2 © 2018 HITRUST Alliance

LEGAL AND REGULATORY CONSIDERATIONS IN THE US AND INTERNATIONALLY

Kirk J. Nahra Wiley Rein LLP

Washington, D.C. 202.719.7335

KNahra@wileyrein.com @kirkjnahrawork

February 20, 2018

MyPresentation §  Discussthelatestdevelopmentsintheworldofprivacyandsecurity,fortheUSandinternationally

§  Discussmajorareasofchangeoverthenextfewyears

§  Lessonslearnedfromrecentenforcementactivity§  Discussthecurrentenforcementenvironmentatthestateandfederallevel

§  Answeryourquestionsaboutthefutureofhealthcareprivacyandsecurityenforcementandrelatedactivity

3 3

GDPR§  Directregulation–processorsandcontrollers§  Transferimplications§  Contractingimplications

4

GDPR§  Lotsofnervousness§  Lotsofuncertainty§  Expect“example”enforcementrelativelyearlyon(late2018?)

§  Expectcontractinguncertainty§  Theremaybeotherchangesaswell

5

PrivacyShield/DataTransfer§  AsidefromGDPR,somecompanieshavetodealwithPrivacyShieldtobecomeappropriatedatatransferrecipients

§  Similarprogramsarisinginotherpartsoftheworld(e.g.,Asia-Pacific)

§  Requiresreasonablecomplianceactivity§  ExpectsomeenforcementinUS

6

TheNewAdministration§ Wereallyknownothingaboutanyintentionsinthespecificworldofhealthcareprivacyandsecurity

§  Notafirst,secondoreventhirdtierissue§  Generalconsensusisthattherearefewstrongpolicypositionsbeyondfirsttierissuesandgeneralphilosophy

7

TheNewAdministration§  Relevantphilosophicalpoints§  Overallconcernaboutcybersecurity§ Willingnesstoengageinbroadpersonaldatareviewsurveillanceandoversight

§  Presumablylessgovernmentregulation§  Perhapslessgovernmentalspending§  Perhapslessoverallgovernmentenforcement

8

FTCEnforcement§ WholesalechangeinCommissionleadership(ongoing)

§  Hadbeenmovingtoamoreaggressiveviewon“consumerharm”(withthelikelyreductioninenforcement)

§ Willtherebeevenlessenforcement?

9

OCRGenerally§  TwohighlevellossesinmainHIPAAenforcementleadership

§  NewOCRheadwithdifferentpriorities§  Realbudgetissueswithanew(non-HIPAA)officeaddedundersamebudget

§  Recentreductioninenforcement,notclearifthisisjusttransition

10

Changestolaw/regulations§  Hardtoseeanypushtochangestatutorylanguage§  Unlikelytoseenewregulatoryproposals,atleastinearlyperiod(andlikelylonger)

§  Unlikelytoseepullingbackonprivacyrights§  UnlikelytoseenewHITECHrulesthathavebeenonhold(atleastinshortterm)

11

Enforcement§  Enforcementcertainlyhasbeengrowing,butonaslowandsteadybasis

§ Mainlygrowingbecauseoflowlevelsofenforcementactivityinearlyyears

§  Noparticularreasontoexpectanyfundamentalchangeinenforcementphilosophy

12

Enforcement§  Pendinginvestigationstakealongtimetofinish§  Sonoreasontothinkcurrentstaffwon’tfollowthosethroughtocompletion

§  Futureenforcementdependsprimarilyonbudgetandresourcesmorethanphilosophy

13

Enforcement§  Casesinvolvingsignificantfailuresofcompliance§  Casesinvolvingrepeatedand/oruncorrectedproblems

§  Particularly“noticeable”problems/Highimpactcases/sendamessagecases(?)

14

BusinessAssociates§  Littlerealenforcementinvolvingbusinessassociatesyet

§  ArealchallengeforOCR–howtotreatcompanieswhodealwithmuchmorethanhealthcare

§  Andtheenormousrangeofsize/sophisticationoftheseentities

15

StateRole§  ExpectstateAGstobemoreactiveonprivacyandsecurity

§  SomerecentdatabreachcaseswherestateAGsareaggressive(e.g.,Equifax)orfillinggaps(NewYork)

§  Realquestionsastowhethertheywillunderstand/applynuanceorprovideexperiencedjudgmentonHIPAAissues

16

Alternativeenforcement§  ThePlaintiffs’Bar§  TheyarewatchingforopeningsbecauseofdamagetheoriesANDexploringabroaderrolebothinclassactioncasesandin“sendingamessage”claims

