Privacy and Security at the Leading Edge

(Note: this is an archive from our monthly Innovation Insights newsletter. Sign up here to get the next issue.)


If you're a healthcare innovator, then you'll frequently find yourself in a regulatory gray zone. The law and regulations do not always squarely govern what you are trying to accomplish. And that might be what's keeping you awake at night as you make business and product decisions without a clear roadmap as to what will be compliant and what won't, or what will be reimbursed (and when) and what won't. 

The savviest healthcare innovators choose an experienced guide to help them anticipate, and in some cases shape, what's going to happen with law, policy, and reimbursement. (That's us!)

And while we can't give you a detailed, personalized roadmap in a newsletter, we can share how Privacy and Security are evolving in some innovative spaces. And…it's a lot. In fact, we've had to cut about 50% of our updates from this newsletter so it can fit in your inbox! If you'd like to learn more, look below for links to find out how to put our Privacy and Security talents toward growing your healthcare business. 


Before we dive in, though, let's cheer Managing Partner Carrie Nixon's 2022 Telehealth Champion award for "Advancing Access to Virtual Care" at the American Telemedicine Association's annual conference this month.

 So much of the work Carrie does to advance healthcare innovation, access, and policy is behind the scenes—for clients and the industry—and we're thrilled to see this recognition for her significant and ongoing contributions. Congratulations, Carrie!

 Now let's zoom in on what innovators like you need to know about the future of Privacy and Security.


FemTech

The data collected by FemTech applications and devices is some of the most sensitive health data available today. The expansion of FemTech has invited surveillance into the most intimate areas of the home and often results in quantifying personal and intimate experiences into data points.

 Wondering about the impact of that leaked SCOTUS decision? We're putting together a Reproductive Task Force (RTF) for FemTech innovators. We'll explore how to respond to this pending decision for your business and the industry. Want to be part of it? Click here to join. 

Studies show that most women are uncomfortable providing all of the data requested by FemTech apps and will often enter false data when they feel their privacy is not protected. This undermines trust in the very industry that is expected to transform women's healthcare, and it has downstream consequences when research on women's health is conducted using that false data. For a deeper dive on this topic, check out this episode of Legally FemTech on FemTech's Evolution and Social Harms—Designing for an Inclusive Future.


FTC

The Federal Trade Commission recently made clear its intention to revamp oversight of consumer data privacy and establish limits on commercial data collection and processing activities. This is due, in part, to a recognition that the U.S.'s notice and consent framework may not sufficiently protect consumer rights.

We anticipate these 3 things:

  1. Increased focus from the FTC on online data collection and processing;

  2. Efforts to give Americans more control over the data that companies collect about them; and

  3. Substantive limits on data collection itself, as opposed to merely adding more procedural protections such as notices and consent screens.

NGL team members presented a webinar on May 9th for the Health Care Compliance Association called "Privacy and Security for Connected Health: The Good, The Bad, and The Futuristic." Click here to find out how to access the recording.


International Data Privacy

More companies are expanding outside of borders because…why not? We're not confined to locations anymore, at least not physically.  

When it comes to data privacy, there are some updates you should know:

  • Austria's and France's data protection authorities recently found that a website's use of Google Analytics violated the GDPR, because the tool sends personal data (including IP addresses and device identifiers) to Google servers in the US without adequate protection against access by US authorities. If Google has been nudging your account toward Google Analytics 4, don't assume the migration alone settles the transfer question those regulators raised. If you're doing business in the EU, take these decisions seriously and review the safeguards you rely on for transfers to the US.

  • As companies go international, it is important to note that some countries have strict data localization rules for health and other sensitive data. This means that when strategizing for a global expansion, depending on the nature of providers/customers with whom the platform will engage, it may be necessary to implement data centers in new countries. This is particularly true in Canada, Australia, Russia, and China.

  • Given the current geopolitical climate, build and operate your platform on the assumption that hostile foreign actors are actively scanning for weaknesses in US companies. In particular, track CISA's Known Exploited Vulnerabilities (KEV) catalog, remediate anything on it that you run before other patching work, and keep as little of the platform as possible reachable from the open internet: administrative interfaces, databases, and remote-access services belong behind a VPN or an IP allowlist, not on a public address.
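The KEV check above is easy to automate. The following is an added example, not code from the newsletter or from CISA: it cross-references a constructed asset inventory against a snapshot in the shape of CISA's KEV JSON feed and ranks hits so that internet-facing, past-due items land at the top. The CVE IDs, vendors, products and hostnames are placeholders, not real catalog entries; the matching is plain vendor/product string matching, which is a simplification of what a scanner does with CPEs and version ranges.

```python
import json
from datetime import date

# Constructed snapshot in the shape of the CISA Known Exploited Vulnerabilities (KEV)
# JSON feed (the real feed is published by CISA; fetch it rather than hard-coding it).
# Every CVE ID, vendor and product here is a placeholder, not a real catalog entry.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2022-05-20T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge VPN",
         "vulnerabilityName": "ExampleVendor Edge VPN authentication bypass",
         "dateAdded": "2022-04-01", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-04-15"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Patient Portal",
         "vulnerabilityName": "ExampleVendor Patient Portal remote code execution",
         "dateAdded": "2022-05-10", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-31"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Build Server",
         "vulnerabilityName": "OtherVendor Build Server privilege escalation",
         "dateAdded": "2022-05-12", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-06-02"},
    ],
})

# Constructed inventory for a hypothetical telehealth platform. In practice this comes from
# a CMDB, a cloud asset export or a scanner; the internet_exposed flag is what lets the
# report separate "reachable from the open internet" from "internal only".
INVENTORY = [
    {"host": "vpn.example-health.test", "vendor": "examplevendor", "product": "edge vpn", "internet_exposed": True},
    {"host": "portal.example-health.test", "vendor": "ExampleVendor", "product": "Patient Portal", "internet_exposed": True},
    {"host": "ci-01.internal.test", "vendor": "OtherVendor", "product": "Build Server", "internet_exposed": False},
    {"host": "db-01.internal.test", "vendor": "ThirdVendor", "product": "Database", "internet_exposed": False},
]


def _key(vendor, product):
    """Normalize vendor/product so case and whitespace differences still match.
    Real matching should use CPEs or version ranges; this is a simplification."""
    return (vendor.strip().lower(), product.strip().lower())


def match_inventory_to_kev(kev_json, inventory, as_of):
    """Return one finding per (asset, KEV entry) pair, internet-facing and overdue first.

    as_of is the ISO date the report is run. KEV due dates are BOD 22-01 deadlines for
    US federal agencies, but they are a useful remediation-priority signal for anyone.
    """
    as_of_date = date.fromisoformat(as_of)
    by_key = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        by_key.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)

    findings = []
    for asset in inventory:
        for entry in by_key.get(_key(asset["vendor"], asset["product"]), []):
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "internet_exposed": asset["internet_exposed"],
                "due": entry["dueDate"],
                "overdue": as_of_date > date.fromisoformat(entry["dueDate"]),
                "action": entry["requiredAction"],
            })
    # Highest priority: reachable from the internet and already past the due date.
    findings.sort(key=lambda f: (not f["internet_exposed"], not f["overdue"], f["due"], f["cve"]))
    return findings


def summarize(findings):
    """The counts a practitioner puts at the top of the report."""
    return {
        "total": len(findings),
        "internet_exposed": sum(1 for f in findings if f["internet_exposed"]),
        "overdue": sum(1 for f in findings if f["overdue"]),
    }


if __name__ == "__main__":
    report = match_inventory_to_kev(KEV_SNAPSHOT, INVENTORY, "2022-05-20")
    print(summarize(report))
    for f in report:
        exposure = "INTERNET-FACING" if f["internet_exposed"] else "internal"
        deadline = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f"{f['host']:28} {f['cve']}  {exposure:15} {deadline:14} {f['action']}")
```

Run against the real feed, the only changes are fetching the JSON over HTTPS and exporting the inventory from whatever system of record you have; the sort order is the point, because a KEV entry on an internet-facing VPN appliance that is already past its due date is the one a hostile actor will try first.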

If you're curious about your privacy compliance, you may be interested in our low-investment high-impact Digital Health Privacy Exposure Audit. Also, are you getting our biweekly Telehealth/Virtual Care Updates on LinkedIn? Subscribe to this newsletter for easy-to-understand law and policy changes that affect your business.


FDA

In April, the Food and Drug Administration released draft guidance on medical device cybersecurity, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," intended to replace its 2018 draft on the same subject.

 The draft emphasizes secure device design and the need to address cybersecurity throughout the product life cycle, including a Secure Product Development Framework and a Software Bill of Materials (SBOM) covering the device's software components. It is open for stakeholder comment until July 7, 2022.

 (Are you a device maker who wants to advocate for your business and industry? We draft comments for clients wanting to impact policy with the FDA. Click here to book a 15-minute call and see if this service is right for you.)


Decentralized Clinical Trials (DCT)

For US-only DCTs, everyone involved, including investigators and vendors, needs to make sure their approach to identifying participants is consistent with sponsor requirements, which is why participants are tracked by numerical identifiers rather than by name.

 Outside the US, that issue remains, and data localization adds another: whether trial data can be exported from the country in which it was collected. There may also be country-specific requirements. For example, in France, a service provider (such as a DCT software operator) that will have access to both an individual's personal information and health information must obtain authorization from the French data protection authority (the CNIL).

Click here to find out more about potential risks for DCT platform providers and investors.

Hospitals and Health Systems

Who better to ask about emerging privacy and security concerns for hospitals and health systems than the Chair of the Enterprise Risk Management Affinity Group of the AHLA's Hospitals and Health Systems Practice Group? Faisal Khan, Esq., shares that the biggest opportunity, and the best practice, is for a health system to adopt an Enterprise Risk Management approach to handling and minimizing privacy and security risks. That matters especially now: care delivered through virtual means and through vendors has increased significantly, and the risk has increased with it.

Faisal recently spoke on “Emerging Issues in Healthcare, Technology, and Data Privacy & Protection” at the Journal of Law and Health at CSU Cleveland-Marshall College of Law, and he shared his insights on how the pandemic response led to healthcare innovation (and expanded privacy and security considerations) for the Boston Globe.

NGL's Hospitals and Health Systems Practice combines the best of healthcare innovation insight with in-house and operational experience from some of the largest hospital systems in the US. Click here if you want innovation, privacy, security, or enterprise risk management guidance from people who know what it's like to walk in your shoes.


Remote Patient Monitoring

The National Institute of Standards and Technology (NIST) recently released guidance on securing Remote Patient Monitoring (RPM) platforms and the connected devices they depend on (NIST SP 1800-30, Securing Telehealth Remote Patient Monitoring Ecosystem). This matters because once a device leaves the clinical setting, the provider has little control over who uses it, where it sits, or how it transmits data about the patient's health.

There may be incorrect data submissions (for example, readings entered about someone other than the patient), and there is a particular risk of unauthorized access to patient data through device displays and improperly secured devices.

During our Digital Health Privacy Exposure Audit, we engage with key members of your executive and security teams to understand your business model, data lifecycle, privacy and security standards, and compliance goals. Through this process, we create or edit your data map, your platform and website privacy policies, platform and website terms of use, disclaimers, and consents. We'll also provide in-depth consultation regarding your data flow and cybersecurity best practices.

 Click here to book a short call to find out if this fixed-fee service is right for you and how to get started.


The Don’t Miss List

If you're even thinking about Telepharmacy, then you need to catch Reema Taneja's webinar replay. Bonus: You can get a checklist of the 5 areas you need to examine before you get into Telepharmacy. Check it out!


And that brings this issue to a close…

As always, we're thankful to earn a place in your crowded inbox every month. You're busy, and we aim to deliver the most immediately useful information in each issue. You can always reply to any of our emails with kudos, comments, questions, or constructive criticism—we read every response.

 Next month we'll be talking about corporate documents and business models and how these decisions can impact your investing goals, the length of your sales cycle, and your ability to attract key vendors and clients. Don't miss it!

 Until next time,

Carrie Nixon, Rebecca Gwilt

and the entire Nixon Gwilt Team