Data Transfers/Safe Harbor/Privacy Shield
Subscribe to Data Transfers/Safe Harbor/Privacy Shield's Posts

How Not to Lose $1 Million: Preparing for OIG’s Information Blocking Enforcement

OIG’s long-awaited final rule on investigating and imposing penalties for information blocking dropped in July 2023 and is effective as of Sept. 1, 2023 – almost three years after OIG released its proposed rule (April 2020) and two years after the start of information blocking compliance on April 5, 2021. The final rule codifies OIG’s authority to investigate information blocking complaints, including against developers of certified health IT and health information networks/health information exchanges (HIN/HIEs), and assess CMPs of up to $1 million per violation.

OIG defined a “violation” as a practice that constitutes information blocking as set forth in ONC’s information blocking regulations—a broad definition that is important because each distinct act or omission could be subject to a separate $1 million CMP. OIG also provided examples of what it would consider constituting a single violation versus multiple violations subject to multiple CMPs:

  • Single Violation: A certified health IT developer denies a single request by a healthcare provider to receive multiple patients’ EHI via an API and no legal requirement or information blocking exception applies. OIG would consider this a single violation even though it would result in preventing access to multiple patients’ EHI.
  • Multiple Violations: A certified health IT developer takes multiple separate actions to improperly deny multiple individual requests by a healthcare provider for EHI through an API. Each separate action would be considered a separate violation.

OIG has stated that while it does not intend to impose CMPs on conduct that occurred before Sept. 1, 2023, it may consider a regulated entity’s behavior from the April 2021 compliance date onwards in deciding if alleged information blocking conduct was part of a pattern of behavior. Other factors OIG anticipates considering when deciding penalty levels include the nature, circumstances, and extent of the information blocking and resulting harm, including the number of patients and/or providers affected and the number of days the information blocking persisted. OIG will also consider other factors, such as the degree of culpability, history of prior offenses, and other wrongful conduct.

When deciding whether to pursue a particular information blocking allegation, OIG indicated that it plans to prioritize enforcement for actions that:

  • Resulted in/had the potential to cause patient harm;
  • Significantly impacted providers’ ability to care for patients;
  • Are of long duration;
  • Caused financial loss to Medicare, Medicaid, or other federal healthcare programs or private entities; and
  • Were performed with actual knowledge.

Each allegation will require a facts and circumstances analysis, which OIG will conduct in coordination with ONC and other federal agencies as appropriate. Further, while OIG’s enforcement priorities may inform its decisions about which allegations to investigate, OIG states that the priorities are not dispositive, meaning it can investigate any allegations it chooses.

READ THE FULL ARTICLE ON THE HIMSS ELECTRONIC HEALTH RECORD ASSOCIATION BLOG HERE.




read more

Brexit/GDPR: European Commission Publishes Draft Adequacy Decision for Data Transfers

On 19 February 2021, the European Commission published the draft for an adequacy decision regarding transfers of personal data to the UK. For businesses in the European Union (and EEA) who transfer data to business partners and vendors in the UK, it will be crucial that the final decision is made before the end of June 2021.

Thanks to an additional transitional period for data transfers in the last-minute EU-UK Trade and Cooperation Agreement (TCA), the worst fears of data protection experts that the UK could become a “third country” overnight did not materialise. However, this period ends no later than in June 2021.

While the chances that final decision will be issued in time have now increased, companies in the EU/EEA should be aware that this is not guaranteed. In case the Commission fails to authorize data transfers to the UK, businesses should – if no other safeguards are present – be prepared enter into the standard contractual clauses (SCCs, aka Model Contracts) in order to comply with the GDPR.

McDermott can help you with identifying data transfers to the UK and choosing the right SCCs.




read more

California Voters Approve the California Privacy Rights Act

On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA) ballot initiative with slightly under 60% of votes to approve the measure (as of publication). The ballot initiative, which was submitted by the architects of the California Consumer Privacy Act of 2018 (CCPA), had earlier garnered 900,000 signatures—far more than the roughly 625,000 necessary for certification on the 2020 ballot.

The CPRA amends the CCPA, adds new consumer rights, clarifies definitions and creates comprehensive privacy and data security obligations for processing and protecting personal information. These material changes will require businesses to—again—reevaluate their privacy and data security programs to comply with the law.

Effective date and timeline for enforcement

The CPRA amendments become operative on January 1, 2023, and will apply to personal information collected by businesses on or after January 1, 2022 (except with respect to a consumer’s right to access their personal information). Enforcement of the CPRA amendments will not begin until July 1, 2023.

The CCPA’s existing exemptions for business contacts, employees, job applicants, owners, directors, officers, medical staff members and independent contractors will remain in effect until December 31, 2022.

The newly created California Privacy Protection Agency (“Agency”) will be required to adopt final regulations by July 1, 2022. For more information about the Agency and its role in enforcing the amended CCPA, see our previous article.

The passage of the CPRA does not affect the enforceability of the CCPA as currently implemented.

