*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020) (Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.
Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.
As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.
Through almost the first three quarters of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has settled three cases related to alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”), totaling $1,165,000. These settlements underscore OCR’s continued focus on enforcement of the HIPAA Security Rule.
Sidley partnered with Aon’s Cyber Solutions for an exclusive webinar for life sciences organizations to address developments in digital health and cybersecurity in light of some key trends affecting the industry today.
The speakers discussed the latest in digital health and how to better understand and mitigate cyber risk, as well as protect life sciences organizations’ highly valuable and sensitive data.
On July 13, the Department of Health and Human Services’ Substance Abuse and Mental Health Services (“SAMHSA”) announced final revisions to the Confidentiality of Substance Use Disorder Patient Records regulation codified at 42 CFR Part 2 (so-called “Part 2” regulations). These regulations—which apply to certain information relating to patients being treated for substance use disorders (“SUDs”)—impose restrictions above and beyond those in the Health Insurance Portability and Accountability Act (“HIPAA”). While the final rule does not fundamentally change the basic requirements of the Part 2 regulations, it relaxes some of the restrictions the regulations impose on holders of Part 2 information, in particular, to facilitate care coordination.
*Article first appeared in The Hill on June 13, 2020.
Concerns over the use of location tracking and contact tracing of infected individuals to help mitigate the spread of COVID-19 have once again placed “privacy” at the forefront of public attention. And even though Congress declared privacy to be a fundamental right in 1974, it established no cabinet office or institutional framework to focus on the role of data protection and digital technology in our society. Consequently, during these days of COVID-19, there is no senior government official responsible for taking account of and balancing the trade-offs between privacy and public health.
The novel COVID-19 global pandemic continues to raise numerous issues for employers and consequences for employees across all industries. This situation is without precedent in modern times and is extremely dynamic with rapidly occurring new developments, guidance and issues that will impact employers. In this webinar, we consider the privacy and employment law issues for employees returning to work, and discuss strategies to deal with this situation in a holistic and coordinated manner.
On April 30, 2020, four Republican Senators announced plans to introduce the COVID-19 Consumer Data Protection Act. The four Senators, John Thune (R-S.D.), Roger Wicker (R-Miss.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.), are all Members of the Commerce Committee, with Wicker the Committee’s chair.
According to the April 30 Senate press release regarding the COVID-19 Consumer Data Protection Act, the legislation would “provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data” for data processing related to fighting the COVID-19 pandemic. The press release also states that the bill would “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.” Under the bill, covered purposes include “(1) collecting, processing, or transferring the covered data of an individual to track the spread, signs, or symptoms of COVID-19; (2) collecting, processing, or transferring the covered data of an individual to measure compliance with social distancing guidelines or other requirements related to COVID-19 that are required by federal, state, or local government order; (3) collecting, processing, or transferring the covered data of an individual to conduct contact tracing for COVID-19 cases.”
Since COVID-19 was declared a pandemic, the U.S. Department of Health and Human Services (“HHS”) and its Office for Civil Rights (“OCR”) have taken a variety of steps to relax HIPAA restrictions particularly pertinent to the COVID-19 response.
First, as covered in an earlier posting, HHS took action to waive penalties and assure companies that it would exercise enforcement discretion with respect to the Privacy Rule’s application to telehealth services and certain limited communication activities related to COVID-19 treatment efforts.
Ongoing confusion about lawful basis for data processing in a clinical study environment: European Data Protection Board and European Commission on the one hand and certain Member States on the other differ on the correct approach. Swiss sponsors operating clinical studies in the EU face ongoing uncertainty around the appropriate lawful basis for processing study subject personal data in spite of guidance being published by the European Commission and the European Data Protection Board.