INTERNATIONAL HEALTH DATA BEYOND PATIENT RECORDS


Slide 1: International Health Data Beyond Patient Records
Physiological, Environmental and Behavioral Data: Mobile Solutions
Ashley Bashore, K Royal and Ronan Tigner
February 27, 2018, Washington D.C.

Slide 2: Agenda
1. Speakers
2. Topics
3. Laws
4. Scenarios
5. Takeaways

Slide 3: Topics
Beyond patient records (the slide highlights its focus items in white): steps, diabetes, social listening, social mood, quantified self, sleep, health apps, drugs, homecare, finance, food, fitness, heart rate, insurance, AI, athletes, sensors, big data, digital medicine.

Slide 4: Laws: U.S. Privacy Framework
Sectoral approach: no across-the-board data privacy law.
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act (FERPA, student information)
- Federal Trade Commission (FTC) Section 5 enforcement
- Children's Online Privacy Protection Act (COPPA)
- Fair Credit Reporting Act (FCRA)
- Gramm-Leach-Bliley Act (GLBA)
Other regulatory schemes:
- Food and Drug Administration
- State laws
- Human subject research

Slide 5: Section 5 of FTC Act
Prohibits unfair or deceptive acts or practices.
- Deceptive acts or practices include a material representation, omission, or practice that is likely to mislead reasonable consumers. Example: using personal information in a manner inconsistent with a privacy policy or public statement.
- Unfair acts or practices cause consumers harm that they could not have reasonably avoided, and are not outweighed by countervailing benefits to consumers or competition. They do not require misrepresentation and can include failures to provide basic safeguards. Example: inadequate data security that exposes personal information.
Enforcement is typically triggered by media coverage or complaints.
(Source: Morrison & Foerster LLP)

Slide 6: Laws: EU
GDPR 2016/679, Article 9.4: "Member States may maintain or introduce further conditions, including limitations, [on] genetic data, biometric data or data concerning health."
"At this stage, only two Member States have already adopted the relevant national legislation." (EU Commission)
Member State to-do list: clean up legislation, set up data protection authority, choose accreditation body, etc.
See the MoFo GDPR Readiness Center.

Slide 7: Scenarios
Example app: Eats n beats
- Battery (don't die out before a workout)
- Track your food intake
- Match it with your workouts
- Link to media and friends
- Set objectives and get feedback
- Connect to other devices
Scenarios: 1. Standalone, 2. Doctor, 3. Athletes, 4. AI/social listening

Slide 8: 1. Standalone app
Data items the app handles, arranged on the slide between "medical data" and "grey zone health-like data": playlist, medication, heart condition, calorie intake, heart rate, weight/height, feedback, battery level, name/, weak ankle, distance, speed, duration, frequency.

Slide 9: 1. Standalone app: Grey zone
Is it health data?
- EU: Article 29 Working Party letter and Nike case
- US: What type of data are you collecting? Where does it come from: directly from consumers? From physicians?
Why does it matter?
- EU: legal basis, security and breaches, Data Protection Officer and Impact Assessment, etc.
- US: FTC laws apply to data from consumers; HIPAA applies to data from physicians, pharmacies, health plans
What to do about it?
- EU: mitigate, e.g., aggregate, generalize, wall-off (real-time only)/mere hosting (user empowerment), segregation/key coding, deletion (inertia)
What of intent?
- Generally needed for regular data also (minimization, security, legitimate interest, etc.)

Slide 10: 2. Doctor involvement
App allows access by the family doctor: health data to some degree.

Slide 11: 2. Business Associate v. Data Processor
Responsibilities of end user vs. doctor vs. app developer:
- U.S.: does HIPAA apply?
- EU: controller vs. processor (e.g., mere tooling vs. own purposes)
Legal ground: consent is not the holy grail (not a free pass; explicit, distinct, granular, phased; can be withheld/withdrawn; non-conditional; as easy to withdraw as to give; clear correlation to deletion and portability; strict WP29 guidance; psychological effect; etc.)
Systematic alternatives may exist: provision of health care pursuant to a contract with a healthcare professional (Art. 9.2.h), cross-border threats and high quality and safety standards (Art. 9.2.j), scientific research (Art. 9.2.j). EU or EU Member State law is mostly required.
Getting consent on behalf of someone else can be tricky.
Streamlining efforts, e.g., Lloyd's Market Association GDPR Core Uses Information Notice.

Slide 12: Deletion

Slide 13: Explicit consent
ICO (UK): good and bad examples of privacy notices.

Slide 14: 3. Athletes
Professional apps / wearables / performance.

Slide 15: 4. AI/Social Listening
Company wants to train an AI based on a doctor's insights ("train to train AI").
Challenges: consent, medical secrecy, anonymization, algorithm, AI builder.

Slide 16: 4. AI/Social Listening
Social listening for cross-border threats.

Slide 17: Individual Rights (GDPR)
Key rights:
- Access: individuals may request access to their personal information and ask for information about how their data are being used.
- Correction: individuals may request that the company corrects inaccurate personal information about them.
- Portability (new): individuals may request a copy of their personal information in a standardized machine-readable format.
- Deletion: individuals may request that the company deletes their personal information.
- Restriction (new): individuals may request that the company quarantines their personal information, i.e., that the company ceases using the information other than storing it.
Other rights:
- Objection: individuals may object to the use of their personal information in certain cases.
- Prohibition (not to be subject to automated decision making): individuals may request that decisions about them not be based solely on an automated process that has legal consequences for them.

Slide 18: Some takeaways
- Complex environment
- Highly fact-dependent
- Understanding data flows is critical
- Consent is not the holy grail
- Mitigation and industry solutions
- Laws may still be in the making
- The nexus between different sets of laws (Business Associate vs. processor, HIPAA vs. FTC, individual rights, etc.) requires coordination

Slide 19: Thank you for joining us
Ashley Bashore, Head U.S. Data Privacy, Novartis Corporation
K Royal, Director, West Privacy Consulting, TrustArc
Ronan Tigner, Attorney, Morrison & Foerster LLP

Slide 20: Resources
Regulatory guidance:
- WP29 Guidance on GDPR (link)
- Article 29 Working Party letter on health data and Dutch Nike case
- WP29 Guidance under the Data Protection Directive 95/46 (link)
- FTC Mobile Health Apps Interactive Tool (link)
- OCR platform for mobile health developers (link)
Additional reading:
- MoFo GDPR Readiness Center (link)
- MoFo client alerts: "HIPAA and Health Care Apps: Is Your App Covered?" (link); "A look at new trends in 2017: Privacy Laws in Europe and Eurasia" (link)