Results for ""
Subscribe to Results for ""'s Posts

Double Trouble for Data Transfers Post-Brexit and Post-Schrems II?

On 16 July 2020, Europe’s highest court, the CJEU, ruled in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems that individuals in Europe had insufficient redress against US bulk interception rules when their personal data was transferred to the United States under the US Department of Commerce “Privacy Shield” mechanism. This ruling followed a long running campaign by the activist, Max Schrems, who’s prior case to the CJEU invalidated the predecessor to the Privacy Shield, the Safe Harbor.

It is a general tenet of European data protection law that, when personal data is exported from the European Union, any further processing must be to European standards unless the local data protection laws are considered “adequate” by the European Commission. Self-certification under the US Privacy Shield mechanism was a popular method for providing adequate data protection amongst US based service providers which had European customers and regularly needed to transfer personal data from Europe to the United States.

Schrems II impacts not only the over 5,300 US companies that enjoyed Privacy Shield self-certification, but also the many thousands of EU and US companies that rely upon US companies in their supply chain for data processing. This supply chain could include outsourcing, cloud services, data processing, data storage, telecommunications and the like.

Click here to read the full article, and many more in our latest International News: Focus on Global Privacy and Cybersecurity.




read more

After the Curve Podcast: Focus on Digital Health

COVID-19 has demanded a rapid shift in the world of telehealth and digital health, resulting in a global embracing of a telehealth and digital health system that is not yet fully developed. On this episode of the McDermott Health podcast, our digital health partners have joined to discuss the future of telehealth and use of digital tools to speed up care delivery and to improve outcomes in the wake of COVID-19, as well as the vital role of data readiness in reshaping the healthcare system. McDermott’s Chief Marketing Officer Leslie Tullio is joined by partners Stephen Bernstein and Lisa Mazur to examine current trends and potential changes to both telehealth as well as the broader digital health landscape, including:

  • The most impactful regulatory telehealth changes that have resulted from COVID-19
  • A look beyond telehealth to a paradigm shift in the broader digital health landscape
  • The impact that a more refined data exchange pathway could have on treatment during the next wave of COVID-19 or future pandemics
  • Meaningful collaborations that are currently happening in the digital health space
  • A look at innovations that are emerging from the demands of post-COVID-19 healthcare
  • Legal and regulatory compliance steps that still need to be taken to allow these telehealth programs to continue in the future

LISTEN NOW




read more

Data Protection During and After the Pandemic: Consolidate, Update and Innovate

Having adapted products, processes, services, facilities and IT systems in response to Coronavirus (COVID-19), businesses should now refocus on their legal and business fundamentals as they move towards returning to the office. Compliance policies should be updated, Brexit contingency plans reinvigorated, and upcoming legal and regulatory changes anticipated.

While taking these steps, businesses should bear in mind a number of key data protection and IT/cybersecurity fundamentals, and take the opportunities afforded by the return to work period to kick-start new initiatives.

Click here to read the full article, and many more in our latest International News: Focus on Global Privacy and Cybersecurity.

 




read more

Brazil’s LGPD Takes Effect—With Early Enforcement

Brazil represents over half of all IT spend in Latin America, has the largest regional market for software outsourcing, employs a sizable IT workforce, manufactures consumer goods (including commercial airplanes and cars) and has an active consumer market of social media operated by global data aggregators. At a time when data privacy is becoming increasingly important to consumers, it seems only fitting that Brazil would adopt comprehensive privacy legislation to protect data privacy rights.

The General Data Protection Law, the first law of its kind in Brazil, is now in effect, and we are already seeing enforcement. Streamlining the legal framework on data protection, the law sets forth a number of requirements addressing legal bases for processing, individual rights, governance and accountability and data transfers.

