Results for ""
Subscribe to Results for ""'s Posts

Brexit/GDPR: European Commission Publishes Draft Adequacy Decision for Data Transfers

On 19 February 2021, the European Commission published the draft for an adequacy decision regarding transfers of personal data to the UK. For businesses in the European Union (and EEA) who transfer data to business partners and vendors in the UK, it will be crucial that the final decision is made before the end of June 2021.

Thanks to an additional transitional period for data transfers in the last-minute EU-UK Trade and Cooperation Agreement (TCA), the worst fears of data protection experts that the UK could become a “third country” overnight did not materialise. However, this period ends no later than in June 2021.

While the chances that final decision will be issued in time have now increased, companies in the EU/EEA should be aware that this is not guaranteed. In case the Commission fails to authorize data transfers to the UK, businesses should – if no other safeguards are present – be prepared enter into the standard contractual clauses (SCCs, aka Model Contracts) in order to comply with the GDPR.

McDermott can help you with identifying data transfers to the UK and choosing the right SCCs.




read more

FDA Issues Artificial Intelligence/Machine Learning Action Plan

On January 12, 2021, the US Food and Drug Administration (FDA) released its Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan. The Action Plan outlines five actions that FDA intends to take to further its oversight of AI/ML-based SaMD:

  1. Further develop the proposed regulatory framework, including through draft guidance on a predetermined change control plan for “learning” ML algorithms
    • FDA intends to publish the draft guidance on the predetermined change control plan in 2021 in order to clarify expectations for SaMD Pre-Specifications (SPS), which explain what “aspects the manufacturer changes through learning,” and Algorithm Change Protocol (ACP), which explains how the “algorithm will learn and change while remaining safe and effective.” The draft guidance will focus on what should be included in an SPS and ACP in order to ensure safety and effectiveness of the AI/ML SaMD algorithms. Other areas of focus include identification of modifications appropriate under the framework and the submission and review process.
  2. Support development of good machine learning practices (GMLP) to evaluate and improve ML algorithms
    • GMLPs are critical in guiding product development and oversight of AI/ML products. FDA has developed relationships with several communities, including the Institute of Electrical and Electronics Engineers P2801 Artificial Intelligence Medical Device Working Group, the International Organization for Standardization/ Joint Technical Committee 1/ SubCommittee 42 (ISO/ IEC JTC 1/SC 42) – Artificial Intelligence, and the Association for the Advancement of Medical Instrumentation/British Standards Institution Initiative on AI in medical technology. FDA is focused on working with these communities to come to a consensus on GMLP requirements.
  3. Foster a patient-centered approach, including transparency
    • FDA would like to increase patient education to ensure that users have important information about the benefits, risks and limitations of AI/ML products. To that end, FDA held a Patient Engagement Advisory meeting in October 2020, and the agency will use input gathered during the meeting to help identify types of information that it will recommend manufacturers include in AI/ML labeling to foster education and promote transparency.
  4. Develop methods to evaluate and improve ML algorithms
    • To address potential racial, ethical or socio-economic bias that may be inadvertently introduced into AI/ML systems that are trained using data from historical datasets, FDA intends to collaborate with researchers to improve methodologies for the identification and elimination of bias, and to improve the algorithms’ robustness to adapt to varying clinical inputs and conditions.
  5. Advance real world performance monitoring pilots
    • FDA states that gathering real world performance data on the use of the SaMD is an important risk-mitigation tool, as it may allow manufacturers to understand how their products are being used, how they can be improved, and what safety or usability concerns manufacturers need to address. To provide clarity and direction related to real world performance data, FDA supports the piloting of real world performance monitoring. FDA will develop a framework for gathering, validating and evaluating relevant real world performance parameters [...]

      Continue Reading



read more

Waiver of State Licensure Requirements for the Delivery of COVID-19 Countermeasures via Telehealth

In a fourth amendment to the March 17, 2020, Public Readiness and Emergency Preparedness Act (PREP Act), the US Department of Health and Human Services (HHS) has expanded access to COVID-19 Covered Countermeasures through telehealth and clarified the scope of liability protections provided by the PREP Act. In particular, the declaration is important to telehealth providers because it appears to preempt, under certain circumstances, state laws that have limited cross-border practice of medicine using telehealth. Healthcare providers should take note that the licensure exception and any immunity protections are limited to healthcare providers who are ordering or administering a Covered Countermeasure and there is no indication of intent to expand beyond these focused measures.

