Newly introduced bill could provide for additional protections for biological data collected by non-covered entities

Over the past few years, genetic testing services have become a widespread phenomenon. Companies providing these services gather certain biological data from consumers who sign up for their services and then analyze this data to ascertain information about the consumer’s ancestry and/or genetic traits, among other things. These companies, however, are typically considered “non-covered entities” (NCEs), meaning the Health Insurance Portability and Accountability Act (HIPAA) generally does not apply to nor protect the collected biological data. This presents a whole host of issues, particularly with respect to the question of how we ensure the data remains protected. Biological data of this nature is susceptible to breaches in light of the format in which it is stored, and some genetic testing companies are disclosing this data to pharmaceutical companies to facilitate research and the development of new drugs.

In July of 2016, the Department of Health and Human Services (DHHS) issued a report entitled “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA” in which it highlighted this gap in the current legal landscape—the gap where HIPAA ends and modern technology begins. The report focused on two categories of NCEs: “mHealth technologies” and “health social media”:

“The former includes entities that collect or deal in personal health records (PHRs) and cloud-based or mobile software tools that intend to collect health information directly from individuals and enable sharing of such information, such as wearable fitness trackers. The latter includes internet-based social media sites on which individuals create or take advantage of specific opportunities to share their health conditions and experiences.”

Relevant here, the report specifically examined the differences in the security and disclosure standards applicable to covered and non-covered entities, such as the “mHealth technologies” and “health social media” organizations.

Now we fast-forward to June of 2019. Just last month, Senator Amy Klobuchar introduced the Protecting Personal Health Data Act (S. 1842, 116th Congress). The Act specifically applies to “consumer devices, services, applications, and software,” which include “direct-to-consumer genetic testing services.” The Act calls for the Secretary of HHS to “promulgate regulations to help strengthen privacy and security protections for consumers’ personal health data that is collected, processed, analyzed, or used by consumer devices, services, applications, and software.” It also explicitly requires that, in promulgating these regulations, the Secretary keep a number of enumerated considerations in mind, as well as those points outlined in the initial 2016 DHHS report, which is referenced in the Act. If passed, the Act would also provide for the creation of a 15-member task force to monitor and contribute to the development of such regulations and standards.

While it is still very early on in the legislative process, the Act’s introduction will (hopefully) further a very important conversation among legislators regarding the current state of the protections afforded to biological data, and the protections that still need to be implemented to keep up with the modern age. The Act was referred to the Committee on Health, Education, Labor, and Pensions. You can track the Act’s progress here.

HIPAA-Regulated Entities Take Notice – States are Teaming Up on Enforcement

In an unprecedented settlement arising from a federal lawsuit in the U.S. District Court for the Northern District of Indiana, a medical software provider agreed to pay $900,000 to 16 state attorneys general (AGs) for alleged violations of a conglomerate of state and federal privacy laws. The settlement represents the resolution of the first-ever multistate data breach suit based on alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as state deceptive trade practices acts, state personal information protection acts, and state breach notifications acts. The matter arose out of a 2015 data breach, in which an Indiana-based electronic health record software provider and its subsidiary (the “EHR Provider”) discovered that hackers used a compromised user ID and password to access the electronic protected health information (“ePHI”) of approximately 3.5 million individuals whose health care providers used the EHR Provider’s software. The information exposed by the breach included names, dates of birth, Social Security numbers, and clinical information.

Continue Reading

Join Us: Free CLE Webinar on U.S., German Approach to Trade Secrets Protection

Reed Smith will be hosting an upcoming CLE webinar, “Germany discovers trade secret protection! A comparative dive into the German and U.S. approach” on Tuesday, June 25, 2019 at 12 p.m. BST and again at 12 p.m. ET.

Trade secrets and technical know-how represent valuable assets, especially for industries like the life sciences. Until recently, the legal protection afforded to these assets was inconsistent or inadequate. The U.S. Federal Defend Trade Secrets Act and the European Trade Secret Directive are a testament to the fact that legislators finally recognized the problem and took action.

In the wake of the new German Trade Secrets Act, our partners Anette Gärtner and Jennifer Yule DePriest will ask:

  • Do you have adequate measures in place to safeguard confidentiality of your secrets?
  • If a third party nonetheless misappropriates them, which remedies will be available to you?

This webinar takes a comparative German/U.S. approach and is relevant for all companies that do business in either of these jurisdictions.

This program is presumptively approved for 1.0 general CLE credit in California, Illinois, New Jersey, Pennsylvania, Texas and West Virginia. For lawyers licensed in New York, this course is eligible for 1.0 credit under New York’s Approved Jurisdiction Policy.

You can register by clicking here.

DOJ Issues Opinion on FDA Jurisdiction Over Articles Used in Lawful Executions

The Department of Justice’s (DOJ) Office of Legal Council (OLC) released an opinion in May 2019 addressing the Food and Drug Administration’s (FDA) jurisdiction over drugs used in capital punishment. A result of a request by the U.S. Attorney General’s Office, the OLC issued an opinion following years of conflict around the use of sodium thiopental in executions. Most importantly, the OLC concluded that the FDA does not have jurisdiction over such articles, and this opinion raises a number of questions regarding FDA’s jurisdiction in other contexts.

