Health Privacy

Covington’s global cross-practice Digital Health team has posted an illuminating three-part series on the Covington Digital Health blog that covers key questions entities should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle.


Continue Reading Digital Health Checkup: Key Questions to Consider in the Digital Health Sector

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.

Organisations that are interested in responding to the consultation have until September 30, 2017 to do so.  The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next.  A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details.
Continue Reading UK Government Proposes Cybersecurity Law with Serious Fines

On our sister blog, CovingtonDigitalHealth, our global cross-practice digital health team has launched a three-part series on the key questions the technology, life sciences and communications industries should be considering as they fit together the regulatory and commercial pieces of the complex digital health puzzle.  Read the first post in
Continue Reading Digital Health Check-Up: Key Questions Market Players Should Be Asking

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30,  2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system.  On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.
Continue Reading ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and 
Continue Reading European Cloud in Health Advisory Council Calls For Review of eHealth Rules and Ethics of Medical Data Re-Use

By Denitsa Marinova

On April 11, 2017, the Data Protection Commissioner of Ireland (DPC) published her annual report for 2016, highlighting key developments and activities for the past year and outlining priorities for 2017 and beyond.  The report will be of interest to Irish entities and multinational organizations with a base in Ireland, including companies active in the technology and healthcare sectors.

In 2016, the DPC investigated a record number of complaints (1,479 in total, the majority involving data access requests); received 2,224 notifications of valid data security breaches (a decrease from 2015); carried out over 50 privacy audits and inspections; acted as lead reviewer in seven Binding Corporate Rules (BCR) applications; and held over 100 face-to-face meetings with multinational companies.
Continue Reading Irish Data Protection Commissioner Releases 2016 Annual Report

The EU-U.S. Privacy Shield’s recent introduction has created an efficient mechanism to ensure that trans-Atlantic personal data flows are lawful.  With that in place, attention is now turning back to restrictions within the EU, particularly around hosting data in cloud computing services.

European healthcare is particularly affected by such restrictions.  This has motivated a significant group of organizations and policymakers to come together and launch a collective “call to action” to European policymakers, urging greater support and reforms to enable broader use of cloud computing in healthcare.  The Call to Action was previewed at eHealth Week 2016 in June.
Continue Reading EU Organizations Call for More Support for Cloud Computing in Healthcare

A new post on the Covington eHealth blog reports that the UK government is running a consultation around NHS patient data security standards and a new legal framework for secondary uses (e.g. research) of patient data.  To find out more about the proposals and the consultation, please click here
Continue Reading UK Government Considering New Patient Data Security and Research Consent Standards, Sanctions

Last month, the FDA released a draft guidance document on the sharing of patient-specific data associated with medical devices, including information recorded, stored, processed, retrieved, and/or derived from the device.  A new post on Covington’s Inside Medical Devices blog discusses the draft guidance and its implications for sharing patient information.
Continue Reading FDA Releases Draft Guidance on Dissemination of Patient-Specific Information by Device Manufacturers

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities:

  • designated* “operators of essential services” within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
  • certain “digital service providers” that offer services within the EU, namely online market places, online search engines and cloud computing services, excluding small/micro enterprises.

* Once implemented in national law, Member States will have a further 6 months to apply criteria laid down in the Directive to identify specific operators of essential services covered by national rules; they do not need to undertake this exercise in relation to digital service providers, which shall be deemed to be under the jurisdiction of the Member State in which it has its “main establishment” (i.e., its head office in the Union).
Continue Reading EU Cyber Security Directive To Enter Into Force In August