Access the article.




read more

California Voters Approve the California Privacy Rights Act

On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA) ballot initiative with slightly under 60% of votes to approve the measure (as of publication). The ballot initiative, which was submitted by the architects of the California Consumer Privacy Act of 2018 (CCPA), had earlier garnered 900,000 signatures—far more than the roughly 625,000 necessary for certification on the 2020 ballot.

The CPRA amends the CCPA, adds new consumer rights, clarifies definitions and creates comprehensive privacy and data security obligations for processing and protecting personal information. These material changes will require businesses to—again—reevaluate their privacy and data security programs to comply with the law.

Effective date and timeline for enforcement

The CPRA amendments become operative on January 1, 2023, and will apply to personal information collected by businesses on or after January 1, 2022 (except with respect to a consumer’s right to access their personal information). Enforcement of the CPRA amendments will not begin until July 1, 2023.

The CCPA’s existing exemptions for business contacts, employees, job applicants, owners, directors, officers, medical staff members and independent contractors will remain in effect until December 31, 2022.

The newly created California Privacy Protection Agency (“Agency”) will be required to adopt final regulations by July 1, 2022. For more information about the Agency and its role in enforcing the amended CCPA, see our previous article.

The passage of the CPRA does not affect the enforceability of the CCPA as currently implemented.

New rights under the CPRA

In addition to the CCPA’s rights to know, to delete, and to opt out of the sale of personal information, the CPRA creates the following new rights for California consumers:

  • The right to correct personal information
  • The right to limit the use of sensitive personal information
  • The right to opt out of the “sharing” of personal information

These rights are explained in greater detail in our previous article.

New compliance obligations for businesses subject to the CPRA?

The CPRA creates new obligations that are similar to the data processing principles found in the European Union’s General Data Protection Regulation (GDPR). Such responsibilities include:

  • Transparency: Businesses must specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice;
  • Purpose limitation: Businesses may only collect consumer’s personal information for specific, explicit and legitimate disclosed purposes and may not further collect, use or disclose consumers’ personal information for reasons incompatible with those purposes;
  • Data minimization: Businesses may collect consumers’ personal information only to the extent that it is relevant and necessary to the purposes for which it is being collected, used and shared;
  • Consumer rights: Businesses must provide consumers with easily accessible means to obtain their personal information, delete it or correct it, and to opt out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive information; and
  • Security: Businesses are required to take reasonable precautions to [...]

    Continue Reading



read more

Federal Agencies Partner to Warn Healthcare Systems of Imminent Cyber Threat

US hospitals and healthcare systems should be on high alert after a rare joint advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) warning all US hospitals and healthcare providers of an “increased and imminent cybercrime threat to US hospitals and healthcare providers.” The joint advisory can be found here.

Access the article.




read more

New Proposed CCPA Regulations Add Clarity to Process for Opting Out of Sale of Personal Information

On October 12, 2020, the California Department of Justice announced the release of a new, third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The proposed modifications amend a final set of regulations that were approved by the California Office of Administrative Law just two months earlier.

The Third Set of Proposed Modifications to the CCPA Regulations released on October 12 do not make substantial changes to the previously final set of CCPA regulations. The majority of the proposed modifications serve to clarify existing requirements rather than add new requirements or materially alter existing ones. As a result, the new proposed modifications should help businesses better understand what is expected to maintain compliance with certain aspects of the CCPA.