New rights under the CPRA

In addition to the CCPA’s rights to know, to delete, and to opt out of the sale of personal information, the CPRA creates the following new rights for California consumers:

  • The right to correct personal information
  • The right to limit the use of sensitive personal information
  • The right to opt out of the “sharing” of personal information

These rights are explained in greater detail in our previous article.

New compliance obligations for businesses subject to the CPRA?

The CPRA creates new obligations that are similar to the data processing principles found in the European Union’s General Data Protection Regulation (GDPR). Such responsibilities include:

  • Transparency: Businesses must specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice;
  • Purpose limitation: Businesses may only collect consumer’s personal information for specific, explicit and legitimate disclosed purposes and may not further collect, use or disclose consumers’ personal information for reasons incompatible with those purposes;
  • Data minimization: Businesses may collect consumers’ personal information only to the extent that it is relevant and necessary to the purposes for which it is being collected, used and shared;
  • Consumer rights: Businesses must provide consumers with easily accessible means to obtain their personal information, delete it or correct it, and to opt out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive information; and
  • Security: Businesses are required to take reasonable precautions to [...]

    Continue Reading



read more

New Proposed CCPA Regulations Add Clarity to Process for Opting Out of Sale of Personal Information

On October 12, 2020, the California Department of Justice announced the release of a new, third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The proposed modifications amend a final set of regulations that were approved by the California Office of Administrative Law just two months earlier.

The Third Set of Proposed Modifications to the CCPA Regulations released on October 12 do not make substantial changes to the previously final set of CCPA regulations. The majority of the proposed modifications serve to clarify existing requirements rather than add new requirements or materially alter existing ones. As a result, the new proposed modifications should help businesses better understand what is expected to maintain compliance with certain aspects of the CCPA.

Process for Opting Out of Sale of Personal Information

The Department of Justice proposed to amend Sections 999.306(b)(3) and 999.315(h) to provide more detail about how a business should provide the right to opt out of the sale of personal information. Specifically, the Department of Justice:

  • Provides illustrative examples of how a business that collects personal information offline can provide its opt-out notice offline—through paper forms, posting signage directing consumers to an online notice or orally over the phone.
  • Makes clear that the methods for submitting opt-out requests should be easy for consumers to find and execute. For example, consumers should not have to search or scroll to find where to submit a request to opt out after clicking on the “Do Not Sell My Personal Information” link. A business should not use confusing language, try to impair a consumer’s choice to opt out or require a consumer to read through or listen to reasons why they should not opt out before confirming their request. In addition, the process for requesting to opt out shall collect only the amount of personal information necessary to execute the request.
Verifying Authorized Agent

The Department of Justice added language to Section 999.326(a) clarifying what a business may request to verify that an agent is authorized to act on a consumer’s behalf. Specifically, a business may require an authorized agent to provide proof of signed permission from the consumer for the agent to submit the request. In addition, the business may require the consumer to either verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request. Previously, a business had to go through the consumer to verify the authorized agent. Now, a business can verify the authorized agent directly.

Notices to Consumers Under 16 Years of Age

Finally, the Department of Justice clarified in Section 999.332(a) that all businesses that sell personal information about children must describe in their privacy policies the processes used to obtain consent from the child or parent (as applicable). Previously, the regulations were worded such that only a business that sells the personal information of both consumers under 13 and consumers between 13 [...]

Continue Reading




read more

Double Trouble for Data Transfers Post-Brexit and Post-Schrems II?

On 16 July 2020, Europe’s highest court, the CJEU, ruled in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems that individuals in Europe had insufficient redress against US bulk interception rules when their personal data was transferred to the United States under the US Department of Commerce “Privacy Shield” mechanism. This ruling followed a long running campaign by the activist, Max Schrems, who’s prior case to the CJEU invalidated the predecessor to the Privacy Shield, the Safe Harbor.

It is a general tenet of European data protection law that, when personal data is exported from the European Union, any further processing must be to European standards unless the local data protection laws are considered “adequate” by the European Commission. Self-certification under the US Privacy Shield mechanism was a popular method for providing adequate data protection amongst US based service providers which had European customers and regularly needed to transfer personal data from Europe to the United States.

Schrems II impacts not only the over 5,300 US companies that enjoyed Privacy Shield self-certification, but also the many thousands of EU and US companies that rely upon US companies in their supply chain for data processing. This supply chain could include outsourcing, cloud services, data processing, data storage, telecommunications and the like.

Click here to read the full article, and many more in our latest International News: Focus on Global Privacy and Cybersecurity.




read more

Schrems II Special Report: What Does the CJEU’s Decision Mean for Transfers From the EEA to the US?

For our Schrems II Practical Guidance special report, members of McDermott’s internationally recognized Global Privacy & Cybersecurity group have outlined practical guidance and next steps to ensure your business is prepared for what’s next following the final ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems.

As your organization navigates the post-Schrems II landscape following the CJEU’s recent decision, consider McDermott your first point of call. We have deep experience advising global clients on compliance with the complex array of privacy and cybersecurity obligations affecting data that crosses borders or relates to foreign employees and individuals.