To continue reading, please visit reedsmith.com.

Munich Regional Court Clarifies When Claims for Transfers of Patents Become Time-Barred

Germany is one of the most important patent litigation jurisdictions in Europe, making developments in its patent law very important to life sciences companies operating globally. In recent years, the number of cases regarding claims for the transfer of patents has risen steadily in Germany. If an application is filed by someone who is not entitled to the patent, the inventor (or his successor) can demand that the application or granted patent be transferred to him.

When does that transfer claim become time-barred: Three years, or thirty years after the application has been published?  In a recent judgment, the Munich Regional Court discussed this question in considerable detail. The relevant period is just three years – a decision with significant implications. Life sciences companies need to be aware that they must enforce any such claims on an expedited time frame. Depending on the perspective (claimant or defendant?), this is good or bad news. In any event the Munich decision clarifies the legal situation. For more information, see our case note in the upcoming issue of Medizin Produkte Recht. Please note that the article is in German.

Five Key Takeaways from OCR’s Proposed Rule to Scale Back the Non-Discrimination Requirements Applicable to Health Care Entities

The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) recently issued a proposed rule (Proposed Rule) that would significantly scale back the non-discrimination regulations applicable to health care entities under the authority of Section 1557 of the Affordable Care Act (ACA). This Proposed Rule, issued on May 24, 2019 and scheduled to be published in the Federal Register June 14, 2019, would limit to whom and how Section 1557’s non-discrimination provisions apply, how they will be enforced, and what activities will be required to demonstrate compliance. Entities covered by Section 1557 will need to know what the Proposed Rule would change, what would remain the same, and what OCR may emphasize in the future as it takes a new position on nondiscrimination enforcement. Here are five key takeaways.

Continue Reading

OCR Clarifies Direct Liability of Business Associates Under HIPAA

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new fact sheet outlining and clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. Published shortly after the release of new guidance from OCR in the form of FAQs, the new fact sheet signifies another example of OCR’s recent efforts to clarify new and outstanding questions from the ever-evolving health care industry.

In the new fact sheet, OCR first recalls the procedural history by which the application of certain aspects of HIPAA extended to business associates – the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and OCR’s 2013 Final Rule modifying the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, which dramatically extended to business associates the need to comply directly with the HIPAA Security Rule and significant aspects of the HIPAA Privacy Rule. Since that time, business associates have made efforts to comply with these HIPAA requirements but with little insight as to whether OCR will come after them (as opposed to their covered entity counterparts) for HIPAA violations, and if so, the types of violations OCR will enforce against business associates.

Continue Reading

CNIL Imposes Penalty to Optical Center; French Highest Administrative Court Reduces Amount

Life sciences companies doing business in France will be interested in the recent results of Optical Center’s appeal of a penalty assessed by the Commission nationale de l’informatique et des libertés, the French data protection authority, surrounding a data breach. The data breach allowed access to invoices and purchases containing personal and sensitive customer data. Optical Center appealed the initial 250,000 euro penalty, and the French Highest administrative Court (Council of State) lowered the penalty fee to 200,000 euros. The possibility to file an appeal following a decision by the CNIL may be considered a strategic option for companies operating in France.

To read more on this recent update, please visit technologylawdispatch.com.

Health Apps and HIPAA – Recent FAQs Highlight Importance of Covered Entities and Business Associates Scrutinizing their Relationships with App Developers

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of HIPAA FAQs addressing the applicability of HIPAA to certain health apps and the covered entities and business associates that interact with them. These FAQs build upon prior guidance from OCR that outlined the framework for evaluating whether a health app developer must comply with HIPAA, but tackle a different question – when are covered entities or business associates liable under HIPAA for the subsequent misuse of electronic protected health information (ePHI) by a health app developer?

To answer questions about an app developer’s HIPAA obligations, OCR’s prior guidance focused on the direct-to-consumer nature of the app. OCR concluded that if the patient initiated use of the app, or brought the app to his or her health care provider (i.e., a covered entity), the app developer would not be considered a business associate of that covered entity. Notably, OCR also did not consider the existence of an interoperability agreement between the patient’s health care provider and the app developer to change this analysis. By contrast, in circumstances where a health care provider contracts with the app developer for purposes of patient management services, or for remote patient health counseling, monitoring, or messaging services, and the provider recommends its patients to download the app, then OCR considers the app developer a business associate of the covered entity.

