06 Feb Part 3 – Top Legal Considerations for Health Tech Digital Solutions: Data Security & Privacy

The NOLA Health Innovators Challenge concludes in March with a pitch competition during New Orleans Entrepreneur Week. As judges from around the country are selecting finalists, Parker N. Smith & David C. Rieveschl of Stone Pigman Walther Wittmann L.L.C. explain how data strategies are important for health tech startups. (Part 1 focuses on intellectual property, and part 2 dives deeper with copyrights, patents and trademarks.)

The Health Tech sector is growing at an extraordinary pace, with more than $4.5 billion in venture capital invested in 2017 alone. This growth is expected to continue as demographic shifts, evolving patient expectations, labor cost increases and a growing prevalence of chronic diseases drive the need for innovation. Businesses, from IBM Watson Health to local startups, are looking to meet this need through the application of emerging technologies such as artificial intelligence, Big Data analytics, Internet of Things applications, point-of-care diagnostics and telehealth, to name a few. These businesses are not only set to improve their bottom lines but, also, are benefiting patients with improved healthcare delivery, consumption and payment solutions.

Businesses should consider the myriad legal issues that may come into play as they seek to make their mark on the Health Tech sector. This installment of “Top Legal Considerations for Health Tech Digital Solutions” focuses on using data the right way.

Data Security & Privacy Generally

Data is increasingly recognized as a key business asset in today’s digital economy, as advances in analytics drive the utilization of the quintillions of bytes of data produced every day. Specifically, companies are utilizing data to: (1) improve decision making (e.g., behavioral targeting); (2) drive operational improvements (e.g., “smart” products); and (3) generate value directly (e.g., licensing).

Data’s potential importance is readily apparent in the Health Tech space. Data is an essential ingredient for, among other things, machine learning applications that improve diagnostics, Electronic Health Records (EHR) systems that facilitate communication efficiency, and telehealth services that provide for remote personalized care.

Although such advances have the potential to benefit a variety of businesses in the Health Tech sector, each company must consider data opportunities in light of its specific resources and business needs. As a result, before jumping into the mechanics of a data policy (and the data security and privacy issues that come with it), a company should outline the goals it hopes to achieve by leveraging data.

Data Capture

Once a Health Tech company outlines its goals, it can begin to identify data sources and collection methods to meet such goals. In doing so, the company should take a strategic approach to the data it collects, focusing on the right data (not all data). By taking such an approach, the company may both lessen its operational costs and avoid unnecessary legal risks associated with data security and privacy laws.

Legal risks associated with data capture largely depend on the kind of data captured. Such category-specific risks are more noteworthy in industries that involve sensitive consumer or end-user information (e.g., health data), because that type of information is often heavily regulated.

In the U.S., one of the most significant laws affecting Health Tech companies’ captured data is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, among other things, requires certain persons who create, receive, maintain or transmit electronic protected health information to comply with privacy, security and data breach notification obligations. Although significant, such obligations are only some of the various laws Health Tech companies need to consider before capturing end-user data.

Often, when capturing end-user data (for example, through a website or mobile app), a Health Tech company needs to make available a privacy policy that explains to such persons: (1) what information it collects; (2) how it collects that information; (3) how it uses that information; (4) how it shares that information with third persons; and (5) how it protects that information. A privacy policy may also contain certain notices and information mandated by law as well as contractual protections for the company.

Importantly, Health Tech companies should not view their privacy policies as a mere technicality. Instead, they should make sure any privacy policies are accurate and are being followed by their personnel, especially while any applicable data is stored on company systems.

Data Storage

In addition to legal risks associated with capturing specific data, Health Tech companies need to consider special issues surrounding data storage. Most notably, regardless of whether data is stored on local hardware or through cloud services, companies need to determine the security measures to put in place to reduce the risk that stored data will be compromised.

Data storage should be in line with appropriate data security standards. While data security standards are often set by contract or to mitigate risk exposure, some standards are imposed by applicable laws, like HIPAA. Such laws may not only tell a company how to protect sensitive data but, also, may instruct a company on what to do if its data security is breached. For this reason, companies should create a comprehensive written information security policy (WISP), including a breach response plan, that takes into account related legal requirements.

The next post will explore data retention, analytics and transfers.