Practical Guidance for Businesses (US Edition)

Practical Guidance for Businesses (Global – EEA/UK Edition)




read more

Preparing Your Data for a Post-COVID-19 World

The US healthcare system’s data infrastructure needs an overhaul to prepare for future health crises, streamline patient care, improve data sharing and accessibility among patients, providers and government entities, and move toward the delivery of coordinated care. With insights from leaders from Arcadia, Validic and McDermott, we recently discussed key analyses and updates on the interoperability and application programming interfaces (API) criteria from the 21st Century Cures Act, stakeholder benefits of healthcare data exchange and data submission facilitation for public health purposes. Click here to listen to the webinar recording, and read on for highlights from the program.

To learn more about the “Around the Corner” webinar series and attend an upcoming program, click here.

PROGRAM INSIGHTS

  • COVID-19 is reshaping healthcare through technology. Hospitals, clinicians and payors need to use digital health tools to address the challenges of the coronavirus (COVID-19) public health pandemic. How COVID-19 data and health information are captured, and then move through electronic systems, will form the foundation by which digital health tools can become effective in identifying cases, treating them and ensuring favorable outcomes.
  • API certification requirements under the 21st Century Cures Act are designed to enhance the accessibility of electronic health information. The 21st Century Cures Act’s purpose is to advance interoperability, address information blocking, support seamless exchange of electronic health information and promote patient access. Putting data from electronic health records (EHRs) into patients’ hands through consumer-facing apps will empower them to understand and take control of their health.
  • EHR vendors will be required to offer APIs that comply with the Fast Healthcare Interoperability Resource (FHIR) standard by May 1, 2022. The 21st Century Cures Act Final Rule will require EHR vendors to offer FHIR based APIs that make electronic health information more readily available to third-party applications (apps) of patients’ and providers’ choosing. API standardization will make it easier for third-party developers to build these apps, and for patients and providers wishing to use third-party apps to leverage their electronic health information for various purposes, including health information exchange and population health management.

 

  • Interoperability refers to the standards that make it possible for different EHR systems to exchange patient medical records and information between providers. Increased interoperability between EHR systems using harmonized standards allows for a more seamless transfer of patient data between providers. The interoperability requirements in the 21st Century Cures Act have the potential to advance patient access to their data and the use of information among physicians.
  • Both providers and patients can drive data exchange. One challenge impacting data exchange between patients and providers is that providers cannot always access or integrate data that patients have created with third-party tools (e.g., fitness trackers). However, there is emerging technology designed to aggregate and standardize consumer-generated health information, [...]

    Continue Reading



read more

Future Forward: Data Arrangements During and After COVID-19

The need for speedy and more complete access to data is instrumental for healthcare providers, researchers, pharmaceutical, biotech and device companies and public health authorities as they work to quickly identify infection rates, disease trends, outcomes, including antibodies, and opportunities for treatments and vaccines for COVID-19.

A variety of data sharing and collaborations have emerged in the wake of this crisis, such as:

  • Requests and mandates by public health authorities, either directly or via providers’ business associates requesting real time information on infections and bed and equipment availability
  • Data sharing collaborations among providers for planning, anticipating and tracking COVID-19 caseloads
  • Data sharing among providers, professional societies and pharmaceutical, biotech and medical device companies in search of testing options, treatment and vaccine solutions, and evaluation of co-morbidities

CLICK HERE TO VIEW THE FULL INFOGRAPHIC.




read more

Consumer Demand in Digital Health Data and Innovation

Digital health companies are producing increasingly innovative products at a rapidly accelerating pace, fueled in large part by the expansive healthcare data ecosystem and the data strategies for harnessing the power of that ecosystem. The essential role data strategies play make it imperative to address the data-related legal and regulatory considerations at the outset of the innovation initiative and throughout the development and deployment lifecycle so as to protect your investment in the short and long term.

The Evolution of Digital Health

Digital health today consists of four key components: electronic health records, data analytics, telehealth, and patient and consumer engagement tools. Electronic health records were most likely first, followed very closely by data analytics. Then telehealth deployment rapidly increased in response to both demand by patients and providers, the improved care delivery and access it offers, and more recently, the expanded reimbursement for telehealth solutions. Each component of digital health was developed somewhat independently, but they have now converged and are interrelated, integral parts of the overall digital health ecosystem.

The patient and consumer engagement dimension of digital health has exploded over the last five years. This is due, in large part, to consumer and patient demand for greater engagement in the management of their healthcare, as well as the entry of disruptors, such as technology service providers, e-commerce companies, consumer products companies and entrepreneurs. At this point in the evolution of the digital health landscape, the patient and consumer engagement tool dimension pulls in all other key components and no digital health consumer engagement tool is complete without the full package.

Data Strategies and Collaborations as Key Innovation Ingredients

No digital health initiative can be developed, pursued or commercialized without data. But the world of data aggregation and analytics has also changed significantly and become immensely complex in recent years. Digital health innovation is no longer working exclusively within the friendly confines of the electronic health record and the carefully regulated, controlled and structured data it holds. Today, digital health innovation relies on massive amounts of data in a variety of types, in various forms, from a wide variety of sources, and through a wide variety of tools, including patient and consumer wearables and mobile devices.

(more…)




read more

STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law