TRANSCRIPT
© 2018 HITRUST Alliance
LEGAL AND REGULATORY CONSIDERATIONS IN THE US AND INTERNATIONALLY
Kirk J. Nahra Wiley Rein LLP
Washington, D.C. 202.719.7335
[email protected] @kirkjnahrawork
February 20, 2018
My Presentation
§ Discuss the latest developments in the world of privacy and security, for the US and internationally
§ Discuss major areas of change over the next few years
§ Lessons learned from recent enforcement activity
§ Discuss the current enforcement environment at the state and federal level
§ Answer your questions about the future of healthcare privacy and security enforcement and related activity
GDPR
§ Direct regulation – processors and controllers
§ Transfer implications
§ Contracting implications
GDPR
§ Lots of nervousness
§ Lots of uncertainty
§ Expect "example" enforcement relatively early on (late 2018?)
§ Expect contracting uncertainty
§ There may be other changes as well
Privacy Shield / Data Transfer
§ Aside from GDPR, some companies have to deal with Privacy Shield to become appropriate data transfer recipients
§ Similar programs arising in other parts of the world (e.g., Asia-Pacific)
§ Requires reasonable compliance activity
§ Expect some enforcement in US
The New Administration
§ We really know nothing about any intentions in the specific world of healthcare privacy and security
§ Not a first, second or even third tier issue
§ General consensus is that there are few strong policy positions beyond first tier issues and general philosophy
The New Administration
§ Relevant philosophical points
§ Overall concern about cybersecurity
§ Willingness to engage in broad personal data review, surveillance and oversight
§ Presumably less government regulation
§ Perhaps less governmental spending
§ Perhaps less overall government enforcement
FTC Enforcement
§ Wholesale change in Commission leadership (ongoing)
§ Had been moving to a more aggressive view on "consumer harm" (with the likely reduction in enforcement)
§ Will there be even less enforcement?
OCR Generally
§ Two high level losses in main HIPAA enforcement leadership
§ New OCR head with different priorities
§ Real budget issues with a new (non-HIPAA) office added under same budget
§ Recent reduction in enforcement, not clear if this is just transition
Changes to law/regulations
§ Hard to see any push to change statutory language
§ Unlikely to see new regulatory proposals, at least in early period (and likely longer)
§ Unlikely to see pulling back on privacy rights
§ Unlikely to see new HITECH rules that have been on hold (at least in short term)
Enforcement
§ Enforcement certainly has been growing, but on a slow and steady basis
§ Mainly growing because of low levels of enforcement activity in early years
§ No particular reason to expect any fundamental change in enforcement philosophy
Enforcement
§ Pending investigations take a long time to finish
§ So no reason to think current staff won't follow those through to completion
§ Future enforcement depends primarily on budget and resources more than philosophy
Enforcement
§ Cases involving significant failures of compliance
§ Cases involving repeated and/or uncorrected problems
§ Particularly "noticeable" problems / high impact cases / send-a-message cases (?)
Business Associates
§ Little real enforcement involving business associates yet
§ A real challenge for OCR – how to treat companies who deal with much more than healthcare
§ And the enormous range of size/sophistication of these entities
State Role
§ Expect state AGs to be more active on privacy and security
§ Some recent data breach cases where state AGs are aggressive (e.g., Equifax) or filling gaps (New York)
§ Real questions as to whether they will understand/apply nuance or provide experienced judgment on HIPAA issues
Alternative enforcement
§ The Plaintiffs' Bar
§ They are watching for openings because of damage theories AND exploring a broader role both in class action cases and in "sending a message" claims
The Plaintiffs' Bar
§ Looking for ways to avoid the need to prove specific damages
§ Class action lawyers trying to define harm across all industries
§ Portion of payments/premiums
§ Overall weak security practices (anticipatory claims)
Damages are a Real Hurdle
§ Smith v. Chase Manhattan Bank
§ Financial institution gave list to third party, received payments on sales
§ Said it didn't do these things in privacy notice
§ No damages alleged / no cause of action
§ Only unwanted telemarketing
Smith v. Chase
§ "The 'harm' at the heart of this purported class action, is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm."
IoT and Unregulated Data
§ Increasing concerns about big data environment
§ Previous administration had been giving thoughtful and ongoing consideration to pros and cons of big data environment
§ Those activities seem to have stopped for the time being
The biggest "next generation" issue
§ HIPAA has always been a limited scope privacy/security rule
§ It applies to healthcare information only where a covered entity is involved.
§ Accordingly, there always have been gaps where various entities collect or maintain healthcare data but are not covered by the HIPAA rules.
The biggest "next generation" issue
§ What is "outside" of HIPAA is growing
§ Websites gather and distribute healthcare information without the involvement of a covered entity.
§ These range from commercial websites (e.g., WebMD) to patient support groups to the growth of personal health records.
§ Now add mobile apps and wearables
More "next generation" issues
§ An emerging (and related) issue – bringing "outside" HIPAA information "inside" HIPAA
§ CEs are gathering all kinds of data about their patients/customers/insureds from outside the healthcare system and using it for "healthcare purposes"
Recent Headlines
§ "Your Doctor Knows You're Killing Yourself. The Data Brokers Told Her." (Bloomberg)
§ "You may soon get a call from your doctor if you've let your gym membership lapse, made a habit of picking up candy bars at the check-out counter or begin shopping at plus-sized stores."
Recent Headlines
§ "When a Health Plan Knows How You Shop." (New York Times)
§ Health plan prediction models using consumer data from data brokers (e.g., income, marital status, number of cars) to predict emergency room use and urgent care.
Tentative Predictions
§ This HIPAA/non-HIPAA issue is not going away (although we may be on hiatus now)
§ There is too much data being used by too many people in too many risky contexts
§ Lots of pressure from many fronts to "do something" about this non-HIPAA healthcare data
Tentative Predictions
§ 3 Main Options
§ Something specific for this non-HIPAA healthcare data
§ Something that covers all healthcare data
§ A broader overall privacy law (with or without a HIPAA carve-out)
Legislation
§ Expect state legislation on a variety of privacy and security topics
§ Expect some pressure at federal level for data breach notification legislation or overall security legislation
§ Don't bet a lot of money on those passing
Keys for CEs/BAs
1. Risk Assessment
2. Risk Assessment
3. Risk Assessment
4. Seriously. Do a risk assessment.
Other Keys
§ Be responsive to any inquiries – thorough, timely, accurate
§ Fix your problems – both immediate mitigation of breach-related issues and longer term process issues
§ Make sure you have BA Agreements with everyone you should
Lessons Learned
§ Be smart and careful about how you handle PHI
§ Train your employees
§ Be prepared to act quickly if there is a problem
§ Have an overall risk assessment that incorporates your business activities
Visit www.HITRUSTAlliance.net for more information