Although privacy developments in the United States are progressing rapidly across the board, health data privacy is evolving especially quickly. Companies that interact with consumer health data need to track and respond to a variety of trends. Most notable are Washington state's My Health My Data (MHMD) law and a similar law in Nevada, the “confidential data” and “sensitive personal information” requirements under comprehensive state privacy laws, and FTC enforcement actions and guidance asserting that a wide range of health data is confidential. Given the lack of clarity and harmonization among these requirements, and the significant resources required to implement changes, companies' responses to these developments may have to be iterative.
In practical terms, regulators expect companies to make detailed and specific disclosures and to obtain opt-in consent for most health data collection, use, and sharing. However, successfully obtaining these disclosures and consents requires a lot of preliminary work, starting with identifying the health data that the company handles.
Several steps can help manage this uncertainty. First, adopting a framework for classifying health data improves the consistency and efficiency of this underlying compliance activity. Second, a sober understanding of the difficulty of obtaining consent will help you set realistic business expectations for the use of health data in this difficult regulatory environment. Third, documenting your health data privacy program will help you maintain it over time and demonstrate compliance to regulators and commercial partners.
Data classification framework: Is it health data?
For many companies, determining whether to process health data and which elements of their data inventory constitute health data is a difficult task. This exercise may involve reviewing thousands of variables, segments, or personal data elements.
Currently, there is little regulatory guidance and no common taxonomy for defining health data, making benchmarking difficult. Additionally, definitions of health data vary by state and federal regulators, so adopting a national approach based on the broadest definition may not be feasible from a business perspective.
Several strategies can help manage uncertainty.
- Work from explainable elements. Using elements that capture the overlap between the different health data definitions helps establish a consistent classification and educates business stakeholders about when they are encountering health data. Scope-related elements of the current health data definitions include:
  - Does the data reveal a specific health condition?
  - Does the data reveal a past or current health condition?
  - Does the data relate to a specific consumer?
  - Does the data relate to a sensitive health issue?
  - What kind of harm (if any) could the use or disclosure of the data reasonably cause to individuals?
  - Particularly important for Washington and Nevada: Does the data relate to the consumer's past, current, or future health condition?
- Think comprehensively about classification. Categorizing data elements on their own can cause problems. Regulatory definitions are broad, so analyzing data elements in isolation may not be sufficient. Rather, you may need to consider the purpose for which a particular data element is used or disclosed, because that purpose affects whether it is health data. The same data element may be “health data” when it is under the control of one entity and not when it is under the control of another. Therefore, it is important to understand the business processes, contractual commitments, data sources, and other factors surrounding potential health data. In many cases, there is no clear answer as to whether a data element is health data. By clearly identifying what is and is not included in this category, companies can spend more of their time on the genuinely contested cases.
- Think about scalability and sustainability. A one-time classification exercise may be feasible for many companies, even if it involves thousands of variables. Maintaining these classifications over time is another story. For companies with relatively static data inventories, long-term maintenance may not be too difficult. However, if your inventory changes rapidly, reviewing data elements on a case-by-case basis may not be practical. Consider how to set review cycles, and appoint a privacy advocate within the business to work with legal support in applying the framework on an ongoing basis.
Consent under MHMD
While the FTC and states with comprehensive privacy laws are moving toward requiring opt-in consent for most health data processing, MHMD has particularly stringent consent requirements. What sets MHMD apart from other health data regulations is that it requires affirmative consent: consent must be voluntary and unambiguous, the scope of consent that may be granted is limited, and specific details must be disclosed for the consent to be valid. (Other regulators are less explicitly restrictive, but there is a clear trend in this direction, as we discussed in our recent post on the FCC's one-to-one consent orders.)
Specifically, to obtain consent to collect or share consumer health data, businesses must disclose:
- Categories of consumer health data collected or shared;
- Purpose of collection (including specific methods of use);
- Categories of entities with which consumer health data will be shared; and
- How consumers can withdraw consent from future collection or sharing of consumer health data.
Meeting these standards may not be feasible for many companies, especially those that do not have a direct relationship with consumers.
MHMD's requirements for selling consumer health data are more stringent still. The law requires a valid authorization, which must include the purchaser's name and contact information, be signed by the consumer, and expire within one year of signature. Obtaining such an authorization is not practical for most companies except in limited circumstances.
The primary alternative to consent or authorization is to limit the collection of health data under the MHMD to those that fall under the necessity exception. Although the Washington government has not provided further guidance on the scope of this exception, we expect regulators to interpret it narrowly.
Documentation is key
We understand that companies are reluctant to produce discoverable documentation that could be used to show that they have misinterpreted health data regulations. But the alternative is far worse: the absence of documentation could be used to support claims that a company has failed to manage health data systematically and reasonably. It can also lead to inconsistent practices within the company and to time-consuming back and forth between business and legal teams.
Key documents include health data definitions, consent requirements, partner evaluation processes, data subject request procedures, and model terms and conditions. Many of the consumer health data practices that should be documented are likely extensions of current privacy programs and processes, such as data protection assessments.
Of course, there are arguments for protecting such documentation under the attorney-client privilege. Maintaining clear boundaries between discussions that provide legal advice and those that provide operational guidance to business teams can help draw defensible lines regarding privilege.
* * *
Accelerating health data privacy regulation is placing even greater demands on already stretched privacy teams. Confronting the breadth of the definition of “health data” and the impact these regulations have on business operations is especially difficult in the absence of regulatory guidance. For better or worse, the boundaries of health data privacy regulation will become clearer through enforcement and through MHMD's private right of action. In the meantime, understanding the core purpose of these laws and closely monitoring regulators' statements can serve as a starting point for setting compliance priorities.