Big data holds commensurately large promise for medtech and digital health companies building tools to analyze that information and develop programs to improve patient health.
But these emerging technologies have run headlong into new privacy-oriented regulatory and legislative challenges.
At the AdvaMed Digital MedTech Conference in San Francisco, experts in data privacy explained how new legislation is shaping how the industry thinks about privacy and how to protect patient information and mitigate business risk in an uncertain environment.
Top of mind for the panelists was the California Consumer Privacy Act (CCPA), a state law going into effect in 2020 that enhances privacy rights and consumer protection standards for California residents.
While HIPAA has long been the acronym that has governed the use and collection of personal health data among “covered entities” like health plans and hospitals, CCPA takes on data governance by organizations including medical device makers, pharmaceutical companies and life science companies.
While the CCPA doesn’t directly govern medical or personal health information, it does apply to any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Peggy Bodin, the global privacy officer at medtech company Zimmer Biomet, pointed to a “culture shift” in the U.S. driven by new privacy laws like the European Union’s General Data Protection Regulation (GDPR), which went into effect one year ago.
In fact, the CCPA is sometimes described as GDPR-light because it institutes many of the consumer protections and compliance requirements found in the European law.
“The concepts of data privacy and privacy by design have been around for decades, but now it’s really coming to the forefront and making us think more critically about how we collect and use data,” Bodin said. “It has really shifted the conversation in thinking about privacy in the EU context and brought it to the U.S.”
That change in conversation, according to Bodin, is part of a “domino effect” leading to privacy becoming a much more important component to consider in foundational product development.
Bodin described one useful exercise, which she dubbed a “data fantasy camp,” in which she brings together representatives from different business divisions for a frank conversation about what types of data usage they would prioritize if privacy issues were not a concern. That, in turn, helps map the company’s data flows and quantify the value of various data usages to the company and to patients.
The general consensus of the speakers was that CCPA will require clarification by regulators and possibly follow-up legislation from lawmakers as industry works to remain compliant under the law.
One CCPA provision that industry groups like AdvaMed have worked to narrow is the “private right of action,” which as originally proposed would have let plaintiffs sue for any violation of the law.
As it stands now, the legislation limits such lawsuits to breaches of unencrypted and unredacted personal information caused by a business’s failure to implement and maintain reasonable security procedures and practices. That scope makes encryption at rest and redaction of stored records a direct lever on litigation exposure, not just a security control.
Shannon Zeigler, the legal and compliance coordinator for industry group MedTech Europe, positioned GDPR as part of a larger movement on the continent towards data privacy protections.
“It’s important to remind ourselves that in the EU context, this isn’t new,” Zeigler said. “With GDPR you saw a recognition that technology has changed and the laws didn’t really work and keep up with technology and we needed to modernize the laws.”
She said that European regulation is about putting companies in specifically defined roles and laying out responsibilities and liabilities based on those roles.
In the U.S., by contrast, the emerging patchwork of state laws offers differing views on protections like “the right to be forgotten” and inconsistent definitions of personal information, making compliance even more challenging for companies operating in the space. Reece Hirsch, a partner at the law firm Morgan Lewis, pitched federal legislative action as one solution (while also admitting its low likelihood).
“It’s one thing to have 50 states with security breach notification laws, but that deals with a very specific subject,” Hirsch said. “But if you have 50 or even 10 states that have versions of the CCPA, it’s going to become very complicated, very quickly, and when the pain level reaches a certain point I think the federal government will need to step in just to create some rationality.”
The topic of federal action was also broached when it came to updating HIPAA to encompass new data types and data usages or replacing it with a new law. Some speakers viewed the law’s entrenchment in the healthcare system as a positive.
“There’s some degree of certainty and people know how to comply with HIPAA. The rules are flexible enough to allow healthcare organizations to do the things they need to do to manage care,” Hirsch said. “The problem is that it’s a little out of date, but the OCR has done a good job in using guidances to bridge that gap.”
In one amusing comment, Bodin described the law as a “friendly golden retriever” compared to the more stringent GDPR.
“In the U.S. if we were just wiping the slate clean and starting over from a privacy law standpoint a GDPR-like approach could make a lot of sense because it would cut across all industries, but we’re not there,” Hirsch said.