data privacy
Subscribe to data privacy's Posts

Access To Digital Health Applications And Digital Care Applications In Germany

On 20 January 2021, the German Federal Cabinet approved the draft law on the digital modernization of healthcare and nursing care. The draft has been criticized for not taking into account lessons learned from the implementation of the 2019 digital health applications law.

The legally enforceable right of patients insured in the Germany statutory healthcare system (SHI) to be able to access digital health applications (DiGAs) was included in the German SHI code (SGB V) at the end of 2019.

DiGAs are low-risk medical devices (risk class I and IIa) that are primarily based on digital technologies and support the detection, monitoring, treatment, or alleviation of diseases, injuries, or disabilities. Under the SGB V, DiGAs have to be approved by the German Federal Institute for Drugs and Medical Devices (BfArM) and included in the DiGA List before doctors can prescribe them to their patients on an individual basis and at the SHI’s expense. Among the DiGAs listed by BfArM since the first listing in October 2020, are those that support patients with light depression, insomnia, obesity, or tinnitus.

Read more in our latest edition of International News.




read more

Data Protection During and After the Pandemic: Consolidate, Update and Innovate

Having adapted products, processes, services, facilities and IT systems in response to Coronavirus (COVID-19), businesses should now refocus on their legal and business fundamentals as they move towards returning to the office. Compliance policies should be updated, Brexit contingency plans reinvigorated, and upcoming legal and regulatory changes anticipated.

While taking these steps, businesses should bear in mind a number of key data protection and IT/cybersecurity fundamentals, and take the opportunities afforded by the return to work period to kick-start new initiatives.

Click here to read the full article, and many more in our latest International News: Focus on Global Privacy and Cybersecurity.

 




read more

Privacy Considerations for COVID-19 Digital Contact Tracing

Generally, contact tracing refers to an effort by public health officials to identify individuals with whom a patient who has tested positive for an infectious disease has been in close proximity. Public health officials will inform these individuals that they were exposed to a contagious patient and encourage them to monitor their symptoms and quarantine for a period of time.

In response to COVID-19, governments around the world have explored using digital contact tracing, by which smartphone users download an application (app) to enable public health officials to track infected individuals’ contacts. In addition, private sector companies are exploring how digital technologies can be used for contact tracing on employees as they reenter the workplace.

(more…)




read more

Vetting Relationships for Telemedicine Collaborations

As the telemedicine regulatory and reimbursement environment becomes more cohesive and providers and patients alike embrace technology, opportunities for telemedicine collaborations are likely to grow. Like any collaboration, finding the right partner is crucial for success, particularly at the highly-scrutinized intersection of healthcare and technology. This post explores the factors to address when evaluating service providers and vendors for your next telemedicine collaboration.

Service Provider Evaluation

  • Ask around “town” – What is the collaborator’s reputation? What independent feedback is provided in references?
  • Determine if the service provider’s stage in the organizational “life-cycle” and its affiliated relationships are the best fit for the strategic goals of your partnership (e.g. should you partner with an early-stage company or a longstanding organization?)
  • Assess the capabilities of potential collaboration partners for meeting your organization needs, and pressure test their ability to come up with back-up options, should the need arise throughout the course of the collaboration.
  • Determine whether collaborator has state specific and service specific policies and procedures governing the provision of telemedicine services, including: (more…)



read more

China Data Protection Enforcement Update – A Focus on Platform Content

Following the first enforcement actions by local authorities in Shantou and Chongqing for violations of the new Network Security Law that came into effect this year, authorities in China have recently shown a clear initial focus with several new cases targeting provisions of the law that require monitoring of platform content. As of the start of October 2017, enforcement actions by authorities in China have targeted platform content violations in nearly 70 percent of all actions under the new provisions of the data protection rules.

 

(more…)




read more

China’s Network Security Law Comes into Effect: What It Means for Your Company

Today, China’s much anticipated Network Security Law comes into effect after two years of review, revisions over three drafts and a public commenting process. The law is a historical development for China’s legislative coverage of information security and data protections. It also represents one of the strictest approaches in any jurisdiction worldwide, and a continuation of a broader effort at demonstrating the government’s cyber-sovereignty goals through control and regulation of data and the internet.

Overview of the Network Security Law

Commonly referred to as the “Cybersecurity Law,” the new piece of legislation has a broad scope and covers a range of issues related to data privacy, security and cross-border transfers, including:

  • Increasing security measures and strengthening data security through a variety of specific obligations
  • Ensuring consent for collection of personal information through the principles of legality, proper justification and necessity
  • Screening equipment and products for security testing and certification
  • Ensuring real-name registration for users
  • Strengthening requirements to cooperate with government agencies during criminal investigations or to protect national security
  • Requiring personal information to be stored in China under some circumstances
  • Increasing confidentiality measures for user information
  • Setting up a complaint and reporting platform for network security

(more…)




read more

CNIL Announces Inspection Program—Focus Will Be on BCR Compliance and Treatment of Psychosocial Data, Among Others

The mission of the French data protection authority—the Commission Nationale Informatique et Libertés (CNIL)—is “to protect personal data, support innovation, [and] preserve individual liberties.”

