Sponsored Post

Navigating state patient data privacy laws will only get more challenging

Ryan Johnson and Sten-Erik Hoidal, partners at the law firm Fredrikson & Byron, explained in an interview why the job of helping digital health startups navigate diverse state laws governing patient data privacy is set to become even more challenging.

Medical data privacy has traditionally been subject to various state laws. This system made sense in a world of largely state-specific providers. However, the rise of national digital health providers makes it tough for these companies to adhere to both national and state regulations.

In a panel discussion at the Health Datapalooza conference last year, one attorney called attention to the complex web of privacy laws facing healthcare startups seeking to scale.


“We literally have thousands of state medical privacy laws. They are not well understood. If you try to research them you will fill up a bookcase,” she said. “The dirty little secret is that few people understand these laws and few people comply with them.”

Ryan Johnson and Sten-Erik Hoidal, partners at the law firm Fredrikson & Byron are well-acquainted with the challenge of helping startups navigate these diverse rules. In an interview with MedCity News, Hoidal and Johnson explained why that job is set to become even more challenging. California is leading the way with more restrictive privacy rules. But the consolidation trend in the digital health sector also means that when companies acquire rival or complementary businesses, they need to understand the data management requirements dictated by that company’s contracts and the states in which they are active.

“Each of the 50 states has its own unique data breach notification law and they are all a little bit different. So if you have a breach that involves personally identifiable info you will have to navigate through all of those laws,” Hoidal noted.

Read your contracts carefully

Johnson observed that a common problem he encounters is that some companies don’t pay enough attention to their contracts. Those contracts may contain limitations, or “handcuffs,” that prevent those businesses from using the data, or from getting access to the data, they need to do what they want to do from a digital health perspective.

In a business, someone might sign a business associate agreement without reviewing it to make sure it has provisions that allow them to de-identify data, aggregate data, or use certain data sets. Or there might be other limitations buried in what appear to be boilerplate confidentiality provisions in an agreement.

“On top of the evolving state/federal/international regulatory landscape, it is important for companies to pay attention to the basic contractual provisions governing data usage under the contracts.”

Organizations need to get a better grasp of the data they possess because how it is used and disclosed is central to developing a strategy for navigating these laws.

California Consumer Privacy Act and its ramifications

However complex the current landscape is for navigating data privacy concerns from state to state, California’s recently passed Consumer Privacy Act will produce a whole new paradigm for how companies use their customer data when the Act goes into effect in 2020. Although it started as a ballot measure, it later took the form of a bill as the result of a compromise with the PAC Californians for Consumer Privacy, which agreed to withdraw the ballot initiative. Both the state House and state Senate passed the compromise bill earlier this year.

It is currently the nation’s strictest consumer privacy and data protection legislation. California is also home to some of the technology companies that have come under the spotlight over how they have used patient data. The recent scandal involving Facebook and Google allowing third parties much greater access to user data than they had previously disclosed created more momentum for data privacy protections. This development is also significant because the state is the fifth largest economy in the world. Add to that a cybersecurity law for the Internet of Things, also passed by California lawmakers this fall, which is designed to improve the protection of consumer data in connected devices.

Hoidal observed that there are some similarities for what California seeks to achieve in the Act and the data protection laws enacted in Europe.

Consumers have the right to prohibit companies from selling their personal information. Companies have to provide a way for their customers to opt out of the sale of their data to third parties.

The European Union passed the General Data Protection Regulation in 2016 after years of discussion; Hoidal contrasted that process with the Consumer Data Protection Act, which happened “virtually overnight.”

There is also a right to erasure, which will require companies to delete personal information about users if they ask for it.

“That is a new concept in the U.S.,” Hoidal noted and pointed out that California’s law is similar in that respect to the EU’s GDPR. He added that the Act prohibits discrimination against individuals who have exercised their rights under the data protection law.

As the data protection rules become an increasingly challenging labyrinth to navigate, Johnson shared some insight on how he is working with entrepreneurs to better prepare them for this shifting landscape and to better manage risk:

  • Understand my client’s business goals, both short-term and long-term, to make sure my advice and strategy help them achieve those objectives.  
  • Help them understand the evolving legal/regulatory barriers to entry (e.g. compliance burdens and risks) in the various expansion states under consideration, thus allowing them to make an informed decision about how and when to enter certain markets (and how to best leverage what they spend on legal/compliance matters).
  • Help them design the legal structure and strategy that will help them best achieve their objectives, both short-term and long-term, always mindful of the amount they can spend on legal/compliance related matters.

It will be interesting to see how California’s approach to data protection plays out. The state’s close association with tech companies, many of them dependent on consumer data, could spur an exodus of companies. Google and Facebook have been lobbying members of Congress to consider passing legislation that could water down the effectiveness of California’s law. The impact of the midterm elections on the success or failure of those efforts obviously remains unknown. In any case, the debate over data privacy and protection is set to become a higher-profile national conversation. Healthcare startups would do well to pay attention. And consider consulting with a lawyer.

Photo: Peter Howell, Getty Images