Data protection and management

Definition of ‘health data’

What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?

‘Health data’ includes both regulated data under state and federal medical privacy laws and data that relates to the physical status of an individual protected under state privacy tort laws. In order to be regulated, data must be related to an identified person. However, this is changing with the passage of California privacy laws, which trigger protections when the individual is identifiable (ie, they don’t have to actually be identified). Anonymised data is data that cannot be related to either an identified or identifiable person. If it is possible to take anonymised data and reverse engineer the characteristics of a unique person, then the data isn’t anonymised.

In order for data to be anonymised, it must be practically impossible to associate the data with a specific person, identifiable or not.

Data protection law

What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?

There is no singular data protection legislation in the US. The Federal Trade Commission (FTC) may bring enforcement actions to protect consumers against unfair or deceptive practices and to enforce federal privacy and data protection regulations. Health data is generally protected at a higher level than non-health data. This is because of the higher likelihood of adverse effects on the individual through the misuse of such data. These protections come from a variety of different sources. The US tends to use ‘sectorial’ or ‘context-specific’ data protection regulation. For example, health data that is processed by a doctor is protected under the Health Insurance Portability and Accountability Act (HIPAA). As such, the source of data protection is generally associated with the nature of the processor, and not the nature of the data.

Various states have passed medical information privacy laws, some of which are more rigorous than the federal HIPAA rules. Generally, these differ from HIPAA in how they define ‘covered entities’ and the conduct that requires disclosure and authorisation, but not in how they define health data relative to protected health information. Similarly, many states have updated their security breach notice laws to include an affirmative obligation to provide reasonable security for any data collected about an individual, which would also include health data.

Anonymised health data

Is anonymised health data subject to specific regulations or guidelines?

Generally, anonymised data is not subject to data protection regulations. However, it is difficult to have useful data that is anonymous. Usually, de-identified data is considered pseudonymous, which is personal information, but which has been formatted to limit the risks to the individual. Pseudonymous data is still considered protected data, but the risks that can be attributed to the data are lower and thus the protections are fewer.


How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?

At the federal level, health data protection laws are enforced by the Office for Civil Rights (OCR). The OCR has enforcement authority over ‘covered entities’ and the business associates of those entities. For digital health technologies that are considered ‘medical devices’, the Food and Drug Administration (FDA) has enforcement authority. For state medical privacy laws, the usual enforcement authority is the state attorney general. Finally, where tort law can be implicated (under either a privacy tort or a negligence per se theory), there is a private right of action for the individual. Additionally, some state laws may provide a private right of action for security breaches. The fact that the data is health data would be a factor in assessing damages.

OCR has investigated and resolved over 27,109 cases by requiring changes in privacy practices and corrective actions. As of July 2019, OCR had settled or imposed a civil money penalty in 65 cases resulting in a total dollar amount of US$102,681,582.

There are a number of regulations and guidelines that have been developed in the ‘medical device’ space. The federal government has developed several guidance documents around the privacy and security requirements for ‘connected medical devices’ and ‘software as a medical device’.

Additionally, there are some gaps in the coverage of the federal law based on definitions in the federal law as to who is a ‘covered entity’. States have addressed these gaps by attaching protections to the data instead of regulating the data processor. For example, Texas and California impose protections on health-related data for entities that are not traditionally considered ‘covered entities’ under the federal health privacy laws.


What cybersecurity laws and best practices are relevant for digital health offerings?

Where HIPAA applies, the HIPAA Security Rule imposes specific information security obligations via a set of ‘required’ or ‘addressable’ implementation specifications. These are all based on the information security standards promulgated by the National Institute of Standards and Technology (NIST). The NIST standards are also useful where the relevant law only requires ‘reasonable security’ for health data (eg, Cal Civ Code section 1798.150, permitting recovery for a failure to implement reasonable security). Similarly, the FDA’s guidance on cybersecurity for medical devices and ‘software as a medical device’ follows the NIST set of standards.

In addition to HIPAA, the Federal Information Security Modernization Act (FISMA) imposes the NIST standards directly onto any direct contractor or subcontractor to the US government. Additionally, by administrative act, several granting agencies in the US government are imposing FISMA/NIST requirements on recipients of federal grant money (eg, National Institutes of Health).

Generally speaking, US laws are ‘outcomes-based’ and technology-agnostic, and do not mandate a particular control set. However, they all require a risk assessment under which security controls are chosen and implemented. As such, it is important to ensure that administrative and procedural controls are given as much priority as technological controls (eg, encryption).

Cyber insurance is only one of several risk management strategies a health organisation can use to address the risk of loss, alongside data classification, data retention, employee training, strong indemnification by third-party vendors and regularly tested incident response plans. There is no ‘one size fits all’ policy, as each healthcare organisation is unique. With the recent and dramatic increase in malware attacks, it is likely that there will be more rigorous underwriting. Most cyber insurance coverage (through one or more policies) addresses network security, business interruption, media liability and errors and omissions. Some policies cover the cost of defence and remediation, while others will pay out an amount for demonstrable loss up to a limit. Not covered are lost profits, lost value based on theft of IP or proprietary technology, or the cost of improvements to security systems.

Best practices and practical tips

What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?

Handling anonymised data doesn’t require any management under the various data protection laws as anonymised data isn’t personal and thus isn’t protected. Raw data almost always has meta-data attached to it that makes it at least re-identifiable (if the data isn’t already directly identifiable). As such, raw data should be treated with the level of protection that is consistent with the various laws that address health and personal data:

  • regularly perform and document risk assessments that cover all data uses, locations, processing activities and technologies. Risk assessments must be done periodically and around significant events (eg, new technology deployments, new vendor acquisition, breaches);

  • information security is a ‘state’ – it is continually changing. As such, the information security program needs to be flexible and extensible to evolve with the risks;

  • consent cures most ills, but consent must be informed and revocable;

  • secondary use will be problematic unless it is for administrative, operational or healthcare purposes; and

  • anonymised data is usually not really anonymised, so don’t think it can be used for anything.
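The re-identification test above (data is anonymised only if a unique person cannot be recovered from it) and the last tip (anonymised data is usually not really anonymised) can be checked mechanically. The following is an added example, not part of the original guide: it measures k-anonymity over quasi-identifiers on a constructed record set with direct identifiers already stripped, shows that a single-member class links to a constructed directory entry, and then suppresses the small classes. The record values, the column names and the k threshold are all assumptions.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample records (not real people): names stripped, but the
# quasi-identifiers zip/birth_year/sex remain next to a health attribute.
RECORDS: List[Dict[str, str]] = [
    {"zip": "90210", "birth_year": "1985", "sex": "F", "diagnosis": "asthma"},
    {"zip": "90210", "birth_year": "1985", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "90210", "birth_year": "1985", "sex": "F", "diagnosis": "asthma"},
    {"zip": "94105", "birth_year": "1972", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "94105", "birth_year": "1972", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "10001", "birth_year": "1990", "sex": "M", "diagnosis": "migraine"},
]
QUASI: Tuple[str, ...] = ("zip", "birth_year", "sex")  # assumed quasi-identifiers


def key(record: Dict[str, str], quasi: Sequence[str]) -> Tuple[str, ...]:
    """The quasi-identifier values of one record, in a fixed order."""
    return tuple(record[q] for q in quasi)


def class_sizes(records: List[Dict[str, str]], quasi: Sequence[str]) -> Counter:
    """How many records share each combination of quasi-identifier values."""
    return Counter(key(r, quasi) for r in records)


def k_anonymity(records: List[Dict[str, str]], quasi: Sequence[str]) -> int:
    """Smallest class size; k == 1 means some record describes a unique person."""
    sizes = class_sizes(records, quasi)
    return min(sizes.values()) if sizes else 0


def linkage_matches(records: List[Dict[str, str]], quasi: Sequence[str],
                    external: Dict[str, str]) -> List[Dict[str, str]]:
    """Records consistent with one external record (a constructed directory
    entry). Exactly one match means the health attribute now has a name."""
    return [r for r in records if key(r, quasi) == key(external, quasi)]


def suppress_small_classes(records: List[Dict[str, str]], quasi: Sequence[str],
                           k: int) -> List[Dict[str, str]]:
    """Drop records whose class has fewer than k members, so every record that
    remains is hidden among at least k-1 others (suppression, not generalisation)."""
    sizes = class_sizes(records, quasi)
    return [r for r in records if sizes[key(r, quasi)] >= k]


if __name__ == "__main__":
    entry = {"name": "J. Doe", "zip": "10001", "birth_year": "1990", "sex": "M"}
    print("k =", k_anonymity(RECORDS, QUASI))                     # 1: not anonymised
    print("linked:", linkage_matches(RECORDS, QUASI, entry))       # exactly one record
    safer = suppress_small_classes(RECORDS, QUASI, 2)
    print("k after suppression =", k_anonymity(safer, QUASI))     # 2
```

Note that k-anonymity alone does not stop attribute disclosure: the two 94105 records survive suppression but share one diagnosis, so anyone matching that class still learns it. That is the sense in which such data is pseudonymous rather than anonymised and keeps its protections.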

Law stated date

Correct on

Give the date on which the above content is accurate.

20 November 2020.