Health information privacy and security. Norton Rose Fulbright US LLP October 6, 2015

Transcription

1 Health information privacy and security Norton Rose Fulbright US LLP October 6, 2015

2 Speaker Mark Faccenda Mark Faccenda is a Partner in the Washington, D.C. office. As part of Norton Rose Fulbright's health care transactional group, Mark has represented health care industry clients on regulatory and transactional matters. Representative clients include pharmaceutical manufacturers, academic medical centers, health systems, physician groups, physician/hospital joint ventures, long-term care facilities and durable medical equipment suppliers. Prior to joining, Mark worked for the Pennsylvania House of Representatives Legislative Office for Research Liaison where he conducted economic and health care regulatory research in support of prospective legislation. As part of his work for the Legislative Office for Research Liaison, Mark authored and contributed content to the University of Pittsburgh Institute of Politics' quarterly Institute of Politics Report and its annual policy briefing, the Institute of Politics Status Report. Mark also worked for payer and provider sides of an integrated health system where he drafted corporate policies and provided legal research focusing on HIPAA, ERISA, EMTALA, same-sex benefit coverage and the Peer Review Protection Act. 2

3 Speaker Kimberly Gold Kimberly Gold is a Senior Associate in Norton Rose Fulbright's New York Office. Her practice focuses on healthcare transactions, regulatory compliance, and privacy and security matters. Kimberly has extensive experience in the areas of privacy, information security, cybersecurity and information management. She regularly advises clients on matters involving privacy and security of patient information under HIPAA and state laws. She also represents clients in the health information technology area and has counseled pharmaceutical and mobile app companies on privacy and FDA regulatory issues. Kimberly is currently working on-site with the Global Privacy Office of a global pharmaceutical company on various legal matters, including negotiating vendor agreements, providing advice on marketing and clinical trial initiatives, and developing privacy notices, consent documents, and internal policies. Kimberly's transactional experience includes mergers and acquisitions, joint ventures, and affiliations of hospitals, group practices and other provider entities. She also represents not-for-profit and tax-exempt organizations on a broad range of matters, and regularly advises clients on issues relating to accreditation by the Accreditation Council for Graduate Medical Education (ACGME) and the Liaison Committee on Medical Education (LCME). 3

4 Speaker Boris Segalis Boris Segalis is a US co-chair of Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group. He edits the practice's data protection blog, DataProtectionReport.com. Boris counsels clients regarding a broad range of privacy, information security, cybersecurity and information management issues. The practice addresses all aspects of information management lifecycle, including its collection, use, storage, disclosure and destruction, as well as the protection of the information and the infrastructure supporting the data. Boris advises clients on information law issues that arise in the context of databased products and services, big data programs, smart grid operations, marketing and advertising, corporate transactions (including M&A and bankruptcy), state and federal investigations and regulatory actions, cross-border data transfer, vendor management, cloud computing, technology transactions, incident and breach response and pre-response planning. Boris represents clients in a variety of industries, ranging from start-ups to Fortune 100 companies. His clients include companies in the consumer products and services areas, online retailers and media companies, pharmaceutical companies, utilities, travel-related businesses, B2B technology providers, payment processing businesses, and non-profit organizations. 4

5 Continuing education information We have applied for one hour of California and Texas CLE and New York non-transitional CLE credit. Newly admitted New York attorneys may not receive non-transitional CLE credit. For attendees outside of these states, we will supply a certificate of attendance which may be used to apply for CLE credit in the applicable bar or other accrediting agencies. Norton Rose Fulbright will supply a certificate of attendance to all participants who: Participate in the web seminar by phone and via the web Complete our online evaluation that we will send to you by within a day after the event has taken place 5

6 Administrative information Today s program will be conducted in a listen-only mode. To ask an online question at any time throughout the program, click on the question mark icon located on the toolbar in the bottom right side of your screen. Time permitting, we will answer your question during the session. Everything we say today is opinion. We are not dispensing legal advice, and listening does not establish an attorney-client relationship. This discussion is off the record. You may not quote the speakers without our express written permission. If the press is listening, you may contact us, and we may be able to speak on the record. 6

7 Internet of Things: connected medical devices and new compliance risks

8 Safe Harbor Invalidated Dataprotectionreport.com ECJ invalidates the Safe Harbor What s next? Derogations Model clauses Local requirements Commission action Safe Harbor renegoation DPA coordination 8

9 Safe Harbor - Derogations Allow the transfer of personal data from Europe to the US. The most commonly used are set out below: If the individual has given his unambiguous consent to the transfer; If the transfer is necessary for the performance of a contract between the individual and the business (which is the data controller ); If the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the business (again, the data controller ) and a third party; If the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims; or If the transfer is necessary in order to protect the vital interests of the data subject. 9

