Data protection and management

Definition of ‘health data’

What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?

‘Health data’ includes both data regulated under state and federal medical privacy laws and data relating to the physical condition of an individual that is protected under state privacy tort law. Traditionally, data must relate to an identified person in order to be regulated. That is changing with the passage of the California, Virginia and Colorado privacy laws, which trigger protections whenever the individual is identifiable (ie, the person does not have to actually have been identified). Anonymised data is data that cannot be related to either an identified or an identifiable person. If it is possible to take anonymised data and ‘reverse engineer’ the characteristics of a unique person, then the data is not anonymised.

De-identified data (eg, data from which the 18 identifiers listed in the HIPAA ‘safe harbor’ de-identification method have been removed) is not anonymised data. In order for data to be anonymised, it must be practically impossible to associate the data with a specific person, identifiable or not: removing direct identifiers does not help if the remaining attributes (postcode, date of birth, sex, rare diagnoses) are unique enough to be linked back to a person.
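The following is an added illustration of the distinction above; it is not code from the original page or from any regulator, and every record in it is constructed and hypothetical. It takes a ‘de-identified’ extract (names and record numbers already stripped), measures its k-anonymity on the quasi-identifiers ZIP code, birth year and sex, and runs the linkage attack the text describes against a second constructed dataset that still carries names. It then goes one step beyond the text by generalising the quasi-identifiers (3-digit ZIP prefix, birth decade) and showing that the linkage no longer succeeds.

```python
"""Added illustration: why 'de-identified' is not 'anonymised'.

All data below is constructed and hypothetical; it is not from the original page.
"""
from collections import Counter

# Hypothetical 'de-identified' extract: names and record numbers already removed,
# but the quasi-identifiers (ZIP, birth year, sex) are retained.
DEIDENTIFIED_RECORDS = [
    {"zip": "02138", "birth_year": 1951, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_year": 1951, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1960, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1960, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02140", "birth_year": 1975, "sex": "M", "diagnosis": "hiv"},
    {"zip": "02141", "birth_year": 1978, "sex": "M", "diagnosis": "asthma"},
]

# Hypothetical external dataset that still carries names (eg, a public roll or a
# purchased marketing list). The attacker joins on the quasi-identifiers.
EXTERNAL_RECORDS = [
    {"name": "A. Example", "zip": "02140", "birth_year": 1975, "sex": "M"},
    {"name": "B. Example", "zip": "02138", "birth_year": 1951, "sex": "F"},
    {"name": "C. Example", "zip": "02138", "birth_year": 1951, "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def qi_key(record, quasi_ids=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values an attacker can match on."""
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class on the quasi-identifiers.
    k == 1 means at least one row is unique and therefore re-identifiable
    by linkage if a matching external record exists."""
    sizes = Counter(qi_key(r, quasi_ids) for r in records)
    return min(sizes.values()) if sizes else 0


def reidentify(deidentified, external, quasi_ids=QUASI_IDENTIFIERS):
    """Linkage attack: return (row index, name, diagnosis) for every released
    row that is unique in the release and matches exactly one external person."""
    class_sizes = Counter(qi_key(r, quasi_ids) for r in deidentified)
    names_by_key = {}
    for e in external:
        names_by_key.setdefault(qi_key(e, quasi_ids), []).append(e["name"])
    hits = []
    for i, r in enumerate(deidentified):
        key = qi_key(r, quasi_ids)
        names = names_by_key.get(key, [])
        if class_sizes[key] == 1 and len(names) == 1:
            hits.append((i, names[0], r["diagnosis"]))
    return hits


def generalise(record):
    """Coarsen the quasi-identifiers (3-digit ZIP prefix, birth decade).
    Generalisation is one standard way to raise k before release."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(DEIDENTIFIED_RECORDS))
    print("re-identified:", reidentify(DEIDENTIFIED_RECORDS, EXTERNAL_RECORDS))
    released = [generalise(r) for r in DEIDENTIFIED_RECORDS]
    external = [generalise(e) for e in EXTERNAL_RECORDS]
    print("k after generalisation:", k_anonymity(released))
    print("re-identified:", reidentify(released, external))
```

On the constructed data the raw extract has k = 1 and the row for the 1975-born male in ZIP 02140 links to exactly one named person, so his diagnosis is disclosed even though his name was never in the file. After generalisation k rises to 2 and the linkage returns nothing. Note the caveat that k-anonymity alone is not anonymisation: when all rows in a class share the same sensitive value, or the class is tiny, an attacker who knows someone is in the dataset still learns a small candidate set of diagnoses, which is why the page's advice to treat ‘anonymised’ data with suspicion is sound.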

Data protection law

What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?

There is no single data protection statute in the US. The FTC may bring enforcement actions to protect consumers against unfair or deceptive practices and to enforce federal privacy and data protection regulations. Health data is generally protected at a higher level than non-health data because of the higher likelihood of adverse effects on the individual from misuse of such data. These protections come from a variety of sources. The US tends to use ‘sectoral’ or ‘context-specific’ data protection regulation. For example, health data that is processed by a doctor is protected under HIPAA. As such, the source of protection is generally tied to the nature of the processor, not the nature of the data.

Various states have passed medical information privacy laws, some of which are more rigorous than the federal HIPAA rules. Generally, these differ from HIPAA in how they define ‘covered entities’ and the conduct that requires disclosure and authorisation, not in how they define health data versus protected health information. Similarly, many states have updated their security breach notice laws to include an affirmative obligation to provide reasonable security for any data collected about an individual, which would also cover health data.

Anonymised health data

Is anonymised health data subject to specific regulations or guidelines?

Generally, anonymised data is not subject to data protection regulations. However, it is difficult to have useful data that is anonymous. Usually, de-identified data is considered ‘pseudonymous,’ which is personal information that has been formatted to limit the risks to the individual. Pseudonymous data is still considered protected data, but the risks that can be attributed to the data are lower and thus the protections are fewer.

Enforcement

How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?

At the federal level, health data protection laws are enforced by the Office for Civil Rights (OCR) of the Department of Health and Human Services. The OCR has enforcement authority over ‘covered entities’ and the business associates of those entities. For digital health technologies that are considered ‘medical devices’, the FDA has enforcement authority. For state medical privacy laws, the usual enforcement authority is the state Attorney General. Finally, where tort law can be implicated (under either a privacy tort or a negligence per se theory), there is a private right of action for the individual. Additionally, some state laws provide a private right of action for security breaches. The fact that the data is health data would be a factor in assessing damages.

OCR has investigated and resolved over 27,109 cases by requiring changes in privacy practices and corrective actions. As of July 2019, OCR has settled or imposed a civil money penalty in 65 cases resulting in a total amount of $102,681,582.

There are a number of regulations and guidelines which have been developed in the ‘medical device’ space. The federal government has developed several guidance documents around the privacy and security requirements for ‘connected medical devices’ and ‘software as a medical device’.

Additionally, there are some gaps in the coverage of the federal law, based on definitions in the federal law as to who is a ‘covered entity.’ States have addressed these gaps by attaching protections to the data instead of regulating the data processor. For example, Texas and California impose protections on health-related data for entities which are not traditionally considered ‘covered entities’ under the federal health privacy laws.

Cybersecurity

What cybersecurity laws and best practices are relevant for digital health offerings?

Where HIPAA applies, the HIPAA Security Rule imposes specific information security obligations via a set of ‘required’ or ‘addressable’ implementation specifications. These are all based on the information security standards promulgated by the National Institute of Standards and Technology. The NIST standards are also useful where relevant law only requires ‘reasonable security’ for health data (eg, Cal Civ Code §1798.150 – permitting recovery for a failure to implement reasonable security). Similarly, the FDA’s guidance on cybersecurity for medical devices and ‘software as a medical device’ follow the NIST set of standards.

In addition to HIPAA, FISMA imposes the NIST standards directly onto any direct contractor or subcontractor to the US government. Additionally, by administrative act, several granting agencies in the US government are imposing FISMA/NIST requirements on recipients of federal grant money (eg, National Institutes of Health).

Generally speaking, US laws are ‘outcomes-based’, are technology-agnostic, and do not mandate a particular control set. However, they all require a risk assessment under which security controls are chosen and implemented. As such, administrative and procedural controls (eg, access governance, workforce training, vendor oversight) must be given the same priority as technical controls (eg, encryption).

Ransomware has been an explosive threat in the health care landscape in the last 12 months. From 1 January 2021 to 31 July 2021, there were 2,084 ransomware complaints reported to the FBI’s Internet Crime Complaint Center (IC3), a 62 per cent increase over the same period a year earlier, and more than $16.8 million in losses, a 20 per cent increase from the previous year. Consequently, security in the digital health ecosystem needs to be as focused on systems availability and integrity as it is on confidentiality. It must be remembered that breach notice obligations can be triggered by a compromise of the integrity of data, not only by a compromise of its confidentiality; OCR, for instance, treats the encryption of electronic PHI by ransomware as a presumptive breach unless a risk assessment shows a low probability that the data was compromised. Further, having EMR systems down for extended periods can increase mortality rates and decrease quality of care in health care operations that deal with acute patient encounters.

Cyber insurance is only one of several risk management strategies for a health organisation to address the risk of loss; others include data classification, data retention limits, employee training, strong indemnification from third-party vendors and regularly tested incident response plans. There is no ‘one size fits all’ policy, as each health care organisation is unique. With the recent and dramatic increase in malware attacks, it is likely there will be more rigorous underwriting. Most cyber insurance programmes (through one or more policies) cover (1) network security, (2) business interruption, (3) media liability and (4) errors and omissions. Some policies cover the cost of defence and remediation while others pay out an amount for demonstrable loss up to a limit. Typically not covered are (1) lost profits, (2) lost value based on theft of IP or proprietary technology and (3) the cost of improvements to security systems.

Best practices and practical tips

What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?

Handling anonymised data does not require any management under the various data protection laws, as anonymised data is not ‘personal’ and thus is not protected. ‘Raw’ data, however, almost always has metadata attached to it (timestamps, device and account identifiers, location), which makes it at least re-identifiable if it is not already directly identifiable. As such, raw data should be treated with the level of protection that is consistent with the various laws addressing health and personal data.

  • Vendors are often the source of a security breach. Develop and implement a vendor management process which has information security as a central component. This includes regular testing or vetting of vendors, not just for vendors that touch health information but for any vendor that accesses systems which could touch health information.
  • Develop and test quick and resilient disaster recovery processes. Ransomware is an increasing threat that has been publicly linked to at least one patient death in a hospital. This is also important for vendors to undertake.
  • Regularly perform and document risk assessments that cover all data uses, locations, processing activities, vendors and technologies. Risk assessments must be done periodically and around significant events (eg, new technology deployments, new vendor acquisition and breaches).
  • Information security is a ‘state’ that is continually changing. As such, the information security programme needs to be flexible and extensible enough to evolve with the risks.
  • Consent cures most ills, but consent must be informed and revocable.
  • Secondary use will be problematic unless it is for administrative, operational or health care purposes.
  • Anonymised data is usually not really anonymised, so do not assume it can be used for any purpose without restriction.