Health Privacy

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities:

  • designated* “operators of essential services” within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
  • certain “digital service providers” that offer services within the EU, namely online market places, online search engines and cloud computing services, excluding small/micro enterprises.

* Once the Directive is implemented in national law, Member States will have a further 6 months to apply criteria laid down in the Directive to identify specific operators of essential services covered by national rules; they do not need to undertake this exercise in relation to digital service providers, each of which shall be deemed to be under the jurisdiction of the Member State in which it has its “main establishment” (i.e., its head office in the Union).
Continue Reading EU Cyber Security Directive To Enter Into Force In August

On Tuesday, February 9, the Substance Abuse and Mental Health Services Administration (SAMHSA) published a proposed rule to update regulations at 42 C.F.R. Part 2 that protect the confidentiality of alcohol and drug abuse patient records.  The regulations were originally promulgated in 1975 and last substantively updated in 1987.  SAMHSA intends for these updates to better align the regulations with advances in the U.S. health care delivery system, such as health information technology.

Background

The regulations at 42 C.F.R. Part 2 (“Part 2 regulations”) protect the confidentiality of patient records that are maintained in connection with the performance of any federally assisted program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research.

The goal of the regulations is to ensure that individuals are not deterred from seeking treatment for substance abuse disorders out of concern about the potential disclosures of these records.  SAMHSA notes that unauthorized disclosure has the potential for significant negative consequences for patients, such as: loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration.

To safeguard substance abuse treatment records, Part 2 regulations require that a patient consent to the disclosure of individually identifiable information related to diagnoses, treatment, or referrals by federally assisted substance abuse programs, except in certain limited circumstances, such as a bona fide medical emergency, for research purposes, for audit and evaluation activities, and pursuant to a court order.

SAMHSA proposes the following changes to the regulations:
Continue Reading SAMHSA Proposes Changes to Confidentiality Rules

On Tuesday, the FTC announced the agenda for PrivacyCon, which is being billed as a “first-of-its-kind event” that will facilitate discussions between researchers and academics about privacy and security.  The FTC also released abstracts for the research that will be presented at the conference, scheduled for January 14.  PrivacyCon follows a call from the FTC last summer to “white hat” researchers and academics for papers on new vulnerabilities and how they might be exploited to harm consumers, as well as research in the area of big data, the Internet of things and consumer attitudes towards privacy.
Continue Reading FTC Releases Agenda for First-Ever PrivacyCon

On Friday, November 13, Federal Trade Commission (FTC) Chief Administrative Law Judge Chappell issued an Initial Decision dismissing the FTC’s complaint against LabMD, on the ground that the Commission’s staff had failed to carry its burden of demonstrating a “likely substantial injury” to consumers resulting from LabMD’s allegedly “unfair” data security practices. While Judge Chappell’s decision represents a victory for LabMD as the first company to successfully challenge an FTC Section 5 data security enforcement proceeding, the ruling may prove short-lived, as staff likely will appeal the case to the full Commission, which will review the decision de novo. Nevertheless, the Commission’s eventual handling of this proceeding could articulate a more precise standard for likely substantial injury that could guide future Section 5 “unfairness” jurisprudence.
Continue Reading Administrative Law Judge Dismisses FTC’s LabMD Complaint, Finding Insufficient Evidence of “Substantial Injury” to Consumers

The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system.  The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016. 
Continue Reading UK Government Launches Cybersecurity Service For Healthcare Organizations

On September 8, 2015, sixteen federal agencies published a long-awaited Notice of Proposed Rulemaking (NPRM) to modernize the Federal Policy for the Protection of Human Subjects, known as the “Common Rule.” The proposal, available here, includes a number of changes related to privacy and data security and other changes relevant to entities seeking to conduct secondary research using collected data.
Continue Reading Proposed Rule Would Amend Federal “Common Rule” Requirements

May 2015 saw a number of developments in the EU mHealth sector worthy of a brief mention.  The European Commission announced that it would work on new guidance for mHealth apps, despite the European Data Protection Supervisor and British Standards Institution publishing their own just weeks earlier.  In parallel, the French data protection authority announced a possible crackdown on mHealth app non-compliance with European data protection legislation.  This post briefly summarizes these developments.
Continue Reading May 2015 EU mHealth Round-Up

The Article 29 Data Protection Working Party (Working Party), an independent EU advisory body on data protection and privacy, responded to a request from the European Commission made in the framework of the Commission’s mHealth initiative to clarify the definition of data concerning health in relation to lifestyle and wellbeing apps.  (See more here, and here for our blog post on the European Commission’s Summary Report of the mHealth consultation.)

In its latest paper on health data in apps and devices, the Working Party supports a broad definition of health data, distinguishing the following three categories of health data:

  1. The data are inherently/clearly medical data, especially those generated in a professional, medical context.
  2. The data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person.
  3. Conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate, legitimate or otherwise adequate or not).
Continue Reading Article 29 Working Party Clarifies Scope of Health Data in Apps and Devices

Just two days after disclosing publicly that it was “the target of a very sophisticated external cyber attack” in which the personal information of over 80 million customers was compromised, officials of Anthem Inc., the nation’s second-largest health insurance company, are to brief staffers of the House Energy and Commerce Committee on the security breach.