Access the article.




read more

The Uncertain “State” of US Data Protection Law: California Leads the Way

The California Consumer Privacy Act of 2018 (CCPA), which took effect this year, introduced a complicated data protection framework for the personal information of California residents, imposing a variety of new obligations on affected businesses. Although the interpretation of many of the CCPA’s provisions remains unsettled—and proposed regulations are still pending— the CCPA’s original architects have already advanced another proposed law, the California Privacy Rights Act (CPRA), which will be decided in a statewide referendum this November. If enacted, the CPRA would substantially amend the CCPA, granting consumers additional rights and imposing further liability on businesses.

Whether or not it passes, the proposed CPRA highlights the fluid state of the US legal environment for data protection, which has left businesses around the world struggling to account for the uncertain risks and compliance costs posed by these developments.

It did not have to be this way. The developments in California are due in part to the failure of the US Congress to enact comprehensive federal data protection legislation. Despite widespread support, compromise on a federal standard remains elusive, with legislators unable to agree on critical questions, such as whether or not the law will pre-empt state laws like the CCPA.

Click here to read the full article, and many more in our latest International News: Focus on Global Privacy and Cybersecurity.




read more

Privacy Considerations for COVID-19 Digital Contact Tracing

Generally, contact tracing refers to an effort by public health officials to identify individuals with whom a patient who has tested positive for an infectious disease has been in close proximity. Public health officials will inform these individuals that they were exposed to a contagious patient and encourage them to monitor their symptoms and quarantine for a period of time.

In response to COVID-19, governments around the world have explored using digital contact tracing, by which smartphone users download an application (app) to enable public health officials to track infected individuals’ contacts. In addition, private sector companies are exploring how digital technologies can be used for contact tracing on employees as they reenter the workplace.

(more…)




read more

Uber Criminal Complaint Raises the Stakes for Breach Response

On August 20, 2020, a criminal complaint was filed charging Joseph Sullivan, Uber’s former chief security officer, with obstruction of justice and misprision of a felony in connection with an alleged attempted cover-up of a 2016 data breach. These are serious charges for which Mr. Sullivan has the presumption of innocence.

At the time of the 2016 data breach, Uber was being investigated by the US Federal Trade Commission (FTC) in connection with a prior data breach that occurred in 2014. According to the complaint, the hackers behind the 2016 breach stole a database containing the personal information of about 57 million Uber users and drivers. The hackers contacted Uber to inform the company of the attack and demanded payment in return for their silence. According to the complaint, Uber’s response was to attempt to recast the breach as a legitimate event under Uber’s “bug bounty” program and pay a bounty. An affidavit submitted with the complaint portrays a detailed story of deliberate steps undertaken by Mr. Sullivan to allegedly conceal the 2016 breach from the FTC, law enforcement and the public.

Contemporaneous with the filing of the complaint, the Department of Justice (DOJ) submitted a press release quoting US Attorney for the Northern District of California David L. Anderson:

“We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”

The press release also quoted Federal Bureau of Investigation (FBI) Deputy Special Agent in Charge Craig Fair:

“Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”

Collectively, the case and statements from the DOJ are probably a unicorn based on, if the facts as alleged are true, a case involving a deliberate cover-up of a data breach in the course of an active FTC investigation. However, many of the statements from the DOJ and the specific allegations in the complaint appear to have potentially far-reaching implications (for companies, their executives and cybersecurity professionals) that breach response counsel must seriously consider in future incidents.

A common question when responding to a ransomware or other cyberattack is whether and when to inform law enforcement. The criminal complaint has the potential to make this an even more difficult decision for future cyberattack victims. Further, while the alleged conduct at issue may seem particularly egregious, the DOJ’s statements could cause a blurring of the lines between what the government may contend is illegal concealment of a security incident and activities generally thought to be legitimate security incident risk and exposure mitigation. We explore these and other key takeaways from the criminal complaint in more detail below.

[...]

