
Originally Published MX September/October 2001

GOVERNMENTAL & LEGAL AFFAIRS

Global Data Privacy and Security

Part 1: An Overview of U.S. and International Laws

For medtech manufacturers, compliance with new laws on the privacy of patient data is key to bringing a new product to market.


Edward J. Green and Lisa J. Acevedo

Fueled by the Internet and advances in computer and electronic technology, the electronic communications age has given rise to public concern about the privacy of personally identifiable information—in particular, health information. This public concern has translated into new laws and regulations in the United States and internationally, governing the use and disclosure of personal data.

Technology permits easy and rapid collection and disclosure of personal information, much of which can be profoundly personal—especially medical information. The public recognizes that, with literally the push of a key or click of a mouse, their most personal information could be disclosed to countless numbers of people.

Such fears are not just theoretical. Rather, they are based on significant and publicized violations of privacy. Several years ago, for example, a health system inadvertently posted a database containing the names, addresses, social security numbers, and diagnosis codes of its patients on the Internet [1]. More recently, a pub in England received via facsimile the confidential medical records of patients, which included information on sexual abuse, intended for a local social services office [2].

The public's concerns surrounding privacy do not focus solely on traditional healthcare providers. E-health has transformed the relationship between manufacturers and the patients and customers that use their products to a communicating, interactive relationship in which information is routinely exchanged. Many medical device manufacturers communicate with and collect personal information about patients to some extent, most commonly via the manufacturers' Web sites. New, state-of-the-art products allow patients and healthcare providers to communicate information, often personally identifiable health information, in new ways, often via the Internet. Manufacturers of such products frequently have access to the personal information their products communicate.

Manufacturers have found themselves facing the glare of negative publicity over privacy violations. Most recently, Eli Lilly (Indianapolis) found itself in the spotlight after it accidentally disclosed to all its registrants the e-mail addresses of individuals who had registered with the company to receive e-mail reminders about taking Prozac [3]. The negative publicity created by this type of privacy violation can adversely affect the credibility of a business. Thus far, the medical device industry has remained relatively unscathed. Given the new generation of Web-enabled "smart" devices and recent increase in on-line activities, however, it may be only a matter of time before a member of industry finds itself in the news.

Governments, both in the United States and internationally, have responded to public concern by enacting laws to protect personal information. The laws and regulations governing data privacy can affect manufacturers' efforts to market their products via Web sites and on-line services. Such laws can also affect clinical trials and even influence the way that manufacturers design certain products. The legal requirements surrounding data privacy can also affect customer preference and willingness to acquire a product.

This article provides an overview of both U.S. and international laws governing data privacy and security, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the European Union's Data Privacy Directive, and Safe Harbor Principles. The article will describe pitfalls that can adversely affect a manufacturer's ability to bring a new product to market, as well as hinder marketing activities.

The second installment of this article, which will be featured in the November/December issue of MX, will provide practical tips on how to effectively meet data privacy and security legal challenges, avoid pitfalls, and use these legal requirements to meet patient and customer needs in order to successfully market and sell medical devices.

HIPAA Privacy and Security Standards

In December 2000, the U.S. Department of Health and Human Services (HHS) issued a final rule for protecting the privacy of personally identifiable health information as required by HIPAA [4, 5]. HHS stated that it intends the privacy regulations to "address growing public concerns that advances in electronic technology and evolution in the healthcare industry are resulting, or may result, in a substantial erosion of the privacy surrounding individually identifiable health information." The compliance date for the privacy regulations is April 14, 2003.

HHS recognized that privacy cannot be protected without the support of security measures. As a result, HHS has also issued proposed Security and Electronic Signatures Standards of HIPAA [6]. The security standards contain requirements for protecting the privacy of personally identifiable health information.

The standards are technology-neutral in that they do not require use of a specific technology. Rather, these standards recognize that security technology changes quickly, and that it would be unworkable to base a standard on a specific technology that may become obsolete. The security standards also do not detail the procedures that must be implemented. Rather, they require organizations to assess their own security needs and implement the necessary procedures and technology to meet those needs.

The security standards are still in a proposed form, and it is not clear when they will be issued in final form. HHS is reported to intend to issue a final rule soon, but changes to the proposed rule are not expected to be significant.

Figure 1. Examples of protected health information (PHI) flows. Source: Foley & Lardner (Chicago).

Although the privacy regulations and security standards primarily target the activities of healthcare providers, they also affect manufacturers. The greatest impact will be on the design of medical devices that collect, store, or otherwise communicate personal health information. Clinical trials, and the subsequent use or disclosure of personal information obtained from trial subjects, will also be affected. As described below, manufacturers may be drawn into HIPAA by virtue of activities in which they engage with their customers (see Figure 1).

Many manufacturers may initially believe that they already take steps to protect the privacy of personal information such that they do not need to worry about HIPAA. Many may also believe that HIPAA is not a concern for them because the information they possess does not name any person, but is coded or only uses initials. Many may believe HIPAA does not apply to their business activities. However, compliance with the privacy regulations requires a level of attention to detail not found in most operations. In addition, from a practical perspective, many manufacturers' customers will have to comply with HIPAA and will, in turn, demand compliance from manufacturers.

Privacy Regulations

Following is a brief summary of the privacy regulations' key points. It is important to emphasize that this is only a high-level overview and that the regulations are extremely detailed and comprehensive.

Scope. The privacy regulations provide that covered entities and their business associates may not use or disclose protected health information except as set forth in the regulations. In order to determine who and what is affected by the regulations we have to understand these defined terms.

First of all, protected health information (PHI) is any personally identifiable information that relates to the physical or mental health or condition of an individual, or the provision of healthcare or the payment for the healthcare of an individual. Such information is considered to be personally identifiable if it either directly identifies the individual or could be used to identify the individual.

The privacy regulations do not apply to the entire universe of entities that use or disclose PHI. Only those individuals or entities that fall within the definition of a covered entity or the business associate of a covered entity must comply. The term covered entity is defined to include healthcare providers, health plans (including employers that operate self-funded health plans), and healthcare clearinghouses. The term healthcare provider is defined to include anyone who furnishes, bills, or is paid for healthcare services or supplies—a group that includes DME suppliers. Manufacturers are not considered covered entities simply because they are paid for their products. In order for manufacturers to be deemed such, they must conduct standard transactions such as healthcare payments, remittance advice, referral certifications and authorizations, and healthcare claims.

Business associates of covered entities also fall within the scope of the regulations. The definition of the term business associate is very complex but, in essence, means any individual or entity that performs or assists in the performance of a covered entity's function involving the use or disclosure of PHI. A covered entity may disclose PHI to a business associate or allow the business associate to create or receive PHI on its behalf, if the covered entity receives written assurances that the business associate will protect the PHI. Manufacturers will likely most frequently find themselves affected by HIPAA because they have a business associate relationship with a customer, such as providing service for devices where such service requires the manufacturer's technician to access PHI to perform the task.

The following sections describe HIPAA's requirements with regard to the use and disclosure of PHI. Although such requirements apply primarily to healthcare providers, they may also apply to manufacturers by virtue of their business relationships with providers.

Consent versus Prior Authorization. A primary focus of the privacy regulations is that individuals understand and agree to the use and disclosure of their PHI. The regulations have developed two separate concepts for obtaining an individual's agreement. The first type is the consent requirement and the second is the requirement for prior authorization.

The consent requirements only apply to healthcare providers using or disclosing PHI for the purposes of treatment, payment, or healthcare operations (e.g., quality assurance). A consent is broadly written, and refers the individual to the provider's privacy policy, which must contain information on how the provider will use or disclose PHI. The privacy regulations provide detailed requirements covering the information that must be present in the consent.

Subject to several exceptions, use or disclosure of PHI for all other purposes aside from treatment, payment, and healthcare operations requires the individual's prior authorization. Unlike the consent form, the authorization form must be very specific. The privacy regulations detail the information that must be contained in the authorization.

There are important exceptions to both the consent and authorization requirements, including uses or disclosures required by law, such as those to regulatory agencies.

Minimum Use or Disclosure. In an effort to limit the number of people with access to PHI and the amount of PHI that is shared with outside parties, the privacy regulations require that covered entities must make reasonable efforts not to use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose. To comply with this requirement for uses of PHI within an organization, covered entities must implement procedures to limit access to PHI only to those employees who need access to carry out their duties. For routine, recurring disclosures of PHI, covered entities must implement policies and procedures or standard protocols that describe the PHI that can be released. For nonroutine disclosures, criteria must be developed and applied on a case-by-case basis to help ensure that only the minimum amount of PHI is disclosed.

Business Associates Agreements. In order for a covered entity to disclose PHI to a business associate, the covered entity must require the business associate to enter into an agreement specifying the manner in which the business associate can use or disclose the PHI. The regulations list the requirements that must be addressed in such agreements.

Business associates agreements will require manufacturers acting in a business associate role to implement many of the same types of policies, procedures, and safeguards that their customers must implement.

Deidentification Requirements. If information is deidentified, it is not within the scope of HIPAA and can be used or disclosed in any way. In the clinical trials context, manufacturers often use initials or keys to identify subjects and believe the information is deidentified. However, HIPAA considers PHI to be deidentified only if a list of 19 identifiers (e.g., name, initials, birth date, and Web site address) are removed, or if a person knowledgeable about statistical principles determines the risk is very small that the individual could be reidentified. As a result, manufacturers may find that they do collect information that falls within the scope of HIPAA.
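The point of the deidentification paragraph is that coding or initials alone do not take a record out of scope: the named identifier fields must actually be gone, and identifiers also tend to hide in free-text fields. The following is an added example, not code from the article or from Foley & Lardner, showing how a study database might check a record before treating it as deidentified. The field names and the identifier set are constructed to illustrate the categories the article names (name, initials, birth date, Web site address); they are not the regulation's authoritative list, and the handling of a coded subject key is deliberately left to a reviewer, since it depends on who holds the key list.

```python
"""Field-level deidentification check for a clinical-trial record.

Added example (not from the article). DIRECT_IDENTIFIERS is a constructed
illustration of the identifier categories the text names, not the
regulation's full list.
"""
import re

# Constructed: field names assumed for a hypothetical study database.
DIRECT_IDENTIFIERS = {
    "name", "initials", "birth_date", "address", "phone", "email",
    "ssn", "medical_record_number", "device_serial", "web_site", "ip_address",
}

# Identifiers that commonly leak into free-text fields such as clinician notes.
_LEAK_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+|www\.\S+"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def deidentify(record):
    """Return (deidentified_copy, removed_fields, leaks).

    Fields named in DIRECT_IDENTIFIERS are dropped. Remaining string fields
    are scanned for identifier patterns; hits are reported in `leaks` so a
    reviewer decides what to do, rather than the record shipping silently.
    """
    out, removed, leaks = {}, [], []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            removed.append(key)
            continue
        if isinstance(value, str):
            for label, pattern in _LEAK_PATTERNS.items():
                if pattern.search(value):
                    leaks.append((key, label))
        out[key] = value
    return out, sorted(removed), leaks


def is_deidentified(record):
    """True only if no identifier field is present and no free-text leak is found."""
    _, removed, leaks = deidentify(record)
    return not removed and not leaks


# Constructed sample record: coded subject key plus initials, as the article
# says manufacturers often use. subject_key is kept; whether a coded key is
# itself an identifier depends on who holds the key list (reviewer decision).
SAMPLE_RECORD = {
    "subject_key": "S-0042",
    "initials": "J.D.",
    "birth_date": "1961-03-09",
    "diagnosis_code": "I10",
    "visit_year": 2001,
    "notes": "Subject asked to be contacted at jdoe@example.com about device follow-up.",
}

if __name__ == "__main__":
    cleaned, removed, leaks = deidentify(SAMPLE_RECORD)
    print("removed fields:", removed)
    print("free-text leaks:", leaks)
    print("deidentified:", is_deidentified(SAMPLE_RECORD))
```

Running it on the sample shows why "initials or keys" is not enough: two identifier fields are stripped, and the notes field is flagged for an e-mail address that field-level stripping alone would have missed.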

Additional Rights of Individuals. The regulations provide individuals with several other rights regarding their PHI. Individuals have the right to receive notice from covered entities about how their PHI will be used or disclosed, as well as receive information about covered entities' obligations regarding the treatment of PHI. In addition, individuals have the right to request that the covered entity restrict its uses or disclosures of their PHI.

Individuals also have the right to access and copy their PHI and, in some cases, to request that the covered entity correct or amend the PHI. Moreover, individuals have the right to an accounting of any disclosures the covered entity has made of their PHI during the 6 years prior to the date of the request.

Manufacturers acting in a business associate role may be compelled to comply with many of these additional requirements through the business associates agreement.
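Two of the requirements above translate directly into system design: the minimum-necessary rule (release only the fields a role needs for a stated purpose) and the individual's right to an accounting of disclosures over the prior 6 years (which is only possible if every release is recorded). The following is an added example, not code from the article or from Foley & Lardner, of a small disclosure gateway that does both. The role/purpose-to-field policy, the record layout, and the names `DisclosureLedger`, `disclose`, and `accounting` are constructed for a hypothetical device-service scenario; which recorded disclosures must actually be reported to the individual is a policy question the code leaves open by logging every release.

```python
"""Minimum-necessary disclosure with an accounting-of-disclosures ledger.

Added example (not from the article). MINIMUM_NECESSARY is a constructed
policy for a hypothetical device manufacturer acting as a business associate.
"""
from datetime import datetime, timedelta

# Constructed policy: fields each (role, purpose) pair may receive.
# Anything not listed is denied by default.
MINIMUM_NECESSARY = {
    ("service_technician", "device_repair"): {"device_serial", "device_settings"},
    ("billing_clerk", "payment"): {"name", "account_number", "procedure_code"},
    ("clinician", "treatment"): {"name", "birth_date", "diagnosis_code",
                                 "device_serial", "device_settings"},
}


def is_permitted(role, purpose):
    """True if a minimum-necessary policy exists for this role/purpose pair."""
    return (role, purpose) in MINIMUM_NECESSARY


class DisclosureLedger:
    """Releases PHI projections and keeps one entry per release for accounting."""

    def __init__(self):
        self.entries = []

    def disclose(self, record, role, purpose, recipient, when=None):
        """Return only the minimum-necessary fields and record the disclosure.

        `when` is an ISO date string (YYYY-MM-DD); defaults to now.
        Raises PermissionError when no policy covers (role, purpose).
        """
        if not is_permitted(role, purpose):
            raise PermissionError(f"no minimum-necessary policy for {role!r}/{purpose!r}")
        allowed = MINIMUM_NECESSARY[(role, purpose)]
        released = {k: v for k, v in record.items() if k in allowed}
        self.entries.append({
            "patient_id": record["patient_id"],
            "when": datetime.fromisoformat(when) if when else datetime.now(),
            "recipient": recipient,
            "purpose": purpose,
            "fields": sorted(released),
        })
        return released

    def accounting(self, patient_id, as_of, years=6):
        """Disclosures of this patient's PHI in the `years` before `as_of`
        (an ISO date string), matching the article's 6-year window."""
        end = datetime.fromisoformat(as_of)
        cutoff = end - timedelta(days=365 * years)
        return [e for e in self.entries
                if e["patient_id"] == patient_id and cutoff <= e["when"] <= end]


# Constructed sample record for a hypothetical implanted-device patient.
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "name": "Jane Doe",
    "birth_date": "1961-03-09",
    "account_number": "ACC-77",
    "procedure_code": "99213",
    "diagnosis_code": "I10",
    "device_serial": "SN-ABC123",
    "device_settings": {"pacing_rate": 60},
}

if __name__ == "__main__":
    ledger = DisclosureLedger()
    print(ledger.disclose(SAMPLE_RECORD, "service_technician", "device_repair",
                          "tech-17", when="2001-09-01"))
    print(ledger.accounting("P-1001", as_of="2001-10-01"))
```

The technician servicing the device receives the serial number and settings but never the name, birth date, or diagnosis, and the ledger answers a later accounting request without any further bookkeeping. Denying unlisted role/purpose pairs by default is what makes the "minimum" enforceable rather than advisory.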

Failure to Comply. Noncompliance with HIPAA can result in civil monetary penalties of up to $25,000 per person. Possible criminal penalties include fines of up to $50,000 and one year in jail. Penalties are more severe if the government can prove false pretenses or intent to use PHI for commercial gain.

Proposed Security Standards

The requirements of the proposed security standards are grouped into four categories: administrative procedures, physical safeguards, technical security services, and technical security mechanisms. Each category contains core requirements and implementation features.

Administrative Procedures. The administrative procedures target requirements that must be incorporated into the day-to-day operations of the organization and govern how the organization's personnel handle PHI. These procedures are intended to help organizations prevent and detect security violations. Among other operations, the requirements include information access control, internal audit, personnel security, security configuration management, security incident procedures, and training.

Physical Safeguards. The physical safeguards are intended to secure the physical environment where PHI is maintained from fire and other environmental hazards, as well as from unauthorized access. Requirements include implementation of physical access controls, assignment of security responsibilities, and security awareness training.

Technical Security Services. The section on technical security services addresses standards within an organization's information system to control and monitor information access. Requirements include implementation of passwords, audit trails, data integrity controls, and automatic log-offs.

Technical Security Mechanisms. The proposed standards have requirements for technical security mechanisms, which are controls implemented to protect against unauthorized access as data is transmitted over a communications network. The technical security mechanisms require implementation of communications network controls, that is, controls that protect data from unauthorized access during electronic transmissions. Such controls must include, among other things, authentication and implementation of either access controls or encryption. The security standards indicate that if PHI is being transmitted over an open network, then some form of encryption should be employed. The security standards also indicate that use of less-open systems like those provided by a value-added network would be an acceptable alternative to use of encryption.

The security standards contain a HIPAA security matrix that lists each requirement and references the standards with which organizations must comply. If an organization implements encryption, for instance, then its encryption technology must comply with the ANSI X3.92 data-encryption standard.

Most manufacturers have security measures in place. However, many may not have formal policies and procedures as required by the proposed security standards. Some manufacturers may have to upgrade their existing systems to comply with these requirements.

Children's On-Line Privacy Protection Act

The Children's On-Line Privacy Protection Act (COPPA) is a U.S. law that is targeted at commercial Web sites or on-line services that are directed toward and intended for collecting personal information from children under the age of 13 [7]. COPPA also targets general-audience Web sites that knowingly collect personal information from children under age 13.

COPPA contains numerous and complex requirements, including what must be included in a children's privacy policy. COPPA also contains detailed requirements regarding the manner in which companies handle children's information and the steps they must take to obtain parental consent. Many sites that are not directed to children may fall within the scope of COPPA if they collect age, grade, or school information, or if a portion of their content could be deemed to be directed to children based on their graphics or subject matter. Failure to comply with COPPA is actionable by the Federal Trade Commission (FTC) as an unfair and deceptive trade practice subject to fines.

Compliance with COPPA has been considered so onerous that many children's Web sites no longer allow children to submit any personal information via the site. Given that a site could inadvertently trigger COPPA, companies should analyze their U.S. sites to rule out application of COPPA.

U.S. Safe Harbor Principles and the EU Privacy Directive

In the European Union (EU), an individual's privacy is protected by means of the European Data Privacy Directive, which was enacted by the European Commission in 1995 [8]. The EU directive sets forth specific conditions for legally processing personal information in EU countries, and prohibits transfers of personal information from the EU to other countries that do not provide adequate levels of privacy protection. In response to these requirements, the United States joined with the EU to develop a set of safe harbor principles that would enable U.S. companies to continue transmitting personal information from EU countries to the United States [9].

In accordance with this intent, the European Commission has found that the U.S. safe harbor principles provide adequate levels of privacy protection for personal information.

The critical difference between HIPAA and the EU directive and its counterpart safe harbor principles is that the latter apply to all personally identifiable information, whereas only health information falls within the scope of HIPAA. However, the safe harbor principles do contain special requirements for sensitive information (e.g., health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and sexual orientation).

Another critical difference is that compliance with the safe harbor principles is voluntary, unlike HIPAA. However, if a company chooses not to comply with the safe harbor principles, it will have to obtain EU member state approval prior to transferring personal information to the United States. In addition, any privacy enforcement actions against it will take place in the EU rather than in the United States.

Manufacturers with business operations in EU member states will have to comply with the directive. In addition, if they transfer personal information to the United States, their U.S. operations may have to incorporate the requirements of the safe harbor principles.

It is important to emphasize that information transfers may not always be obvious. For example, manufacturers may collect personal information from the EU via their Web sites. Such information may be immediately transmitted directly to the United States to be stored on servers. Many manufacturers transmit information about employees located in EU countries to their corporate headquarters in the United States for human resource purposes. Consequently, manufacturers should closely examine their business operations to identify information transfers that could trigger enforcement of the directive and safe harbor principles. To comply with the safe harbor principles, manufacturers must incorporate the elements summarized below into their operations via policies and procedures.

Notice. Manufacturers must provide individuals with the company's privacy policy at the time they provide personal information. The policy must explain how the company will use and disclose personal information and protect the privacy of that information. It is important to note that personal information can be used only for the purposes disclosed in the privacy policy, and not for any other purpose without the individual's prior consent. Changing the use or disclosure of personal information requires the organization to obtain a new consent from the individuals who provided their information under the original terms of the policy.

Choice. Individuals must be able to opt out, or elect not to allow their personal information to be used for different purposes. Individuals must also have the ability to opt out of having their information disclosed to a third party. For sensitive information, like health information, individuals must opt in, or affirmatively give permission for different uses or for disclosure to third parties.

Company personnel often share information with other functions, business divisions, or affiliates in the belief that such intracompany sharing is not true disclosure. However, it is important to remember that intracompany disclosures may be no different, for purposes of compliance with the safe harbor principles, from disclosure to an outside third party.

Onward Transfers. Individuals must have been given the opportunity to opt out of disclosures to third parties (or to opt in if the information is sensitive information). Moreover, companies can disclose personal information only to individuals or organizations that agree, in writing, to comply with the principles set forth in the safe harbors.

Security. Safe harbor principles require that security measures be implemented to reasonably assure the reliability and integrity of personal information and to protect it from misuse, unauthorized access, disclosure, alteration, and destruction. Unlike HIPAA, the safe harbor principles do not specify the steps that must be taken to protect security.

Data Integrity. Safe harbor principles require companies to collect, use, or disclose only relevant personal information. Therefore, if a person registers via a company's Web site to receive a newsletter from the company, under the data integrity principle the company should not ask for information about household income or health status.

In addition, companies must take reasonable steps to ensure that personal information is appropriate and reliable for its intended use, as well as accurate, complete, and up to date.

Access. This principle requires companies to provide individuals with reasonable and appropriate access to their personal information so that they can request that it be corrected, amended, or deleted, if necessary. It is important to note that this principle does not mandate permitting individuals to directly access the company's databases or files.

With regard to blinded clinical studies, companies do not have to provide access to the study participants during the course of the study. However, this restriction must be explained to participants in the privacy policy or informed consent form.

Enforcement. This principle of the safe harbor includes three requirements: dispute resolution, verification, and remedy. To meet the dispute resolution requirement, companies must provide individuals with a readily available and affordable mechanism to investigate and resolve complaints and disputes about privacy.

To meet the verification requirement, companies must audit their compliance with safe harbor principles and sign a statement certifying compliance on an annual basis.

This principle also requires companies to take steps to reverse or correct noncompliance and to ensure that the noncompliance does not recur.

Joining the Safe Harbor. As discussed above, participation in the safe harbor is optional. To join the safe harbor, companies must self-certify compliance to the U.S. Department of Commerce. Companies do not need to self-certify for all information, but rather can limit participation to discrete types of information (e.g., marketing information). Companies must recertify compliance on an annual basis. (For a list of companies participating in the safe harbor, visit http://www.export.gov/safeharbor.)

Safe Harbor Enforcement. If a company joins the safe harbor and fails to comply with safe harbor principles, it could be subject to an action by the FTC for unfair and deceptive trade practices.

EU Privacy Directive and Member State Law

The EU's privacy directive applies to all processing of personal data, except for that used only for purely personal or household activities. It includes strict requirements governing all processing of personal information. Many of its requirements are similar to those contained in the safe harbor. However, it does have unique requirements. For example, it requires companies that process personal information to appoint a data controller to be responsible for all processing. The data controller must register with the member state authorities and notify them before processing data.

Not all member states have adopted the directive. Moreover, even those that have adopted the directive often have local laws that can affect a company's activities relating to personal information. It is important to understand all such requirements prior to engaging in activities where personal information collection or transmission is critical to the success of the project.

Canadian Law

Canada recently enacted the Personal Information Protection and Electronic Documents Act [10]. Implementation of the act is broken down into three phases, of which only Phase I is currently in effect.

The first phase of the act became effective January 1, 2001, and only applies to non-health-related personal information collected, used, or disclosed by works or businesses regulated by the Canadian Parliament. Phase II will take effect January 1, 2002, and applies to health-related personal information not included in Phase I. Phase III will take effect January 1, 2003, and applies to all personal information used pursuant to any commercial activity.

The act's requirements are very similar to the requirements of the EU privacy directive and the safe harbor principles.

Other Laws

Other countries have also enacted legislation on the privacy of personal information, much of which is modeled after the EU privacy directive and the safe harbor principles. In some countries, such as Brazil, privacy is a constitutional right.

In the United States, many states have separate laws related to privacy—especially medical privacy—which HIPAA does not preempt unless the law is contrary. As a result, prior to engaging in any transaction involving personal information, manufacturers must conduct due diligence to uncover legal or regulatory obstacles.

Conclusion

The recent increase in international laws and regulations governing data privacy can affect many aspects of a device manufacturer's operations. Whether they are dealing with personnel records or complaints from home-use customers, manufacturers may find themselves challenged to ensure that their handling of such personally identifiable information remains within the boundaries prescribed by this new body of laws.

Privacy requirements are also influencing the ways that manufacturers develop products to meet the needs of their customers. Beginning with the earliest design reviews and continuing through the marketing phase of a new product's life cycle, manufacturers are increasingly aware of the need to incorporate features that can make it easier for their customers to satisfy privacy and security regulations.

The second installment of this article, which will appear in the November/December issue of MX, will discuss how such laws are affecting manufacturers' development and marketing of medical products. It will provide practical tips on how company leaders can meet data privacy and security challenges and use the legal requirements to successfully market and sell medical devices.


REFERENCES

1. "Medical Industry Lax on Internet Security," The Detroit News, 12 February 1999.
2. "Private Medical Records Faxed to Pub," BBC News, 12 April 2001.
3. "Lilly Released Patients' E-Mail Addresses," Los Angeles Times, 5 July 2001.
4. Department of Health and Human Services, "Standards for the Privacy of Individually Identifiable Health Information," Federal Register, 65 FR:82461–82829, December 28, 2000.
5. Department of Health and Human Services, "Individually Identifiable Health Information; Privacy Standards," Health Insurance Portability and Accountability Act of 1996, PL 104-191, August 21, 1996.
6. Department of Health and Human Services, "Standards for Security and Electronic Signatures," Federal Register, 63 FR: 43241–43280, August 12, 1998.
7. Children's On-Line Privacy Protection Act of 1998, U.S. Code, vol. 15, sec. 6501.
8. Directive on Data Protection, 95/46/EC, October 24, 1995.
9. Safe Harbor Privacy Principles (Washington, DC: Department of Commerce, 2000); available from Internet: http://www.export.gov/safeharbor/sh_documents.html.
10. Personal Information Protection and Electronic Documents Act of 2000, c.5 (Canada).

Edward J. Green is a partner and Lisa J. Acevedo is a senior associate in the health law department of the law firm Foley & Lardner (Chicago).

Copyright ©2001 MX