Summary

Global data privacy and cybersecurity regulations continue to evolve, with challenges to the EU-U.S. Data Privacy Framework and the introduction of the UK-U.S. Data Bridge raising questions about transatlantic data transfers and compliance standards. New frameworks, such as Canada’s guidance for machine learning-enabled medical devices and the American Telemedicine Association’s privacy principles, emphasize security and transparency in emerging technologies like AI and telehealth. Meanwhile, enforcement actions like penalties for information blocking, HIPAA violations, and lawsuits against companies like Medtronic highlight the growing scrutiny on data misuse, reinforcing the need for robust compliance measures in healthcare and beyond.

Regulations

The End Of The EU-U.S. Data Protection Framework?

French Parliament Member Philippe Latombe has submitted a direct citizen application which presents two challenges to the EU-U.S. Data Privacy Framework (DPF): one seeks to immediately suspend the agreement, while the other questions its content. The Parliament Member contends that the text breaches the EU’s Charter of Fundamental Rights and the GDPR due to U.S. mass surveillance and bulk collection of personal data. This action marks the beginning of a series of potential legal challenges.

A New Transatlantic Data Bridge: The UK-U.S. Data Bridge

The United Kingdom and the United States finalized an agreement on September 21st regarding the UK-U.S. Data Bridge, which will come into effect on October 12th and effectively extends the EU-U.S. Data Privacy Framework to the UK.

However, this data bridge is in a delicate position. The challenge against the EU-U.S. DPF could prompt the UK to reassess its standards for the privacy of UK personal data in the U.S., potentially leading to the annulment of the data bridge.

Publication Of A Pre-Market Guidance For Machine Learning-Enabled Medical Devices

The Canadian Government has released a draft guidance document concerning medical devices that utilize machine learning (MLMDs). This guidance aims to provide manufacturers with a clear framework for demonstrating the safety and effectiveness of MLMDs, whether for an initial application or for an amendment to an existing medical device license. It explains how essential principles, including transparency, apply to these devices and offers guidance on the implementation of machine learning-enabled medical devices.

Data Protection Principles For Telehealth

The American Telemedicine Association (ATA) has published Health Data Privacy Principles specifically tailored to telehealth utilization. These Principles comprise six key components: consistency, the definition of consumer health data, the Health Insurance Portability and Accountability Act (HIPAA), consumer rights, consumer consent, sale of data and opt-out, and enforcement. The aim of these Principles is to ensure that telehealth practices meet standards for patient safety, data privacy, and information security, all while advancing patient access and raising awareness of telehealth practices.

PETs - Privacy Enhancing Technologies

PETs Use In Healthcare Analysis

Protected Health Information (PHI) can be used for big data analytics with the aim of advancing medical research, but the security of, and controlled access to, these data must be guaranteed. Privacy-Enhancing Technologies (PETs) could address this issue, as they can assist in de-identifying the data, thereby supporting privacy compliance and data security. Three types of PETs are recommended: algorithmic, architectural, and augmentation PETs. Among the algorithmic PETs, three are mentioned: homomorphic encryption, differential privacy, and zero-knowledge proofs.

Artificial Intelligence

The Necessity Of AI Incident Response Plans

Organizations can implement an AI Incident Response Plan. This plan assists in managing the consequences of AI failures. Failures can fall into one or more of the following categories: security, unauthorized outcomes, discriminatory outcomes, privacy violations, physical safety, and lack of transparency and accountability. To implement an AI Incident Response Plan, one needs to understand the AI system and how it works, and to maintain an inventory of it. Afterward, the classical steps of a cybersecurity incident response plan can be followed, but they must be adapted to the specifics of the AI system.

Cybersecurity

NIST's recommendations about the Security Rule of HIPAA

The U.S. National Institute of Standards and Technology (NIST) published a new draft of the “Cybersecurity Resource Guide for implementing the HIPAA Security Rule”. The guidance provides key elements for a risk assessment, which is required to identify conditions under which electronic Protected Health Information (ePHI) could be used or disclosed without proper authorization, improperly modified, or made unavailable when needed. The guide also refers organizations to the Security Risk Assessment (SRA) Tool to help them perform their risk assessment.

Update Of The Security Risk Assessment (SRA) Tool

The SRA Tool, provided jointly by the Office of the U.S. National Coordinator for Health Information Technology and the Department of Health and Human Services' Office for Civil Rights, is designed to assist healthcare providers in conducting security risk assessments as mandated by the HIPAA Security Rule. However, it's important to note that this tool is meant solely for informational purposes and should not be the sole basis for conducting a comprehensive risk assessment. Notably, the SRA Tool has been updated to include a glossary, tooltips, and the latest 2023 edition of Health Industry Cybersecurity Practices.

The Influence Of SEC's Cyber Incident Disclosure Rule On The Healthcare Industry

The Securities and Exchange Commission (SEC) has adopted its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. This rule impacts public entities, including organizations in the healthcare sector. Within four business days, these entities will need to assess the significance of cybersecurity incidents to shareholders and be able to describe the nature, scope, timing, and likely impact of the incident. The deadline can only be extended if the U.S. Attorney General deems the incident to be a risk to national security.

Data Privacy Enforcement

Info Blocking Enforcement For Health IT Entities

As of September 1st, penalties have been imposed for information blocking practices by Health IT entities. Information blocking practices refer to actions taken by entities that impede the access, exchange, or utilization of electronic health information. These entities encompass health IT developers with certified health IT, entities providing certified health IT, health information exchanges, and health information networks. Complaints are reviewed by the Department of Health and Human Services (HHS) Office of Inspector General (OIG), and penalties for violations can amount to as much as $1 million per violation.

Healthcare Plan's HIPAA Infringement

Following investigations by the HHS Office for Civil Rights (OCR), LA Care, a health plan based in Los Angeles, settled for $1.3 million and implemented a corrective action plan (CAP). The OCR identified several potential HIPAA violations, including a failure to implement adequate security measures to mitigate risks to electronic protected health information (ePHI) and a failure to conduct an accurate risk analysis. To address these potential shortcomings, the CAP mandates the completion of an accurate and thorough risk analysis and the implementation of a risk management plan.

Class-Action Lawsuit Arising From Data Sharing By Smart Health Devices

A class-action lawsuit is currently in progress against Medtronic. The complaint alleges that Medtronic unlawfully shared personal data collected by its app and smart insulin pens with third-party advertisers, including Google. The data in question includes personally identifiable information and protected health information. The lawsuit contends that this data was shared for marketing and analytics purposes without obtaining the express and informed consent of the users.
