October 15, 2019 Sharing Health Data: Challenges and Solutions Dan Guggenheim Hill Physicians Medical Group Raegan McClain OptiNose Sandra Parker Manifest Medex Facilitator: Deborah Gersh Ropes & Gray LLP
Sharing Health Data: Challenges and Solutions • This session will focus on the tension between sharing data to improve outcomes and quality and efficiency of care vs. protecting against re-identification or other inappropriate use • How do different stakeholders use and share data? What are the challenges faced by each? Providers • Payors • Pharmaceutical and Medical Device manufacturers • Health information exchanges (“HIEs”) •
Data Sharing Practices
Question 1 How do each of you use and share data in your respective roles as a provider, pharmaceutical manufacturer, and HIE?
Question 2 Under what circumstances do you share data with third parties? What are the biggest challenges and concerns you face in sharing data?
Question 3 As a HIE, how do you compile, use, and share data from different sources?
Question 4 How can we improve the way we share data for care coordination purposes? • Challenges in the value-based care context • Ensuring fewer restrictions on use of data for such purposes • Ability of patients to transfer and access data
Question 5 Marketing does not include a communication made: (i) To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered In the context of entity in exchange for making the communication is reasonably related to the covered entity's cost of making the communication . sharing and using (ii) For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication: data, where is the A. For treatment of an individual by a health care provider , including case management or boundary for what care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual; constitutes B. To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the “marketing” for communication , including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health HIPAA purposes? plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or C. For case management or care coordination , contacting of individuals with information about treatment alternatives , and related functions to the extent these activities do not fall within the definition of treatment.
Data Sharing Challenges
Question 6 What new challenges will the California Consumer Privacy Act (“CCPA”) create for how companies share and use data? • Approach to care coordination when one party is subject to HIPAA and the other party is not • Impact on businesses that do business within and outside of California • Challenges with consumer rights provisions For additional information on the CCPA, see the Appendix at the end of this presentation
Question 7 What are the biggest challenges with digital health apps? • Privacy Terms and Conditions • Compliance with HIPAA and Applicable State Law • Sharing information with covered entities and business associates • Liabilities and risks
Panelists Sandra Parker Dan Guggenheim Raegan McClain Deborah Gersh General Counsel & Chief Privacy Deputy General Counsel Chief Compliance Officer Partner Hill Physicians Medical Group OptiNose Officer Ropes & Gray LLP Manifest Medex
Appendix
California Consumer Privacy Act Key Provisions Rights • Right to opt out of sales of personal information • Right to know • Right to access/portability • Right to erasure • Right to equal service • Disclosures • Update online Privacy Notice and provide consumers with information at point of • collection Disclose any “sale” of consumer personal information • Private right of action arising out of data breach •
California Consumer Privacy Act Key Definitions Consumer: a California resident • Personal Information: information that identifies, relates to, describes, is capable • of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household Sell, Selling, Sale, or Sold: selling, renting, releasing, making available, or • otherwise communicating a consumer’s personal information “for monetary or other valuable consideration”
California Consumer Privacy Act Application outside California Can apply to companies outside of California if the company “does business” in • California and meets one of three thresholds: Annual gross revenue exceeds $25 million; • Annually sells or receives for a commercial purpose, alone or in combination, • the personal information of 50,000 or more consumers, households, or devices; or Derives 50% or more of its annual revenues from selling consumers’ personal • information Also applies to any entity that controls or is controlled by a covered business and • shares common branding
New York SHIELD Act Key Provisions The SHIELD Act amends Article 39-F of the New York General Business Law (New York’s data • breach notification law) Key elements • Expanded scope • Applies to any business that owns or licenses certain categories of computerized data • More expansive definition of “private information” • Private Information means (i) personal information in combination with a specified data element that • is not encrypted or that is encrypted with an encryption key that has also been compromised or (ii) a username and password or security question that would permit access to an online account New data security requirements effective 3/21/2020 • Includes specific elements of a data security program that would meet the new requirements • Breach notification requirements effective 10/23/2019 • More expansive definition of “breach” • New breach notification requirements • Increased penalties for violations •
New York SHIELD Act Applicability • Under the SHIELD Act, requirements of Article 39-F apply to: “[a]ny person or business which owns or licenses computerized data which includes private information of a resident of New York Applies regardless of whether conducts business in the State of New York • No geographic limit •
Algorithmic Accountability Act Federal bill introduced in April 2019 • If passed, would require companies to regularly evaluate their computer • algorithms for bias and discrimination and correct any issues they discover Applies to any person or entity subject to the jurisdiction of the Federal Trade • Commission (“FTC”) that: Had more than $50 million in average annual gross receipts for the preceding three • taxable year period; Possesses or controls personal information on more than one million consumers or • consumer devices; or Acts as a data broker • Violations would be enforced by the FTC as an “unfair or deceptive” trade practice •
Recommend
More recommend
