Regulations

The End Of The EU-U.S. Data Protection Framework?

French Parliament Member Philippe Latombe has submitted a direct citizen application which presents two challenges to the EU-U.S. Data Privacy Framework (DPF): one seeks to immediately suspend the agreement, while the other questions its content. The Parliament Member contends that the text breaches the EU’s Charter of Fundamental Rights and the GDPR due to U.S. mass surveillance and bulk collection of personal data. This action marks the beginning of a series of potential legal challenges.

A New Transatlantic Data Bridge: The UK-U.S. Data Bridge

The United Kingdom and the United States finalized an agreement on September 21st regarding the UK-U.S. Data Bridge, which will come into effect on October 12th and effectively extends the EU-U.S. Data Privacy Framework to the UK.

However, this data bridge is in a delicate position. The challenge against the EU-U.S. DPF could prompt the UK to reassess its standards for the privacy of UK personal data in the U.S., potentially leading to the annulment of the data bridge.

Publication Of A Pre-Market Guidance For Machine Learning-Enabled Medical Devices

The Canadian Government has released a draft guidance document concerning machine learning-enabled medical devices (MLMDs). This guidance aims to provide manufacturers with a clear framework for demonstrating the safety and effectiveness of MLMDs, whether for an initial application or for an amendment to an existing medical device licence. It explains how essential principles, including transparency, apply to MLMDs and offers guidance on their implementation.

Data Protection Principles For Telehealth

The American Telemedicine Association (ATA) has published Health Data Privacy Principles specifically tailored to telehealth utilization. These Principles comprise six key components: consistency, the definition of consumer health data, the Health Insurance Portability and Accountability Act (HIPAA), consumer rights, consumer consent, sale of data and opt-out, and enforcement. The aim of these Principles is to ensure that telehealth practices meet standards for patient safety, data privacy, and information security, all while advancing patient access and raising awareness of telehealth practices.

PETs - Privacy Enhancing Technologies

PETs Use In Healthcare Analysis

Protected Health Information (PHI) can be used for big data analytics with the aim of advancing medical research, but the security of, and controlled access to, these data must be guaranteed. Privacy-Enhancing Technologies (PETs) could address this issue, as they can assist in de-identifying the data and thereby support privacy compliance and data security. Three types of PETs are recommended: algorithmic, architectural, and augmentation PETs. Among the algorithmic PETs, three are mentioned: homomorphic encryption, differential privacy, and zero-knowledge proofs.

Artificial Intelligence

The Necessity Of AI Incident Response Plans

Organizations can implement an AI Incident Response Plan to manage the consequences of AI failures. Failures can fall into one or more of the following categories: security, unauthorized outcomes, discriminatory outcomes, privacy violations, physical safety, and lack of transparency and accountability. To implement an AI Incident Response Plan, an organization first needs to understand the AI system and how it works, and to conduct an inventory of it. Afterward, the classical steps of a cybersecurity incident response plan can be followed, adapted to the specifics of the AI system.

Cybersecurity

NIST's Recommendations About The HIPAA Security Rule

The U.S. National Institute of Standards and Technology (NIST) published a new draft of the “Cybersecurity Resource Guide for Implementing the HIPAA Security Rule”. The guidance provides the key elements of a risk assessment, which is required to identify conditions under which electronic Protected Health Information (ePHI) could be used or disclosed without proper authorization, improperly modified, or made unavailable when needed. The guide also points organizations to the Security Risk Assessment (SRA) Tool for performing that risk assessment.

Update Of The Security Risk Assessment (SRA) Tool

The SRA Tool, provided jointly by the U.S. Office of the National Coordinator for Health Information Technology and the Department of Health and Human Services' Office for Civil Rights, is designed to assist healthcare providers in conducting the security risk assessments mandated by the HIPAA Security Rule. However, it is important to note that this tool is meant solely for informational purposes and should not be the sole basis for a comprehensive risk assessment. Notably, the SRA Tool has been updated to include a glossary, tooltips, and the latest 2023 edition of Health Industry Cybersecurity Practices.

The Influence Of SEC's Cyber Incident Disclosure Rule On The Healthcare Industry

The Securities and Exchange Commission (SEC) has adopted its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. This rule impacts public entities, including organizations in the healthcare sector. Within four business days, these entities will need to assess the significance of a cybersecurity incident to shareholders and be able to describe the nature, scope, timing, and likely impact of the incident. The deadline can only be extended if the U.S. Attorney General deems that disclosure would pose a risk to national security.

Data Privacy Enforcement

Info Blocking Enforcement For Health IT Entities

As of September 1st, penalties have been imposed for information blocking practices by Health IT entities. Information blocking practices refer to actions taken by entities that impede the access, exchange, or utilization of electronic health information. These entities encompass health IT developers with certified health IT, entities providing certified health IT, health information exchanges, and health information networks. Complaints are reviewed by the Department of Health and Human Services (HHS) Office of Inspector General (OIG), and penalties for violations can amount to as much as $1 million per violation.

Healthcare Plan's HIPAA Infringement

Following investigations by the HHS Office for Civil Rights (OCR), LA Care, a health plan based in Los Angeles, settled for $1.3 million and implemented a corrective action plan (CAP). The OCR identified several potential HIPAA violations, including a failure to implement adequate security measures to mitigate risks to electronic protected health information (ePHI) and a failure to conduct an accurate risk analysis. To address these potential shortcomings, the CAP mandates the completion of an accurate and thorough risk analysis and the implementation of a risk management plan.

Class-Action Lawsuit Arising From Data Sharing By Smart Health Devices

A class-action lawsuit is currently in progress against Medtronic. The complaint alleges that Medtronic unlawfully shared personal data collected by its app and smart insulin pens with third-party advertisers, including Google. The data in question includes personally identifiable information and protected health information. The lawsuit contends that this data was shared for marketing and analytics purposes without obtaining the express and informed consent of the users.
