During a much anticipated Open Commission Meeting announced by Commission Chair Lina M. Khan, the Federal Trade Commission (“FTC”) voted in favor of issuing one new policy statement and one new report to Congress. Continue Reading
California Privacy Protection Agency Released Proposed CPRA Regulations
The California Privacy Protection Agency (the “Agency”) released draft regulations to the California Privacy Rights Act (“CPRA”) on May 31, 2022 (the “Proposed Regulations”). The Proposed Regulations are drafted as comments to the California Attorney General’s regulations for the California Consumer Privacy Act, California’s landmark privacy law, which was amended by CPRA. Continue Reading
Department of Health and Human Services Issues Request for Information on Cybersecurity Standards
The Department of Health and Human Services (“HHS”) has issued a formal request for information from the public about how regulated entities are implementing industry recognized security practices. The request for information represents a chance for the private sector to contribute to HHS regulation. Interested parties have until June 6, 2022 to submit comments.
HHS seeks this information to be better informed when making determinations regarding fines, audits, and remedies after a potential violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The request for information was issued by HHS’s Office for Civil Rights (“OCR”), which enforces the privacy and security rules for health providers and insurers that hold health data.
The Health Information Technology for Economic and Clinical Health (“HITECH”) Act requires that HHS consider industry recognized security practices during enforcement, and does not require nor prohibit rulemaking based on the same. The HITECH Act defines “recognized security practices” as (i) the standards found in section 2(c)(15) of the National Institute of Standards and Technology (“NIST”) Act, (ii) the approaches found in section 405(d) of the Cybersecurity Act of 2015, and (iii) “other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities”. OCR seeks information in order to improve guidelines about these standards.
Uncorrected violations under the HITECH Act can carry a minimum of $50,000 per violation in civil penalties. Enforcement actions are initiated by OCR through investigating complaints alleging violations of HIPAA Rules, as well as compliance reviews conducted by OCR following a breach report. Covered entities are required to submit breach reports after cybersecurity incidents under certain circumstances.
The request for information, found here contains specific prompts on the topic.
U.S. and EU Agree in Principle on New Trans-Atlantic Data Privacy Framework
In a joint press conference on March 25, 2022, U.S. President Joseph Biden and European Commission President Ursula von der Leyen announced an agreement “in principle” on a framework, called the Trans-Atlantic Data Privacy Framework (“Privacy Shield 2.0”), to replace the U.S.-EU Privacy Shield. The EU General Data Protection Regulation (“GDPR”) places restrictions on personal data transfers to countries outside of the European Economic Area (“EEA”). Privacy Shield 2.0 is designed to replace the original Privacy Shield which allowed companies that had self-certified to lawfully transfer personal data from the EEA to the U.S. However, the Court of Justice of the European Union (“CJEU”) in the so called Schrems II decision in 2020 invalidated the original Privacy Shield as a mechanism for such lawful transfers. Continue Reading
Growing Risks to Corporate Groups and the Global PE Industry from Robust European Privacy and Cybersecurity Enforcement
Since the EU General Data Protection Regulation (“GDPR”) came into effect in May 2018 there have been numerous high-profile enforcement actions (~US$880m is the largest GDPR fine to-date) and private litigation (including class-action type claims). Notable fines have included the ~US$25m fine levied in October 2020 by the UK’s GDPR regulator against Marriott International for alleged cybersecurity failures in connection with its acquisition of Starwood Hotels. Still, the GDPR exposure for corporate groups and the private equity (“PE”) industry (whether or not established in Europe) continues to expand – notably, from a growing focus on so-called “parental GDPR liability”. Continue Reading
ONC Releases Interoperability Frameworks
The 21st Century Cures Act directed the National Coordinator to “develop or support a trusted exchange framework, including a common agreement among health information networks nationally.” Fulfilling that mandate, the Office of the National Coordinator (“ONC”) for Health Information Technology released the “Trusted Exchange Framework and the Common Agreement” for health record interoperability. The two documents, titled “Trusted Exchange Framework, Common Agreement – Version 1” (“TEFCA”), and “Trusted Exchange Framework: Principles for Trusted Exchange” (“Principles”) were published on January 18, 2022. The purpose of the Principles is to create a non-binding set of common principles for the exchange of health information and the TEFCA memorializes the technical infrastructure and governance for the different networks and their users to securely share information with each other – all under a common framework. By signing the TEFCA and adhering to the Principles, entities can be designated as Qualified Health Information Networks (“QHIN”). A QHIN is a network of organizations certified by the ONC to work together to share data. QHINs will connect directly to each other to ensure interoperability between the networks they represent. With the release of these two documents, entities can now begin reviewing the requirements and considering whether to apply.
In addition, the TEFCA Health Level Seven (“HL7”) Fast Healthcare Interoperability Resource (“FHIR”) Roadmap (“TEFCA FHIR Roadmap”) has been released, which sets forth how TEFCA will accelerate the adoption of FHIR-based exchange across the industry.
Principles
Following are the seven principles that will help facilitate the exchange of information among health networks:
- Standardization. Health information networks should prioritize federally recognized and industry recognized technical standards, policies, best practices, and procedures.
- Openness and transparency. Health information networks should conduct activities openly and transparently, wherever possible.
- Cooperation and Non-discrimination. Health information networks should collaborate with stakeholders across the continuum of care to electronically exchange digital health information, even when a stakeholder may be a business competitor.
- Privacy, Security, and Safety. Health information networks should exchange digital health information in a manner that supports privacy; ensures data confidentiality, integrity, and availability; and promotes patient safety.
- Access. Health information networks should ensure that Individuals and their authorized caregivers have easy access to their digital health information and understand how it has been used or disclosed and HINs should comply with civil rights obligations on accessibility.
- Equity. Health information networks should consider the impacts of interoperability on different populations and throughout the lifecycle of the activity.
- Public Health. Health information networks should support public health authorities and population-level use cases to enable the development of a learning health system that improves the health of the population and lowers the cost of care.
Common Agreement
The TEFCA operationalizes the principles above by binding its signatories to a detailed infrastructure which allows different networks to securely share basic clinical information with each other. The major obligations of the agreement are demonstrating the ability to send and receive information with various upstream and downstream entities. Affirmative covenants in the agreement include security, privacy, and respecting data rights of individual patients. There are also negative covenants such as non-exclusivity and non-discrimination with respect to the sharing of data. By signing the 63-page agreement and following its obligations a health information network becomes designated as a Qualified Health Information Network.
Proskauer attorneys are following the developments related to the sharing of health information amongst the various healthcare stakeholders and are here to assist organizations navigate this complicated and important landscape.
Noteworthy Trends in Privacy and Data Security
Reports of sophisticated cyberattacks and ransomware threats dominated 2021 headlines, along with evolving state data privacy laws in the absence of comprehensive federal data protection regulation. Cross-border data transfers between the EU and US still lack a clear, streamlined mechanism while national authorities continue to negotiate an EU-US Privacy Shield replacement. The past year also showcased the ongoing cyber risks of remote and hybrid working due to COVID-19 measures and the continued rise of ransomware attacks.
Looking ahead, organizations must keep up with the dynamic and increasing legal obligations governing privacy and data security, understand how they apply, monitor cyber risks and attack trends, and manage their compliance to minimize exposure.
Read our Practical Law article for an overview of the past year’s privacy and data security legal developments and predictions for issue to look out for 2022.
