In late June, Crowell & Moring partnered with Accenture to host a comprehensive one-day conference on legal issues affecting the digital health landscape. The program covered a wide range of topics, some of which you can read more about via the following links: Developing Digital Health Platforms; the Health Care Economy’s Internet of Things; and New Payment Models and Data. More information on the June 23rd “Fostering Innovative Digital Health Strategies Conference” can be found on Crowell.com.
One session touched upon privacy and cybersecurity issues regarding the usage of products and data in the digital health realm. This panel was moderated by Fauzia Zaman-Malik, Accenture’s Global Legal Lead for Health Industry Offerings and North America Legal Lead for Health and Public Services Operating Group; and featured Evan Wolff, partner at Crowell & Moring; Cora Han, FTC senior attorney, Division of Privacy and Identity Protection; and Hilary Weckstein, chief privacy officer at Inovalon, Inc.
This panel focused on methods and benefits of de-identification, HIPAA requirements, the FTC’s role in regulating big data and digital health technologies, and data breach preparation and response. Keep reading for four key takeaways from this session; the full panel session can also be accessed by video at this link.
- Ensure proper de-identification. De-identification refers to removing certain personal data from information so that it can no longer be tied back to the individual source of that data. As a general matter, companies dealing with identifiable and de-identified data should limit who can access identifiable data to a small number of people in the organization and establish strict policies and processes around de-identification. This may include use of a steering committee for de-identification methods and data uses.
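To make the de-identification point concrete, here is an added example that is not part of the panel summary or any Crowell & Moring or Accenture material. It assumes an organization has adopted a rule set in the style of HIPAA's Safe Harbor method (strip direct identifiers, reduce dates to years, cap ages at 90, truncate ZIP codes to three digits) and applies it to a patient record; the identifier list, the restricted ZIP prefixes, and the sample record are all constructed for illustration.

```python
import re
from datetime import date

# Field names treated as direct identifiers and dropped outright. This is a
# constructed list modelled on the kinds of fields Safe Harbor enumerates; a
# real deployment would derive it from its own data dictionary.
DIRECT_IDENTIFIERS = {"name", "ssn", "email", "phone", "mrn", "address"}

# Three-digit ZIP prefixes whose population is too small to keep. The real set
# comes from census figures; these values are a constructed stand-in.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Patterns that betray identifiers hiding inside free-text fields (notes are a
# classic place for re-identification leaks).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or "000" if the prefix is restricted."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def generalize_age(dob: date, as_of: date) -> str:
    """Replace a birth date with an age in years, capped at "90+"."""
    age = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        age -= 1
    return "90+" if age >= 90 else str(age)


def scrub_free_text(text: str) -> str:
    """Redact SSN- and phone-shaped tokens that survived inside notes."""
    text = SSN_RE.sub("[REDACTED]", text)
    return PHONE_RE.sub("[REDACTED]", text)


def deidentify(record: dict, as_of: date) -> dict:
    """Return a de-identified copy of one patient record.

    Direct identifiers are removed, the birth date becomes an age, ZIP codes
    become ZIP3, any other date is reduced to its year, and remaining string
    fields are scrubbed for identifier-shaped tokens.
    """
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in DIRECT_IDENTIFIERS:
            continue
        if k == "zip":
            out["zip3"] = generalize_zip(value)
        elif k == "dob":
            out["age"] = generalize_age(value, as_of)
        elif isinstance(value, date):
            out[key] = str(value.year)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Post-check: list fields that still look like direct identifiers.

    Run this over every de-identified batch before release; an empty list is
    the expected result.
    """
    leaks = []
    for key, value in record.items():
        if key.lower() in DIRECT_IDENTIFIERS:
            leaks.append(key)
        elif isinstance(value, str) and (SSN_RE.search(value) or PHONE_RE.search(value)):
            leaks.append(key)
    return leaks


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "dob": date(1930, 5, 1),
    "zip": "02139",
    "visit_date": date(2016, 6, 23),
    "diagnosis": "E11.9",
    "note": "Patient SSN 123-45-6789, call 617-555-0100 to confirm.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, as_of=date(2016, 6, 23))
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The `residual_identifiers` check is the part worth keeping in a real pipeline: the transformation and the verification should be separate steps, and releases should be gated on the verification passing, not on the transformation having run.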
- Policy is a moving target, but there is guidance. Because the category of health data is new and still expanding, such data can be used and shared in ways consumers would not expect. Consumers want to share this information in certain contexts (e.g., disease communities) but not others (e.g., advertising, employment, insurance). The FTC’s guidance for mobile health app developers provides a great starting place for companies that want to know which laws may apply, and its big data report addresses how companies using such data can avoid inadvertently harming consumers.
- Incident response requires a defined governance structure. Cybersecurity incident response is a shared responsibility among technical personnel, a Chief Information Security Officer, human resources, counsel responsible for cyber issues, and any other personnel necessary to answer questions and provide press statements and notifications. Development of an operational structure to ensure proper management and oversight in the event of an incident and to facilitate appropriate communication between responsible positions (including regular meetings) is critical.
- Security is about risk mitigation. In the current climate, there are two types of companies: those that have been hacked and know it and those that have been hacked and don’t know it. Given the likelihood of a breach, it is critical for companies to identify their sensitive and regulated data and systems, to develop incident response plans (including a company-wide escalation process for various types of cyber events) and to conduct simulated exercises to test those plans well in advance of a breach.
Experienced legal counsel can help protect privacy of health information, develop compliance and risk management strategies, and deal with incident response. For more information, please contact the authors of this post or your regular Crowell & Moring contact.