ultimately drove the car into a nearby pond. The Judge found that the NLRA did not protect such a posting because it had no connection to the terms and conditions of employment, and was posted solely by the employee, not as part of a discussion with other employees. Therefore, the employer did not violate the NLRA when it fired the employee.
In addition to the Facebook postings, the Judge also considered whether four provisions of the employer’s handbook violated Section 7 of the NLRA. The Judge dismissed the complaint regarding a provision that encouraged employees to have a good attitude at work, because it could be read to protect the relationship between the dealer and its customers, rather than to restrict employees’ Section 7 rights. However, the Judge held that the three remaining provisions, which each limited employees’ right to speak about employment, violated the NLRA because they all could be read as curtailing employees’ Section 7 rights, and if employees complied with these restrictions, they would not be able to discuss working conditions with union representatives or lawyers.
Based on this ALJ decision, employers should continue to exercise caution when making employment decisions based on social media comments. There continues to be a fine line between protected activity and unprotected activity when it comes to employees’ social media comments about their employers. In addition, employers should review and possibly revise their handbooks to ensure they cannot be read as restricting employees’ Section 7 rights.