In addition to its general inspections, every year the CNIL establishes a different targeted-inspection program. This program identifies the specific areas that CNIL’s controls will concentrate on for the following year. The 2014 inspection program was focused on everyday life devices, such as online payment, online tax payment and dating websites, among other things.

On May 25, 2015, the CNIL announced its 2015 inspection program and identified a focus on six issues in particular: contactless payment, Driving Licenses National File (Le Fichier National des Permis de Conduire), the “well-being and health” connected devices, monitoring tools used for attendance in public places, the treatment of personal data during evaluation of psychosocial risks and the Binding Corporate Rules.

The last two issues caught our attention:

  • Treatment of personal data during evaluation of psychosocial risks: Since 2008, many companies have been investigating psychosocial risks within the workplace in order to provide a more stress-free environment. This practice, however, raises issues concerning the employee’s right not to share private information with the employer. The CNIL will try to identify which prior investigations may have jeopardized (or may still be jeopardizing) the employee’s rights to privacy.
  • Binding Corporate Rules: Companies seeking to export data outside of the European Union (EU) may adopt a voluntary set of data-protection rules within their corporate group called Binding Corporate Rules (BCR). These BCRs are intended to provide a level of privacy and data protection within the entire corporate group equivalent to the one found under EU law. So far, 68 companies have adopted BCRs. Through its 2015 inspection program, the CNIL wants to give the BCRs a closer look, making sure that the means and devices used are in compliance with French law.

In addition to focusing its 2015 inspection program on BCR compliance, the CNIL also announced, earlier this year, the simplification of intra-group data transfers. Prior to simplification, companies whose BCRs had been approved by the CNIL were also required to obtain the CNIL’s approval for each new type of transfer. The CNIL has since declared that a new, personalized “single decision” will be given to companies with approved BCRs. In return, the companies must keep an internal record of all transfers detailing certain information (the general purpose of each transfer based on the BCR; the category of data subjects concerned by the transfer; the categories of personal data transferred; and information on each data recipient) in accordance with the terms of the single decision issued.

With respect to its targeted inspection program, the question still remains: How many inspections will the CNIL conduct in 2015? In 2014, the CNIL performed a total number of 421 inspections. The CNIL declares that, in 2015, the objective is to achieve 550 inspections. However, only 28 percent of the CNIL’s inspections typically result from the annual inspection program. Forty percent are initiated by the [...]

Continue Reading




read more

Employers with Group Health Plans: Have You Notified State Regulators of the Breach?

Data security breaches affecting large segments of the U.S. population continue to dominate the news. Over the past few years, there has been considerable confusion among employers with group health plans regarding the extent of their responsibility to notify state agencies of security breaches when a vendor or other third party with access to participant information suffers a breach. This On the Subject provides answers to several frequently asked questions to help employers with group health plans navigate the challenging regulatory maze.

Read the full article.




read more

C-Suite – Changing Tack on the Sea of Data Breach?

The country awoke to what seems to be a common occurrence now: another corporation struck by a massive data breach.  This time it was Anthem, the country’s second largest health insurer, in a breach initially estimated to involve eighty million individuals.  Both individuals’ and employees’ personal information is at issue, in a breach instigated by hackers.

Early reports, however, indicated that this breach might be subtly different than those faced by other corporations in recent years.  The difference isn’t in the breach itself, but in the immediate, transparent and proactive actions that the C-Suite took.

Unlike many breaches in recent history, this attack was discovered internally through corporate investigative and management processes already in place.  Further, the C-Suite took an immediate, proactive and transparent stance: just as the investigative process was launching in earnest within the corporation, the C-Suite took steps to fully advise its customers, its regulators and the public at-large, of the breach.

Anthem’s chief executive officer, Joseph Swedish, sent a personal, detailed e-mail to all customers. An identical message appeared in a widely broadcast press statement.  Swedish outlined the magnitude of the breach, and that the Federal Bureau of Investigation and other investigative and regulatory bodies had already been advised and were working in earnest to stem the breach and its fallout.  He advised that each customer or employee with data at risk was being personally and individually notified.  In a humanizing touch, he admitted that the breach involved his own personal data.

What some data privacy and information security advocates noted was different: The proactive internal measures that discovered the breach before outsiders did; the early decision to cooperate with authorities and press, and the involvement of the corporate C-Suite in notifying the individuals at risk and the public at-large.

The rapid and detailed disclosure could indicate a changing attitude among the American corporate leadership.  Regulators have encouraged transparency and cooperation among Corporate America, the public and regulators as part of an effort to stem the tide of cyber-attacks.  As some regulators and information security experts reason, the criminals are cooperating, so we should as well – we are all in this together.

Will the proactive, transparent and cooperative stance make a difference in the aftermath of such a breach?  Only time will tell but we will be certain to watch with interest.




read more

STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law