Process for Opting Out of Sale of Personal Information

The Department of Justice proposed to amend Sections 999.306(b)(3) and 999.315(h) to provide more detail about how a business should provide the right to opt out of the sale of personal information. Specifically, the Department of Justice:

  • Provides illustrative examples of how a business that collects personal information offline can provide its opt-out notice offline—through paper forms, posting signage directing consumers to an online notice or orally over the phone.
  • Makes clear that the methods for submitting opt-out requests should be easy for consumers to find and execute. For example, consumers should not have to search or scroll to find where to submit a request to opt out after clicking on the “Do Not Sell My Personal Information” link. A business should not use confusing language, try to impair a consumer’s choice to opt out or require a consumer to read through or listen to reasons why they should not opt out before confirming their request. In addition, the process for requesting to opt out shall collect only the amount of personal information necessary to execute the request.
Verifying Authorized Agent

The Department of Justice added language to Section 999.326(a) clarifying what a business may request to verify that an agent is authorized to act on a consumer’s behalf. Specifically, a business may require an authorized agent to provide proof of signed permission from the consumer for the agent to submit the request. In addition, the business may require the consumer to either verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request. Previously, a business had to go through the consumer to verify the authorized agent. Now, a business can verify the authorized agent directly.

Notices to Consumers Under 16 Years of Age

Finally, the Department of Justice clarified in Section 999.332(a) that all businesses that sell personal information about children must describe in their privacy policies the processes used to obtain consent from the child or parent (as applicable). Previously, the regulations were worded such that only a business that sells the personal information of both consumers under 13 and consumers between 13 [...]

Continue Reading




read more

National Telehealth Takedown Highlights Opportunity for Providers to Enhance Compliance Efforts

The US Department of Justice and the US Department of Health and Human Services Office of Inspector General recently announced a significant healthcare fraud takedown involving $4.5 billion in allegedly false and fraudulent claims involving telehealth. The allegations involved telehealth executives paying healthcare providers to order unnecessary items and services, as well as payments from durable medical equipment companies, laboratories and pharmacies for those orders. While the alleged conduct is not representative of the legitimate and crucial telehealth services offered by the vast majority of healthcare providers, the government’s continued focus on telehealth arrangements, combined with the ongoing expansion of coverage for telehealth services, provides an important opportunity for healthcare providers to evaluate their telehealth service offerings and arrangements and to further enhance their related compliance activities.

In Depth

On September 30, 2020, the US Department of Justice (DOJ) issued a press release describing the largest national healthcare fraud and opioid enforcement action in the DOJ’s history (the Takedown). The Takedown involved coordination with the US Department of Health and Human Services Office of Inspector General (OIG) and other federal and state law enforcement agencies, and resulted in cases against more than 345 defendants in 51 judicial districts. The government charged the defendants with participating in healthcare fraud schemes involving more than $6 billion in alleged losses to federal health care programs, with the vast majority of alleged losses ($4.5 billion) stemming from arrangements involving alleged “telefraud.”

According to the DOJ press release, a recently announced National Rapid Response Strike Force led the initiative focused on telehealth. The National Rapid Response Strike Force is part of the Health Care Fraud Unit of DOJ’s Criminal Division Fraud section, and its mission is to “investigate and prosecute fraud cases involving major health care providers that operate in multiple jurisdictions, including major regional health care providers operating in the Criminal-Division-led Health Care Fraud Strike Forces throughout the United States.”

Background

In recent years, the government has increasingly focused on alleged healthcare fraud schemes involving telehealth services. In connection with the Takedown, OIG issued a fact sheet and graphic highlighting the increase in “telefraud” arrangements leveraging “aggressive marketing and so-called telehealth services.” The individuals charged in the Takedown included telehealth company executives, medical providers, marketers and business owners who allegedly used telemarketing calls, direct mail, and television and internet advertisements to collect information from unsuspecting patients.

Many of the cases involved telehealth executives who allegedly paid healthcare providers to order unnecessary durable medical equipment (DME), genetic and other diagnostic testing, and medications, either without any patient interaction or with only a brief phone call. The government alleged that the arrangements involved kickbacks to telehealth executives after the DME company, laboratory or pharmacy billed Medicare or Medicaid for items and services that the government asserts were often not provided to beneficiaries or were “worthless to patients . . . and delayed their chance to seek appropriate treatment for medical complaints.”

DOJ provided a [...]

Continue Reading




read more

OFAC Advisory Warns of Civil Penalties for Ransomware Payments

On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory alert that serves as a warning to entities who have been or will be the victim of a ransomware attack. As such, the crucial decision of whether to pay a ransom now comes with the additional risk of legal scrutiny by a powerful federal agency and the possibility of steep fines.