Continue Reading



read more

The Toughest Problem Set: Navigating Regulatory and Operational Challenges on University Campuses

When the academic year ended in the spring of 2020, many US university students assumed that a return to campus would be straightforward this fall. However, it is now clear—at least in the near term—that a return to the old “normal” will not be possible. Some universities have concluded that their best course of action is to offer only distanced learning for the time being. Other universities, however, are welcoming students back onto campus, and into residence and dining halls, classrooms, labs and libraries. Each of those universities is developing its own approach to retain the benefits of on-campus student life while reducing risk to the greatest extent possible; nevertheless, some have had to adjust their plans to pivot to remote learning when faced with clusters of positive cases on campus. One thing is clear: The fall semester will be a real-time, national learning laboratory.

Because widespread, rapid testing remains unavailable in many locations, universities have had to find innovative ways to implement testing, tracing and isolation protocols to reduce the risk of transmission among students, faculty and staff. There is no one perfect protocol—all universities are in unchartered waters. But there are a few key components university administrators may want to consider and address:

  • Apps: Symptom checkers, contact tracing and other apps can be useful in identifying and focusing attention on the onset of symptoms, fostering accountability and identifying high-risk exposure. In considering whether to incorporate apps and related technologies into their back to campus plans, universities must anticipate and address considerations related to privacy, security and reporting of results, and will need to consider how such apps are hosted (for example, through Apple’s App Store) and whether any third parties will have access to the personal data collected.
  • Contact Tracing: In addition to the issues noted above, contact tracing efforts also present other challenges, including managing reliability, over/under inclusiveness and liability (for both false positives and false negatives). In addition, the effectiveness of contact tracing is closely tied to its speed and comprehensiveness; to implement a successful contact tracing program, universities will need to balance effectiveness with privacy and autonomy.
  • CLIA: The Clinical Laboratory Improvement Act (CLIA) will require that many of the tests be performed in CLIA-certified (and state-licensed, where required) space. Universities will need to consider how best to handle building out additional compliant space, creating additional “point of care” testing or specimen collection sites if needed to test students, faculty and staff where they are and validating the test(s) being offered. Tests that are not yet validated likely cannot be used to return patient-specific results that inform student and staff care or be used to prompt “official” testing.
  • FDA/Emergency Use Authorizations (EUA): In general, the Food and Drug Administration (FDA) expects developers of molecular, antigen and (in the case of test kit manufacturers) antibody tests to obtain an EUA. However, under FDA enforcement policies during the pandemic, many of these same tests—if validated and offered with appropriate agency-mandated disclaimers—can be offered before [...]

    Continue Reading



read more

Digital Health at Scale: The Payor Perspective

The COVID-19 pandemic has catalyzed efforts by health insurers to expand reimbursement for telehealth services and digital health tools, and develop and invest in their own digital health technology. Health insurers, who increasingly play a hybrid role of payor, innovator and provider, have a vested interest in helping consumers manage chronic diseases and engage in preventive care from home, both during the public health emergency and after.

Joined by leaders from Humana, Oscar, and Medorion, we discussed the role of health insurers in the evolving digital health market, reimbursement pathways for digital tools and innovative partnerships between technology companies and health insurers. Click here to listen to the webinar recording, and read on for highlights from the program.

