Data is one of the most valuable assets in today’s economy. For example, in the health care industry, the volume of “health data”—which includes patients’ health, personal, and financial information—has been increasing by approximately 48 percent annually. That growth is being driven by major advances in the production and collection of health data; the wider adoption of novel technologies; the demand for personalized, high-quality care; and the need for health data analyses. Using health data to reduce costs, improve efficiency of operations, or enhance the quality and safety of patient care has become an escalating priority for health care organizations and industry stakeholders.
Data acquisition and governance is also growing in importance in human resource organizations. Employers are gathering data from employees (and consumers) at a rapid rate. Personal data, biometric data, performance management, and employee engagement inputs provide great opportunities to help companies manage their workforces, and the urge to use the data grows every day. Policies and procedures to protect and determine the appropriate use of data must keep pace with the newest technologies and methods. One mistake can lead to a breach, litigation, or damaged reputation in the marketplace.
Epstein Becker Green’s Privacy, Cybersecurity, and Data Asset Management Group has substantial experience advising human resource clients, clinical laboratories, payors, technology and digital health companies, physician practices, and health care systems with issues of data governance (i.e., the management of the availability, usability, integrity, and security of data) to meet compliance standards, while improving cost and efficiency.
Data Analytics & Data Sharing
The use of “data analytics” (which focuses on examining large data sets to gather useful information to help organizations make more educated business decisions) holds great promise to inform health care stakeholders about the quality and cost of a patient’s treatment journey. However, legal issues could prove to be a significant impediment. For instance, identifiable health data is typically treated as a sensitive class of information warranting protection. Depending on how the identifiable health data is being collected, health care stakeholders may be subject to a wide array of legal obligations under the laws and regulations governing the use and disclosure of that data. Also, obligations under upstream and downstream agreements could affect rights to collect, use, or disclose the data through the chain of custody.
In addition, predictive analytics are now commonplace in human resources. Who will be the best candidate to hire or promote? Who will succeed in your company? Who is most likely to leave and go to a competitor? These are all important questions—some of which might be answered by predictive data analysis. But these inquiries must be crafted carefully with legal guidance to prevent biased or discriminatory outcomes. Legally defensible outcomes may be unwittingly sacrificed to the latest technology fad unless they are tested and validated. This is both an exciting and potentially dangerous time for human resource management.
Our Privacy, Cybersecurity, and Data Asset Management Group has the knowledge and experience necessary to effectively guide employers through the laws and regulations affecting data analytics, predictive analytics, and data sharing—including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Federal Policy for the Protection of Human Subjects (also known as the “Common Rule”), the European Union’s General Data Protection Regulation (GDPR), 42 C.F.R. Part 2, emerging state data protection and breach laws and regulations, Food and Drug Administration (FDA) regulations, and/or Federal Trade Commission regulations—and to ensure that proper contractual protections relating to data collection, aggregation, use, and disclosure are in place.
Precision Medicine: A Case in Point
Precision medicine—a dynamic approach to the diagnosis, treatment, and prevention of disease that takes into consideration individual genetic variation, environment, and lifestyle—uses patient data (existing or created) to design patient-focused diagnoses and treatment plans. This new level of health care can only be achieved through the use of big data and continual development of more sophisticated bioinformatics and artificial intelligence. Collaborations between laboratories and diagnostics developers working in the precision medicine area are becoming more common, as companies explore innovative business models to speed development and share risks and rewards. But governmental oversight is also common, especially FDA oversight of medical devices, laboratory developed tests (LDTs), and Clinical Laboratory Improvement Amendments (CLIAs).
Epstein Becker Green’s Privacy, Cybersecurity, and Data Asset Management Group is comprised of attorneys with training and experience in many of the areas related to precision medicine, including genetics, public health, neuroscience, chemistry, clinical trials monitoring, Institutional Review Board (IRB) oversight, bioinformatics, next-generation sequencing testing, and human subjects’ protection regulations, as well as with all relevant FDA laws, regulations, and guidance.
Members of the Privacy, Cybersecurity, and Data Asset Management Group regularly provide clients with a full range of services relating to data governance, which includes, but is not limited to:
- Providing workforce management policies and training designed to protect organizations from loss of proprietary, competitive business information
- Advising on the international, federal, and state laws and regulations concerning data privacy, security, and breaches
- Reviewing vendor and contractor relationships and agreements for key protections
- Assisting clients with responses to government audits/investigations or private litigation
- Negotiating and drafting contracts with purchasers, sponsors, providers, contract sites, and principal investigators
- Counseling clients using data analytics on developing mechanisms to obtain appropriate data rights and safeguard all sensitive information they receive
- Advising clients on patient privacy and security laws and rules at the federal and state levels
- Advising clients on human research and privacy rules at the federal and state levels
- Advising clients on FDA laws, regulations, and data integrity guidance; the Common Rule; the GDPR; and CLIA oversight as applied to medical devices and LDTs
- Drafting IRB protocol and patient release and informed consent forms
- Counseling clients on business arrangements to offer profit sharing from intellectual property created due to participants’ samples and data
- Representing clients during EHR Incentive Program audits by the Centers for Medicare & Medicaid Services
- Researching the regulatory environment surrounding bioinformatics