Access the article.




read more

CCPA Amendment Update: California Governor Approves CCPA Amendment with Exceptions for HIPAA De-Identified Information and Other Health Data

On September 25, 2020, Governor Gavin Newsom signed into law California AB 713, which amends the California Consumer Privacy Act (CCPA) to create expanded exceptions for: HIPAA business associates; information that has been de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and information collected, used or disclosed in certain human subjects research. AB 713 reflects an intense lobbying effort by medical technology, pharmaceutical, and other health and life sciences industry stakeholders. AB 713 became effective immediately following Governor Newsom’s signature, as the bill included an urgency clause calling for immediate action to mitigate the CCPA’s potential negative impact on health-related research.

AB 713 eases some of the CCPA compliance challenges experienced by the health care and life sciences industries by more closely aligning the CCPA with HIPAA and other laws governing human subjects research. However, AB 713 also creates new compliance obligations by requiring entities subject to requirements for “businesses” under the CCPA, as well as other entities residing or doing business in California, to include certain provisions in license agreements or other contracts for the sale or license of de-identified patient information. While AB 713 becomes effective immediately, as discussed below, it requires compliance with the new contracting requirement beginning January 1, 2021.

We summarize below the salient provisions of AB 713.

Exception for De-identified Patient Information

AB 713 provides relief to health care, life sciences and other organizations that have been grappling with how to achieve compliance with the previously inconsistent de-identification standards under HIPAA and the CCPA. Without AB713’s CCPA amendment, it was possible for data that has been de-identified under the HIPAA de-identification standard to constitute “personal information” under the CCPA because CCPA and the HIPAA Privacy Rule include different language for their respective de-identification standards. This has complicated CCPA-regulated businesses’ strategies for licensing or otherwise commercializing HIPAA de-identified data. For example, HIPAA protected health information that has been de-identified under HIPAA may still contain identifiers of California physicians or other individuals who serve patients. These identifiers may have constituted “personal information” under the CCPA when held by a CCPA-regulated business, creating a right under the CCPA for the individuals to opt out of sales of the personal information. For more information about the inconsistent HIPAA and CCPA de-identification standards, see our On the Subject.

AB 713 resolves the potential disconnect between the CCPA and HIPAA’s de-identification standards by expressly providing that the CCPA does not apply to information that meets the following conditions:

  • The information has been de-identified in accordance with a HIPAA de-identification method (i.e., the safe harbor or expert determination method).
  • The information was derived from patient information that was originally collected, created, transmitted or maintained by an entity subject to HIPAA, the California Confidentiality of Medical Information Act (CMIA) or the Federal Policy for the Protection of Human Subjects (Common Rule). “Patient information” means protected health information or individually identifiable health information under HIPAA, identifiable private information under the [...]

    Continue Reading



read more

Double Trouble for Data Transfers Post-Brexit and Post-Schrems II?

On 16 July 2020, Europe’s highest court, the CJEU, ruled in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems that individuals in Europe had insufficient redress against US bulk interception rules when their personal data was transferred to the United States under the US Department of Commerce “Privacy Shield” mechanism. This ruling followed a long running campaign by the activist, Max Schrems, who’s prior case to the CJEU invalidated the predecessor to the Privacy Shield, the Safe Harbor.

It is a general tenet of European data protection law that, when personal data is exported from the European Union, any further processing must be to European standards unless the local data protection laws are considered “adequate” by the European Commission. Self-certification under the US Privacy Shield mechanism was a popular method for providing adequate data protection amongst US based service providers which had European customers and regularly needed to transfer personal data from Europe to the United States.

Schrems II impacts not only the over 5,300 US companies that enjoyed Privacy Shield self-certification, but also the many thousands of EU and US companies that rely upon US companies in their supply chain for data processing. This supply chain could include outsourcing, cloud services, data processing, data storage, telecommunications and the like.

Click here to read the full article, and many more in our latest International News: Focus on Global Privacy and Cybersecurity.




read more

STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law