Privacy Summer School: 10 Things You Should Know About Privacy, Consent, and HIPAA

July 10, 2024

Are you responsible for privacy compliance at your company? This alert summarizes key takeaways from Paul Rothermel's recent presentation 10 Things You Should Know About Privacy, Consent, and HIPAA. Be sure to check out the recording here, and don’t forget to register for the next two Privacy Summer School sessions on DPOs and Privacy Officers (July 18) and Website Privacy Requirements (August 8).


Several federal laws govern the protection of personal information in the U.S., including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Federal Trade Commission Act (FTCA), the Children’s Online Privacy Protection Act (COPPA), the CAN-SPAM Act, and the Telephone Consumer Privacy Act (TCPA), among others.

Additionally, numerous states have enacted comprehensive privacy laws, each with unique provisions that organizations must navigate. Key states include California with the California Consumer Privacy Act (CCPA), which defines personal information broadly and provides extensive rights to consumers regarding their data. Other state laws, like Washington’s “My Health My Data” Act (MHMDA), offer specific protections for consumer health data.

Around the globe, laws such as the General Data Protection Regulation (GDPR) in Europe and other similar legislation directly impact the processing of personal data and impose further standards and requirements.

Below are key takeaways from the presentation. For the full, informative discussion, check out the recording here.

Key Takeaways

Navigating complexities of HIPAA vs. state privacy laws

  • HIPAA applies to covered entities (healthcare providers, health plans, health clearinghouses) and their business associates. State privacy laws may apply more broadly to personal information, including consumer data and health data. Carefully consider how to address these overlapping and at times (apparently) contradictory requirements.

Personal information that is regulated may vary

Understanding what constitutes personal information is crucial for compliance. The definitions can vary significantly across different laws, for example (paraphrased):

  • HIPAA: Defines individually identifiable health information as any information created or received by a healthcare provider that relates to the physical or mental health of an individual and can identify the individual.
  • CCPA: Broadly defines personal information to include any data that identifies, relates to, describes, or could be linked to a particular consumer or household. This includes identifiers, commercial information, biometric data, internet activity, geolocation data, and more.
  • GDPR: The General Data Protection Regulation (GDPR) of the EU defines personal data as any information relating to an identified or identifiable natural person, including (for example) names, identification numbers, location data, and online identifiers.

Clinical trial data is generally not protected by HIPAA

  • Generally, data collected by sponsors in clinical trials are not regulated by HIPAA or state privacy laws unless the sponsor is a covered entity or business associate. For instance, the MHMDA and CCPA contain exclusions for data collected in clinical trials meeting certain criteria.

Business associate agreements

  • HIPAA has exceptions for certain types of disclosures of protected health information (PHI), such as treatment-related disclosures and public health (i.e., FDA-regulated) activities. For companies operating in the life sciences sector, understanding when to sign a business associate agreement (BAA) is critical. BAAs are generally only required when a company handles PHI for the provision of services to a covered entity. Common scenarios requiring BAAs include providing cloud-based or other vendor-managed services that process PHI, operating reimbursement support programs, or other activities involving PHI under the control of the company on behalf of the customer.

The GDPR can apply to U.S. companies even if the company itself is not located in Europe 

  • U.S. companies conducting clinical trials or other data processing activities using personal data collected in the EU often must comply with GDPR. Personal data includes key-coded data in clinical trials, which GDPR considers personal data if it can be attributed to an individual using additional information. U.S. companies should evaluate their data processing to determine if they need to ensure GDPR compliance for any data collected from EU countries.

Privacy notice vs. consent

  • A privacy notice informs individuals about data collection practices, while consent is an affirmative agreement to allow a specific use of data. Many routine activities involving personal data do not require specific consent but understanding when consent is appropriate is important for compliance and avoiding government enforcement and litigation.

Privacy risk assessments

  • Privacy (or data protection) assessments help identify and mitigate risks to consumer privacy. California, Colorado, and Connecticut are among several states implementing regulations in this area, following in the footsteps of the EU.

Personal data inventory is essential for compliance

  • Companies need to understand what personal data they have, where it is stored, and who is responsible for it. Many privacy laws either directly require an inventory of personal data (see the GDPR’s “record of processing activities”) or impose secondary requirements that necessitate an inventory of personal data (see HIPAA, the CCPA, and the MHMDA, for example).

Breach notification standards

  • Numerous state laws, as well as federal laws and rules, provide specific breach notification timing and criteria in the event of a data breach. Companies should be familiar with the applicable laws and have plans in place to address data breaches. Note that it is not just state laws and HIPAA: regulators such as the Federal Trade Commission and the Securities and Exchange Commission have imposed various notification rules that may apply. Also, medical device manufacturers should consider the impact of a breach on device safety and effectiveness, particularly for connected devices and software-based medical devices.

Implement privacy clauses in vendor agreements

  • Ensure your vendor contracts include appropriate privacy clauses to protect the company and comply with applicable laws, whether the CCPA, GDPR, MHMDA, or other laws and regulations.

Data deletion requests

  • Be prepared with procedures for data deletion requests from consumers. Consider whether you address this in your privacy policies and which laws and rules apply. Also be sure to consider any exceptions or exemptions that may apply before disposing of personal data.

Contact Us

Compliance with privacy laws requires a thorough understanding of both federal and state regulations, as well as international laws. Organizations must stay informed about the evolving legal landscape and implement robust privacy practices to protect personal data and avoid significant penalties. Gardner Law has extensive experience with applying data, privacy, and cybersecurity considerations to life sciences companies of all sizes. If you have questions, contact the team at Gardner Law or reach out to one of our attorneys directly.