The document discusses the state of privacy management in healthcare and risks the industry faces in 2022. It notes the various entities that handle health data, from traditional providers to new digital technologies. Regulatory challenges are discussed, including HIPAA and different state laws. Enforcement trends seen in the US, Canada, and Europe are also summarized. The presentation recommends healthcare organizations implement a framework approach to privacy compliance to address these complex issues and risks.
Agenda
● The state of privacy management in healthcare
● Enforcement trends
● Risks the industry is likely to face in 2022
● An approach to address the current environment
● Q&A
State of Privacy: What is Healthcare?
● Traditional healthcare providers and payers
● Medical device and equipment
● Digital innovation
○ Patient Portals
○ Virtual healthcare / telehealth
○ Health apps
● Medical Cannabis Dispensaries
● Genealogy platforms (23andMe; Ancestry; Vitagene; etc.)
● One size compliance does not fit all.
State of Privacy: Dobbs v Jackson
● No constitutional right to privacy that protects abortion
● Post-Dobbs Activity:
○ HHS Guidance to both CEs and individuals
○ Letters to Data Brokers and Health Apps
○ EO on Protecting Access to Reproductive Healthcare Services
○ FTC Statement on Enforcement
○ S. 4408, the Health and Location Data Protection Act
State of Privacy: U.S. Regulatory Challenges - HIPAA
● Privacy Rule (2003); Security Rule (2005); Breach Notification Rule (2009)
○ Did not contemplate today’s digital world
● Applies to covered entities and business associates, as defined
○ Lack of understanding among business associates
○ Confusion regarding release of information
○ Numerous questions regarding digital apps
■ See OCR Guidance
○ Grey areas for medical devices
State of Privacy: HIPAA (cont.)
● Proposed amendments to Privacy Rule
○ Comments requested Dec. 2020 through May 2021
● Amendments to HITECH - Jan. 2021
○ Requires HHS to consider “recognized security practices” during investigation.
● OCR Enforcement Discretion and Guidance during the Covid Public Health Emergency
○ Still in effect for now
State of Privacy: Other U.S. Regulatory Requirements
● Information Blocking Rules
○ Applies to healthcare providers and certified Health IT developers
○ Prohibits practices that are likely to interfere with, prevent or materially discourage the exchange or use of electronic health information.
○ Several exceptions.
○ Overlaps with the HIPAA Right to Access provisions and the definition of EPHI.
State of Privacy: Other U.S. Requirements (cont.)
● FTC Health Breach Notification Rule
○ Applies to vendors of personal health records (PHR), PHR-related entities, and third party service providers.
○ Does not apply to HIPAA covered entities or business associates (acting as BAs)
○ PHR definition: an electronic record of individually identifiable health information (as defined by HIPAA) that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual
○ Applies to developers of mobile health apps or connected devices as long as the app or device is capable of drawing from multiple sources.
State of Privacy: American Data Privacy & Protection Act
● DRAFT Federal Legislation.
● Would apply to healthcare data collected, processed or transferred by organizations that are not HIPAA covered entities or business associates, and/or do not comply with HIPAA.
● HIPAA covered entities and business associates deemed to comply to the extent that they comply with HIPAA, but only for data regulated by HIPAA.
State of Privacy: U.S. Patchwork of State Laws
● Varying requirements regarding:
○ Breach reporting and notification
○ Medical record release
○ Minors
● New CA, CT, CO & VA privacy laws
○ Various exemptions re health data
○ Different definitions of sensitive information
○ B-to-B and employee data
● Laws on genetic and biometric information, e.g. CA and IL.
● Security requirements, e.g. MA
State of Privacy: Don’t forget there are other countries
● Germany Patient Data Protection Act
● Draft European Health Data Space Regulation
● Bill 19 in Quebec, Canada
● Cybersecurity laws in Asia
Enforcement and Litigation Trends
US:
● OCR - Right to Access initiative and continued focus on security
● FTC and Attorney General actions: Flo Health,
● Private Right of Action - CA
Canada:
● Individual enforcement
● Class action litigation - or not
Europe:
● DPA orders stem from misuse and data breaches
● Fines vary by volume of data and number of data subjects involved
Risks in the Healthcare Industry
● Ransomware attacks
● Difficulty in obtaining cyber-liability insurance
● Multiple legal requirements and inconsistent definitions
● Human error
Privacy Management in Healthcare
● Why is data privacy management particularly important for the healthcare industry?
● A framework approach to compliance:
○ TrustArc or Nymity frameworks
○ NIST Privacy Framework
○ ISO 27701 or 27001/27002
○ GDPR, HIPAA
Privacy Management: A Framework Approach
The devil is in the details: the more granularly you break your topics down, the better you can identify gaps.
Individual Rights:
Thank You!
See http://www.trustarc.com/insightseries for
the 2022 Privacy Insight Series and past
webinar recordings.
If you would like to learn more about how TrustArc can support
you with compliance, please reach out to sales@trustarc.com for a
free demo.