In late June, Crowell & Moring partnered with Accenture to host a comprehensive one-day conference on legal issues affecting the digital health landscape. The program covered a wide range of topics, some of which you can read more about via the following links: Developing Digital Health Platforms; the Health Care Economy’s Internet of Things; and New Payment Models and Data. More information on the June 23rd “Fostering Innovative Digital Health Strategies Conference” can be found on

One session touched upon privacy and cybersecurity issues regarding the usage of products and data in the digital health realm. This panel was moderated by Fauzia Zaman-Malik, Accenture’s Global Legal Lead for Health Industry Offerings and North America Legal Lead for Health and Public Services Operating Group; and featured Evan Wolff, partner at Crowell & Moring; Cora Han, FTC senior attorney, Division of Privacy and Identity Protection; and Hilary Weckstein, chief privacy officer at Inovalon, Inc.

This panel focused on methods and benefits of de-identification, HIPAA requirements, the FTC’s role in regulating big data and digital health technologies, and data breach preparation and response.  Keep reading for four key takeaways from this session; the full panel session can also be accessed by video at this link.

  • Ensure proper de-identification. De-identification means removing or generalizing the elements of a data set that identify a person, so that the remaining data cannot reasonably be linked back to that individual. Under HIPAA, data counts as de-identified only if it meets one of the two recognized methods: stripping the enumerated identifiers (the Safe Harbor method) or obtaining a documented expert determination that the risk of re-identification is very small. As a general matter, companies that handle both identifiable and de-identified data should limit access to identifiable data to a small number of people in the organization and establish strict policies and processes around de-identification, for example a steering committee that approves de-identification methods and the uses to which the data may be put.
  • Policy is a moving target, but there is guidance. Because the category of health data is new and keeps expanding, that data can be used and shared in ways consumers do not expect. Consumers are willing to share this information in some contexts (e.g., disease communities) but not in others (e.g., advertising, employment, insurance). The FTC's guidance for mobile health app developers is a good starting point for companies that want to know which laws may apply to them, and its big data report addresses how companies using such data can avoid inadvertently harming consumers.
  • Incident response requires a defined governance structure. Cybersecurity incident response is a shared responsibility among technical personnel, the Chief Information Security Officer, human resources, counsel responsible for cyber issues, and any other personnel needed to answer questions and prepare press statements and notifications. It is critical to build, before an incident occurs, an operational structure that assigns management and oversight responsibilities and ensures that the responsible positions communicate with one another (including through regular meetings).
  • Security is about risk mitigation. In the current climate there are two types of companies: those that have been hacked and know it, and those that have been hacked and don't know it. Given the likelihood of a breach, companies should identify their sensitive and regulated data and systems, develop incident response plans (including a company-wide escalation process for the different types of cyber events), and run simulated exercises such as tabletop drills to test those plans well in advance of a real breach.
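The de-identification takeaway above says what to remove but not how, so here is a worked illustration added to this post (it is not the panel's material, nor code from Crowell & Moring, Accenture, the FTC or Inovalon). It applies the HIPAA Privacy Rule's Safe Harbor method, one of the two de-identification methods the rule recognizes (the other being expert determination): direct identifiers are dropped, dates are reduced to the year, ZIP codes to their first three digits, ages over 89 are collapsed into a single "90 or older" bucket, and free-text notes are scanned for identifiers that structured-field stripping would miss. The field names, the sample record, the reference date and the set of low-population ZIP prefixes are constructed for the example; a production ZIP set comes from census data.

```python
"""Safe Harbor style de-identification of a patient record.

Example code added to this post; not from the panel or from any firm named
above.  Field names, the sample record, the reference date and the
low-population ZIP prefix set are constructed for illustration.
"""
import re
from datetime import date

# Direct identifiers dropped outright (a subset of the 18 Safe Harbor
# identifier categories; these field names are assumed, not a standard).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "phone", "street", "device_serial"}
# Event dates other than date of birth are reduced to the year.
EVENT_DATE_FIELDS = {"admit_date", "discharge_date"}
# Identifier patterns that commonly leak through free-text notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]
# Constructed reference point used to compute ages (the conference date).
REFERENCE_DATE = date(2016, 6, 23)

# Constructed sample record; no real person is described.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "dob": "1925-04-12",
    "zip": "20036",
    "admit_date": "2016-06-01",
    "diagnosis": "E11.9",
    "notes": "Daughter can be reached at 202-555-0143 or jsample@example.com; seen 2016-06-01.",
}


def age_on(dob, ref):
    """Whole years between dob and ref."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def scrub_text(text):
    """Replace identifier-looking substrings in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, ref_date, low_pop_zip3=frozenset()):
    """Return a Safe Harbor style copy of record.

    low_pop_zip3: 3-digit ZIP prefixes whose combined population is 20,000
    or fewer; Safe Harbor requires those to be reduced to '000'.  The real
    set comes from census data.  The empty default assumes every prefix is
    large enough, which is an assumption a caller must override.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob":
            dob = date.fromisoformat(value)
            age = age_on(dob, ref_date)
            # Ages over 89, and any date element implying such an age
            # (including the birth year), collapse to one '90+' bucket.
            if age > 89:
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = dob.year
        elif key in EVENT_DATE_FIELDS:
            out[key] = date.fromisoformat(value).year
        elif key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in low_pop_zip3 else zip3
        elif isinstance(value, str):
            # Free-text and code fields: scrub embedded identifiers.
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def deidentify_sample():
    """De-identify the constructed sample record against REFERENCE_DATE."""
    return deidentify(SAMPLE_RECORD, REFERENCE_DATE)


if __name__ == "__main__":
    print(deidentify_sample())
```

The free-text pass is the step most often skipped: a record whose name and MRN columns are empty is still identifiable if a clinician's note carries the patient's phone number. Pattern scrubbing catches common formats, not every leak, which is one reason the panel recommends a formal process and a small, accountable group rather than ad hoc stripping.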

Experienced legal counsel can help protect privacy of health information, develop compliance and risk management strategies, and deal with incident response. For more information, please contact the authors of this post or your regular Crowell & Moring contact.

Marisa E. Adelson

Marisa Adelson is an associate in Crowell & Moring’s San Francisco office, where she practices in the Health Care and Antitrust groups. In her health care practice, Marisa represents managed care payors and provides counseling on regulatory compliance. Marisa’s antitrust practice primarily involves complex antitrust recovery litigation. Marisa has an active pro bono practice and currently represents a client from South Asia seeking asylum in the United States.

Jodi G. Daniel

Jodi Daniel is a partner in Crowell & Moring’s Washington, D.C. office and a member of the firm’s Health Care Group, where she provides strategic advice to clients navigating the legal and regulatory environments related to technology in the health care sector. Jodi is the former director of the Office of Policy in the Office of the National Coordinator for Health Information Technology (ONC), U.S. Department of Health and Human Services (HHS). She served for a decade as the director at the ONC and 15 years at HHS, where she helped spearhead important changes in health information privacy and health information technology to improve health care for consumers nationwide.

For more than a decade, Jodi was responsible for thought leadership, policy development, and identifying policy drivers for health IT activities within the federal government, and ultimately established HHS's national health IT policy. As director at the ONC, she addressed privacy and security issues to ensure there was clear guidance on how the original Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules applied to health IT. Jodi set the strategic direction and policy on consumer e-health and health IT safety. She is also credited with establishing the ONC's regulatory capacity and led the development of all ONC regulations on health IT standards and certification.

As the first senior counsel for health information technology in the Office of the General Counsel (OGC) of HHS, Jodi developed HHS’s foundational legal strategies and coordinated all legal advice regarding health IT for HHS. She founded and chaired the health information technology practice group within OGC and worked closely with the Centers for Medicare and Medicaid Services in the development of the e-prescribing standards regulations and the Stark and anti-kickback rules regarding e-prescribing and electronic health records.