10 Internet of Things (IoT) What is it? Direct connection of individual to network, exchanging data with the manufacturer, operator and/or other connected devices Smart watches already track heart rate, skin temperature, perspiration, and number of steps. Sports clothing and shoes with data collection and reporting capabilities are available in the marketplace today. Fitbit Insulin pump Prosthetic Pacemaker A pill 10

11 Internet of Things (IoT) Benefits Population health Proactive fulfillment Diagnostic care Lower cost Insights & research Prevention Unknowns Big Data possibilities/correlations 11

12 Internet of Things (IoT) Risks New, unknown space Nascent, inexperienced regulators Cybersecurity vulnerabilities Privacy concerns Commercial exploitation of data (v. PHI) Employee privacy Government access 12

13 Internet of Things (IoT) Enforcement FTC FDA State AGs Global -- DPAs Other regulators to jump in Public shaming Fairness & Transparency 13

14 Internet of Things (IoT) Guidance - FTC Build security into devices at the outset, rather than as an afterthought in the design process; Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization; Ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers; When a security risk is identified, consider a defense-in-depth strategy whereby multiple layers of security may be used to defend against a particular risk; Consider measures to keep unauthorized users from accessing a consumer s device, data, or personal information stored on the network; Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks. 14

15 Management of vendors that access healthcare data

16 Vendor Management Programs Beyond the BAA Comprehensive program, not just a contract Risk based, scalable, consistent Multi-disciplinary Ties into broader risk assessment, privacy and security programs Goal: vendors as an extension of the organization with consistent risk profile and as much control/responsibility as possible 16

17 Vendor retention life cycle RFP Phase (competition over terms) Security, privacy and compliance due diligence Contract drafting Contract negotiation Contract enforcement Contract review and renegotiation 17

18 Key issues to address Security requirements Privacy and data ownership Processing location Subcontractor relationships System and data availability Data retention Incident response Liability / risk of loss 18

19 Key deliverables Vendor assessment questionnaire (VAQ) Security assessment questionnaire (SAQ) Data security and privacy terms/schedule Process documents Triggers Process flow chart FAQs Annotated terms schedule Negotiation points and fallback positions Training materials 19

20 Key contract terms Definitions Preventative Contract Terms Controls in place to prevent data breach Reasonable security Specific controls Audit and Enforcement Terms Assessment/scanning rights Non-compliance reporting Incident Response Contract Terms Notice and reporting Forensic investigation Risk of Loss Contract Terms 20

21 Data security incident preparedness and response

22 Data security incident preparedness and response Prevention v. response Assume a breach will occur Mistakes in the response cause the problems Reputation and direct business impacts at issue Increased risk of litigation and regulatory scrutiny Goal: reasonable incident response readiness 22

23 Incident response plan pre-cursors Data inventory and mapping Data types Data location (systems and offline) Data necessary to support forensic investigation Data risk assessment and classification Risk classification appropriate response Incident detection capabilities Technical detection capabilities Administrative Personnel and training Escalation protocols 23

24 Incident response planning key considerations Written incident response procedures and protocols Based on data risk classifications Scenario-based planning may be appropriate Key stakeholders Internal incident response team External incident response team Vendors Cyber insurers 24

25 Incident response planning key considerations Communication channels Internal: detection and escalation External: public relations External: patients, employees or affected individuals External: clients (for whom you hold sensitive data) External: regulators Others: law enforcement, boards, unions, etc. Investigative capabilities Determining the Ws (what, where, who, when) Locating, collecting and preserving evidence Internal investigative / forensic capabilities External investigative / forensic capabilities 25

26 Incident response planning key considerations Vendor management and incident response Containment, mitigation and recovery capabilities Cyber insurance availability and coordination Legal compliance and regulatory response Litigation readiness Testing, training and drilling 26

27 Handling data breaches - key considerations Immediate response needed Fast-moving and notification deadlines Difficult to understand tech and forensic issues Many vendors/services to coordinate Need to consider the fallout in the middle of the breach 27

28 Handling data breaches - activities Discovery Attorney-client privilege Incident response team formation / communications Investigation Remediation Legal Analysis Triggering of Breach Laws Legal Analysis Compliance with Breach Laws Customer and public relationship management Litigation risk and readiness Claim/regulatory action defense 28

29 Continuing education information If you are requesting CLE credit for this presentation, please complete the evaluation that you will receive from Norton Rose Fulbright. If you are listening to a recording of this web seminar, most state bar organizations will only allow you to claim self-study CLE. Please refer to your state s CLE rules. If you have any questions regarding CLE approval of this course, please contact your bar administrator. Please direct any questions regarding the administration of this presentation to Cristina De Los Santos at cristina.delossantos@nortonrosefulbright.com. 29

30

31 Disclaimer Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients. References to Norton Rose Fulbright, the law firm and legal practice are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together Norton Rose Fulbright entity/entities ). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a partner ) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright. 31