OCR’s new FAQs extend upon this discussion of the business associate relationship between a covered entity and app developer, and highlight the vicarious liability faced by a covered entity if and when an impermissible use or disclosure of ePHI involves the app. The new FAQs reiterate that if the app was not provided by or on behalf of the covered entity, then the covered entity will not be liable for a breach of any information later experienced by the app. However, if the app was developed for, or provided for or on behalf of, the covered entity, then the covered entity could be held responsible for an impermissible use or disclosure of the ePHI in the app. In other words, if OCR determines that an app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity for its patients, then the app developer is a business associate of the covered entity, and the covered entity may be liable for an impermissible use or disclosure of ePHI in connection with the app. Importantly, according to the FAQs, the same logic applies to business associates who engage app developers on behalf of covered entities.

Yet, OCR appears to miss a critical element in its analysis of liability to be imposed on a covered entity when a business associate runs afoul of its HIPAA obligations, or on the latter when a business associate subcontractor violates HIPAA. With the promulgation of the Health Information Technology for Economic and Clinical Health Act (HITECH) Final Rule, covered entities became liable for the actions of their business associates, but only so long as a federal common law relationship of agency exists between the two.1 As a result, HITECH made covered entities significantly more responsible for the actions of their business associates, but with careful consideration that not all business associates would be considered agents of covered entities. According to OCR, the agency relationship would be a fact-specific determination, taking into account the terms of the BAA as well as the totality of the circumstances of the relationship between the two entities.

Now, with its recently released FAQs, OCR has signaled its intention to pay closer attention to the fault attributable to a covered entity when a business associate breaches the integrity or security of a patient’s ePHI. The requirement for an agency relationship between the covered entity and business associate places some guardrails around the possibility of vicarious liability, but also makes the need to clearly define the relationship between the parties critically important. OCR’s new focus reflects the importance of covered entities identifying their business associates correctly and contracting with them appropriately.

From a practical perspective, this is not as easy as it may sound. Health care providers and other entities in the health care industry are becoming structurally more complicated as many such entities no longer act solely as HIPAA-covered entities or business associates. For example, health care providers may provide technology and related services as a business associate to other covered entities. Or, as another example, a covered entity could have a dual relationship with another covered entity: one relationship where they exchange ePHI to provide health care to mutual patients and another where they act as a business associate. Moreover, covered entities and business associates may be hybrid entities when they provide technology and related services as part of and separate from their HIPAA-regulated roles.

The technology arrangements may also be complicated and tangle the agency analysis assessing the potential risk of vicarious liability. Application developers may provide technology solutions with various levels of interaction with HIPAA-regulated entities, including off-the-shelf, configurable, or fully customized products and services. The technological details of the solution may be integral to the agency analysis for vicarious liability. For example, is an agency relationship created when an entity is providing a cloud-based platform that has a standard foundation for all customers but includes the ability for both the application developer and the covered entity to configure and customize some portions of it? Is a covered entity insulated from vicarious liability if it uses a technology solution that it can configure for its purposes, but exposed to vicarious liability if it requests customizations from an application developer that will have the exact same result? Should a covered entity use out-of-the-box technology solutions that may not ideally fit its business operations (possibly creating risk) rather than work with a third party to build a solution that better meets its operational objectives but increases the risk of vicarious liability?

We work with HIPAA-regulated entities to analyze how these relationships with technology providers can impact their HIPAA risk exposure. These FAQs seem to further muddy an already murky legal analysis by ignoring the critical agency element limiting the applicability of vicarious liability, and emphasize that HIPAA-regulated entities should pay close attention to whether they are creating an agency relationship with technology providers. Such entities may significantly increase their HIPAA-related risk if they treat technology-related agreements as business-as-usual deals. While the legal agency analysis can be complicated, they should thoroughly understand the parties’ roles, the technology involved, the actual tasks performed by the application developers, and other factors so they can accurately assess the potentially significant impact on their HIPAA risk exposure from using technology provided by third parties.


1 45 CFR 160.402(c)(1). Interestingly, in another FAQ that predates HITECH, but was reviewed by OCR subsequent to the HITECH Final Rule, OCR did not consider a covered entity to be liable for, or required to monitor, the actions of its business associates if the parties had signed a business associate agreement (BAA), and the covered entity took reasonable steps, to cure a breach in the event one occurred.

HHS Reconsiders Penalty Structure for HIPAA Violations, Imposes Annual Limits based on “Level of Culpability”

On Friday, April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) filed a Notice of Enforcement Decision (the “Notice of Enforcement”), confirming the agency’s reconsideration of its prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s (the “HITECH Act’s”) penalty structure. In doing so, HHS announced the abandonment of a previous annual penalty cap that did not vary based on an entity’s level of culpability.

Effective immediately, the maximum penalty that the HHS Office for Civil Rights (“OCR”) will impose for a particular violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that occur within a single calendar year has been generally, and significantly reduced. Except for violations that are due to a regulated entity’s willful neglect and have not been timely corrected (which maintain the annual penalty limit of $1.5 million), OCR will impose a lesser annual limit to violations that occur (a) without a regulated entity’s knowledge – and with reasonable diligence it would not have known about the violation; (b) due to reasonable cause and not willful neglect; and (c) due to willful neglect that is timely corrected.

Continue Reading

LexBlog