August 22, 2019

August 22, 2019

Subscribe to Latest Legal News and Analysis

August 21, 2019

Subscribe to Latest Legal News and Analysis

August 20, 2019

Subscribe to Latest Legal News and Analysis

Free the Data! . . . Better Think Twice . . . . Legal Issues regarding Data Sharing and Secondary Data Use

Data is king!  A robust privacy, security, and data governance approach to data management can position an organization to avoid pitfalls and maximize value from its data strategy. In fact, some of the largest market cap firms have successfully harnessed the power of data for quite some time.  To illustrate this point, the Economist boldly published an article entitled “The world’s most valuable resource is no longer oil, but data.”  This makes complete sense when research shows that 90% of all data today was created in the last two years, which translates to approximately 2.5 quintillion bytes of data per day.

This same trend has taken hold in the healthcare industry as it seeks to rapidly digitize and learn from data in order to bend the cost curve down, increase the quality of outcomes, and improve overall population health.  Specifically, there is certainly an ever-growing pool of health data being generated by providers, payors, life sciences companies, digital health companies, diagnostic companies, laboratories, and a cornucopia of other entities.  Recent estimates indicate that the volume of healthcare data is growing rapidly as evidenced by 153 exabytes produced in 2013 and an estimated that 2,314 exabytes will be produced in 2020.  This translates to an overall rate of increase at least 48 percent annually.  But, to what end?

The rapid production and aggregation of data is being met with increasing demand to access and analyze this data for a variety of purposes.  Life sciences companies want access to conduct pre-market analysis, clinical trials, and post-market surveillance.  Providers want access to conduct population health research.  AdTech and marketing companies want it to . . . you guessed it . . . sell more things.  These examples are just the tip of the proverbial iceberg when it comes to the secondary data analytics market.

Nevertheless, there are various issues that must be addressed before aggregating, sharing and using such data.

First and foremost, identifiable health data is typically treated as a sensitive class of information warranting protection.  As such, entities should consider whether their intended activities must comply with applicable privacy and security regulations.  Depending on the data being collected, the use and disclosure of such data, and the jurisdictions within which data is stored and processed, entities may be subject a wide array of legal obligations, including one or more of the following:

  • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

  • the Common Rule

  • the EU General Data Protection Regulation (“GDPR”)

  • 42 C.F.R. Part 2

  • State data protection and breach laws and regulations

  • Food and Drug Administration (“FDA”) regulations; or

  • Federal Trade Commission (“FTC”) regulation.

Second, entities must consider contractual obligations, including property rights governing data collection, aggregation, use, and disclosure.  The contractual obligations that should be evaluated will depend largely on the nature of the data collected, contemplated uses and disclosures of such data and the applicable laws and regulations relative to such collection, use, and disclosure.  Accordingly, entities should also consider the impact of upstream agreements and downstream agreements on rights to collect, use or disclosure data through the chain of custody.  Agreements that warrant considering may include:

  • Master Services Agreements

  • Data Use Agreements

  • Business Associate Agreements

  • Data Sharing Agreements

  • Confidentiality/Non-disclosure Agreements

  • Terms of Use/Privacy Policies (and other representations made to consumers).

Third, even if collection, aggregation, and analysis is possible under law/regulation and contract, companies must still consider whether additional data governance principles should be implemented to guide responsible data stewardship.  It is critical to remember that businesses that mishandle personal data can lose the trust of customers and suffer irreparable reputational harm. To mitigate against such issues, entities should consider developing data governance principles guided by fair information practices including openness/transparency, collection limitation, data quality, purpose specification/use limitation, accountability, individual participation, and data security.

©2019 Epstein Becker & Green, P.C. All rights reserved.

TRENDING LEGAL ANALYSIS


About this Author

Patricia M. Wagner, Epstein becker green, health care, life sciences
Member

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

Advising clients on a variety of matters related to federal and state antitrust issues 

Representing clients in antitrust matters in front of the Federal Trade Commission and the United States Department of...

202-861-4182
Alaap Shah Attorney Healthcare Life Sciences
Member

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling of health care entities on legal and regulatory compliance issues. He has extensive experience with legal issues related to health information technology, HIPAA, HITECH, anti-kickback laws, the False Claims Act, breach of contract issues, business torts, and a variety of unfair competition laws. He has established compliance programs, conducted privacy and security risk assessments, established trust networks, responded to data breaches, and managed e-discovery issues.

Mr. Shah is a Certified CSF Practitioner, a designation given by the Health Information Trust Alliance (HITRUST), an organization that provides training to develop and maintain effective security programs for health care and life sciences companies that comply with security laws, regulations, and standards, including HITECH, HIPAA, PCI, JCAHO, CMS, ISO, NIST, and various other federal, state, and business requirements. He is also recognized by the Healthcare Information and Management Systems Society (HIMSS) as a Certified Professional in Healthcare Information and Management Systems (CPHIMS).  Mr. Shah is also recognized by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in the United States.

Mr. Shah began his legal career at Epstein Becker Green. Before rejoining the firm in October 2017, he served as Senior Counsel and Chief Privacy and Security Officer at an oncology membership society where he strengthened enterprise-wide privacy and security, helped establish a big data initiative focused on improving quality of care by harnessing cancer patient medical information, and built data sharing trust networks among the oncology community.

During law school, Mr. Shah worked with the U.S. Department of Health and Human Services (DHHS), Office of General Counsel, where he provided legal counsel and support to all agencies and programs under the Public Health Division of DHHS. Prior to law school, Mr. Shah worked as a research technician at cancer treatment and research institution in New York City, where he helped manage a laboratory and conducted cancer immunology research, and his contributions led to the publication of 13 journal articles.

202-861-5320