PROGRAM INSIGHTS

  • COVID-19 has accelerated the integration of digital health into the traditional health insurance framework. Pre-COVID-19, health insurers were using digital health tools to help their members find providers, access care and manage health conditions. COVID-19 has hastened health plans’ efforts toward vertical integration of digital health technology. Health insurers at the forefront of this effort are focused on creating a consumer-centric, digitally enabled and fully integrated healthcare ecosystem to enhance the member experience, bend the cost curve and carve out an essential (and expanded) role for themselves in the future of healthcare. As consumer behavior continues to change as a result of COVID-19, health insurers will have to be responsive to the way their members are getting care and interacting with the healthcare system.
  • Health insurers are uniquely situated to leverage digital health technologies. Data-driven technology is only as good as the data behind it. Due to the critical role health insurers play in paying for healthcare services, they have insight into member patterns of care and utilization that can be used to target interventions, influence member decision-making and improve health. Investments in digital tools and analytics, as well as strategic partnerships with technology companies, will allow for increased leverage of this valuable data, improved integration of member health information and enhanced member engagement.
  • Interoperability with existing health IT systems is crucial to break down barriers to digital health implementation. Healthcare has been grappling with data interoperability challenges for decades. To scale and make the information from digital tools actionable as part of a larger care plan, digital health platforms must also be interoperable with existing health IT systems. Interoperability will also allow insurers to gather a more complete picture of a member’s longitudinal health data and enable them to better support member health.
  • Health insurers and their legal teams will need to remain nimble amidst the rapidly changing regulatory environment. Keeping up with changing regulations during the COVID-19 public health emergency while planning to scale up in terms of technology implementations is a delicate balance. Though federal, state and local agencies appreciate that digital health tools and telemedicine have much potential in terms of patient care, health insurance companies remain vigilant of privacy and security risks and continue to be constrained in their [...]

    Continue Reading



read more

Remote Care Providers Await Final New Jersey Registration and Reporting Regulations

In 2017, the New Jersey legislature passed the New Jersey Telehealth and Telemedicine Act (codified at N.J.S.A. 45:1-61 et seq.), which established registration and reporting requirements for “telemedicine and telehealth organizations.” After a multi-year wait for details regarding the registration process, the New Jersey Department of Health (NJ DOH) published a proposed rule in April 2020 that brought providers of telehealth services in New Jersey one step closer to the implementation and enforcement of the registration requirements. A final rule is expected by April 2021.

New Jersey providers are also expecting the publication of a proposed rule detailing the reporting requirements for registered organizations. While the coronavirus (COVID-19) public health emergency has led many states to implement waivers and other measures to allow for the expansion of remote healthcare services within their states, telehealth and telemedicine organizations operating in New Jersey should prepare to comply with additional requirements and the outlay of annual registration fees if the state finalizes the registration requirements as proposed.

Background: The 2017 Telemedicine and Telehealth Act

For purposes of the Act, a “telemedicine or telehealth organization” is defined as a corporate entity “that is organized for the primary purpose of administering services in furtherance of telemedicine or telehealth.” The Act differentiates telemedicine from telehealth: “telehealth” is the use of information and communications technologies (including telephones, remote patient monitoring devices or other electronic means) to support clinical healthcare, provider consultation, patient and professional health-related education, public health, health administration and other services, whereas “telemedicine” is the delivery of healthcare services using electronic or technological means (not including the use, in isolation, of audio-only telephone, electronic mail, instant messaging, phone text or facsimile transmission) to “bridge the gap” between a healthcare provider located at a distant site and a patient located at an originating site.

In addition to establishing requirements for providers’ use of telemedicine and telehealth, the Act requires telemedicine or telehealth organizations to register with the NJ DOH annually, and to submit annual reports to the NJ DOH that include data elements established by the NJ DOH commissioner and, at a minimum, the following de-identified encounter data:

  • The total number of telemedicine and telehealth encounters conducted
  • The type of technology utilized to provide services using telemedicine or telehealth
  • The category of medical condition for which services were sought
  • The geographic region of the patient and the provider
  • The patient’s age and sex
  • Any prescriptions issued.

The Act did not establish any enforcement mechanism for the registration and reporting requirements, and because the NJ DOH has not yet implemented criteria for registering or reporting, New Jersey providers of remote health services have generally operated without regard to these statutory requirements.

Implementation of the Registration Requirement

The April 2020 proposed rule would implement the registration requirement for telemedicine or telehealth organizations and establish enforcement mechanisms available to the NJ DOH against any telemedicine or telehealth organization that fails to comply.

The proposed rule would require telemedicine and telehealth organizations to register with the NJ DOH [...]

Continue Reading




read more

STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law