17

ThePlaintiffs’Bar§  Lookingforwaystoavoidtheneedtoprovespecificdamages

§  Classactionlawyerstryingtodefineharmacrossallindustries

§  Portionofpayments/premiums§  Overallweaksecuritypractices(anticipatoryclaims)

18

DamagesareaRealHurdle§  Smithv.ChaseManhattanBank§  Financialinstitutiongavelisttothirdparty,receivedpaymentsonsales

§  Saiditdidn’tdothesethingsinprivacynotice§  Nodamagesalleged/nocauseofaction§  Onlyunwantedtelemarketing

19

Smithv.Chase§  “The‘harm’attheheartofthispurportedclassaction,isthatclassmembersweremerelyofferedproductsandserviceswhichtheywerefreetodecline.Thisdoesnotqualifyasactualharm.”

20

IoTandUnregulatedData§  Increasingconcernsaboutbigdataenvironment§  Previousadministrationhadbeengivingthoughtfulandongoingconsiderationtoprosandconsofbigdataenvironment

§  Thoseactivitiesseemtohavestoppedforthetimebeing

21

Thebiggest“nextgeneration”issue§  HIPAAhasalwaysbeenalimitedscopeprivacy/securityrule

§  Itappliestohealthcareinformationonlywhereacoveredentityisinvolved.

§  Accordingly,therealwayshavebeengapswherevariousentitiescollectormaintainhealthcaredatabutarenotcoveredbytheHIPAArules.

22

Thebiggest“nextgeneration”issue§ Whatis“outside”ofHIPAAisgrowing§ Websitesgatheranddistributehealthcareinformationwithouttheinvolvementofacoveredentity.

§  Theserangefromcommercialwebsites(e.g.,WebMD)topatientsupportgroupstothegrowthofpersonalhealthrecords.

§  Nowaddmobileapps.andwearables

23

More“nextgeneration”issues§  Anemerging(andrelated)issue-bringing“outside”HIPAAinformation“inside”HIPAA

§  CEsaregatheringallkindsofdataabouttheirpatients/customers/insuredsfromoutsidethehealthcaresystemandusingitfor“healthcarepurposes”

24

RecentHeadlines§  “YourDoctorKnowsYou’reKillingYourself.TheDataBrokersToldHer.”(Bloomberg)

§  “Youmaysoongetacallfromyourdoctorifyou’veletyourgymmembershiplapse,madeahabitofpickingupcandybarsatthecheck-outcounterorbeginshoppingatplus-sizedstores.”

25

RecentHeadlines§  “WhenaHealthPlanKnowsHowYouShop.”(NewYorkTimes)

§  Healthplanpredictionmodelsusingconsumerdatafromdatabrokers(e.g.,income,maritalstatus,numberofcars),topredictemergencyroomuseandurgentcare.

26

TentativePredictions§  ThisHIPAA/non-HIPAAissueisnotgoingaway(althoughwemaybeonhiatusnow)

§  Thereistoomuchdatabeingusedbytoomanypeopleintoomanyriskycontexts

§  Lotsofpressurefrommanyfrontsto“dosomething”aboutthisnon-HIPAAhealthcaredata

27

TentativePredictions§  3MainOptions§  Somethingspecificforthisnon-HIPAAhealthcaredata

§  Somethingthatcoversallhealthcaredata§  Abroaderoverallprivacylaw(withorwithoutaHIPAAcarve-out)

28

Legislation§  Expectstatelegislationonavarietyofprivacyandsecuritytopics

§  Expectsomepressureatfederallevelfordatabreachnotificationlegislationoroverallsecuritylegislation

§  Don’tbetalotofmoneyonthosepassing

29

KeysforCEs/BAs1.   RiskAssessment2.   RiskAssessment3.   RiskAssessment4.   Seriously.Doariskassessment.

30

OtherKeys§  Beresponsivetoanyinquiries–thorough,timely,accurate

§  Fixyourproblems–bothimmediatemitigationofbreach-relatedissuesandlongertermprocessissues

§ MakesureyouhaveBAAgreementswitheveryoneyoushould

31

LessonsLearned§  BesmartandcarefulabouthowyouhandlePHI§  Trainyouremployees§  Bepreparedtoactquicklyifthereisaproblem§  Haveanoverallriskassessmentthatincorporatesyourbusinessactivities

32

Questions?

Forfurtherinformation,contact:

KirkJ.NahraWileyReinLLP202.719.7335knahra@wileyrein.com@kirkjnahrawork

33

34 © 2018 HITRUST Alliance

Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight