© 2018 HITRUST Alliance
LEGAL AND REGULATORY CONSIDERATIONS IN THE US AND INTERNATIONALLY
Kirk J. Nahra Wiley Rein LLP
Washington, D.C. 202.719.7335
[email protected] @kirkjnahrawork
February 20, 2018
My Presentation
§ Discuss the latest developments in the world of privacy and security, for the US and internationally
§ Discuss major areas of change over the next few years
§ Lessons learned from recent enforcement activity
§ Discuss the current enforcement environment at the state and federal level
§ Answer your questions about the future of healthcare privacy and security enforcement and related activity
GDPR
§ Direct regulation – processors and controllers
§ Transfer implications
§ Contracting implications
GDPR
§ Lots of nervousness
§ Lots of uncertainty
§ Expect “example” enforcement relatively early on (late 2018?)
§ Expect contracting uncertainty
§ There may be other changes as well
Privacy Shield / Data Transfer
§ Aside from GDPR, some companies have to deal with Privacy Shield to become appropriate data transfer recipients
§ Similar programs arising in other parts of the world (e.g., Asia-Pacific)
§ Requires reasonable compliance activity
§ Expect some enforcement in US
The New Administration
§ We really know nothing about any intentions in the specific world of healthcare privacy and security
§ Not a first, second or even third tier issue
§ General consensus is that there are few strong policy positions beyond first tier issues and general philosophy
The New Administration
§ Relevant philosophical points
§ Overall concern about cybersecurity
§ Willingness to engage in broad personal data review, surveillance and oversight
§ Presumably less government regulation
§ Perhaps less governmental spending
§ Perhaps less overall government enforcement
FTC Enforcement
§ Wholesale change in Commission leadership (ongoing)
§ Had been moving to a more aggressive view on “consumer harm” (with the likely reduction in enforcement)
§ Will there be even less enforcement?
OCR Generally
§ Two high level losses in main HIPAA enforcement leadership
§ New OCR head with different priorities
§ Real budget issues with a new (non-HIPAA) office added under same budget
§ Recent reduction in enforcement, not clear if this is just transition
Changes to law/regulations
§ Hard to see any push to change statutory language
§ Unlikely to see new regulatory proposals, at least in early period (and likely longer)
§ Unlikely to see pulling back on privacy rights
§ Unlikely to see new HITECH rules that have been on hold (at least in short term)
Enforcement
§ Enforcement certainly has been growing, but on a slow and steady basis
§ Mainly growing because of low levels of enforcement activity in early years
§ No particular reason to expect any fundamental change in enforcement philosophy
Enforcement
§ Pending investigations take a long time to finish
§ So no reason to think current staff won’t follow those through to completion
§ Future enforcement depends primarily on budget and resources more than philosophy
Enforcement
§ Cases involving significant failures of compliance
§ Cases involving repeated and/or uncorrected problems
§ Particularly “noticeable” problems / high impact cases / send-a-message cases (?)
Business Associates
§ Little real enforcement involving business associates yet
§ A real challenge for OCR – how to treat companies who deal with much more than healthcare
§ And the enormous range of size/sophistication of these entities
State Role
§ Expect state AGs to be more active on privacy and security
§ Some recent data breach cases where state AGs are aggressive (e.g., Equifax) or filling gaps (New York)
§ Real questions as to whether they will understand/apply nuance or provide experienced judgment on HIPAA issues
Alternative enforcement
§ The Plaintiffs’ Bar
§ They are watching for openings because of damage theories AND exploring a broader role both in class action cases and in “sending a message” claims
The Plaintiffs’ Bar
§ Looking for ways to avoid the need to prove specific damages
§ Class action lawyers trying to define harm across all industries
§ Portion of payments/premiums
§ Overall weak security practices (anticipatory claims)
Damages are a Real Hurdle
§ Smith v. Chase Manhattan Bank
§ Financial institution gave list to third party, received payments on sales
§ Said it didn’t do these things in privacy notice
§ No damages alleged / no cause of action
§ Only unwanted telemarketing
Smith v. Chase
§ “The ‘harm’ at the heart of this purported class action, is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm.”
IoT and Unregulated Data
§ Increasing concerns about big data environment
§ Previous administration had been giving thoughtful and ongoing consideration to pros and cons of big data environment
§ Those activities seem to have stopped for the time being
The biggest “next generation” issue
§ HIPAA has always been a limited scope privacy/security rule
§ It applies to healthcare information only where a covered entity is involved.
§ Accordingly, there always have been gaps where various entities collect or maintain healthcare data but are not covered by the HIPAA rules.
The biggest “next generation” issue
§ What is “outside” of HIPAA is growing
§ Websites gather and distribute healthcare information without the involvement of a covered entity.
§ These range from commercial websites (e.g., WebMD) to patient support groups to the growth of personal health records.
§ Now add mobile apps and wearables
More “next generation” issues
§ An emerging (and related) issue - bringing “outside” HIPAA information “inside” HIPAA
§ CEs are gathering all kinds of data about their patients/customers/insureds from outside the healthcare system and using it for “healthcare purposes”
Recent Headlines
§ “Your Doctor Knows You’re Killing Yourself. The Data Brokers Told Her.” (Bloomberg)
§ “You may soon get a call from your doctor if you’ve let your gym membership lapse, made a habit of picking up candy bars at the check-out counter or begin shopping at plus-sized stores.”
Recent Headlines
§ “When a Health Plan Knows How You Shop.” (New York Times)
§ Health plan prediction models using consumer data from data brokers (e.g., income, marital status, number of cars) to predict emergency room use and urgent care.
Tentative Predictions
§ This HIPAA/non-HIPAA issue is not going away (although we may be on hiatus now)
§ There is too much data being used by too many people in too many risky contexts
§ Lots of pressure from many fronts to “do something” about this non-HIPAA healthcare data
Tentative Predictions
§ 3 Main Options
§ Something specific for this non-HIPAA healthcare data
§ Something that covers all healthcare data
§ A broader overall privacy law (with or without a HIPAA carve-out)
Legislation
§ Expect state legislation on a variety of privacy and security topics
§ Expect some pressure at federal level for data breach notification legislation or overall security legislation
§ Don’t bet a lot of money on those passing
Keys for CEs/BAs
1. Risk Assessment
2. Risk Assessment
3. Risk Assessment
4. Seriously. Do a risk assessment.
Other Keys
§ Be responsive to any inquiries – thorough, timely, accurate
§ Fix your problems – both immediate mitigation of breach-related issues and longer term process issues
§ Make sure you have BA Agreements with everyone you should
Lessons Learned
§ Be smart and careful about how you handle PHI
§ Train your employees
§ Be prepared to act quickly if there is a problem
§ Have an overall risk assessment that incorporates your business activities
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight