Health Care Entities Look to Trends for Privacy Law Compliance, Experts Say
Focusing on trends can be a helpful way for health care companies to anticipate coming privacy laws and future compliance needs, said Kyle Rene, Whiteford Taylor lawyer, at a Health Care Compliance Association event Wednesday.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Not only are states “coming online with their own sets of data privacy laws” yearly, but statutes in individual states are “changing,” becoming “more complex” and “more demanding,” he said.
Accordingly, “It's helpful to understand ... trend lines” and what you can anticipate, both at the state level and globally, Rene added. This includes “keeping an eye out for new laws” as they're introduced. This could help anticipate “requirements that may apply” to your organization as laws “grow and evolve.”
Thresholds of applicability are important to track because they can provide an idea of what size businesses are the focus of regulation, he said.
“There are a lot of consistencies” in the concepts of HIPAA and other privacy laws as well, Rene added, which can help companies anticipate future compliance requirements.
On a separate panel, Iliana Peters, shareholder at the Polsinelli law firm, mentioned the “overlap” between state and federal laws. Companies must be ready to deal with “the challenges that that overlap creates,” she said.
Peters said health care organizations must follow and comply with not only HIPAA but other laws to protect privacy properly.
These laws are important because some state and federal statutes, like those addressing wiretapping, “have more rigorous consent requirements than even HIPAA,” and can be “onerous” to implement.
For instance, “If you're undertaking activities with chatbots or videos on your website, be aware that there are separate requirements outside of HIPAA that are more stringent than HIPAA.” Companies should ensure “compliance with those requirements” and that they're “address[ing] data ownership, data privacy and data security.”
Rene noted that this is a “danger” companies should consider, as health care entities often assume that HIPAA covers “any sensitive information they have about individuals,” and therefore they're not subject to other data privacy laws.
HIPAA is “very definition-heavy,” Rene said, especially when it comes to outlining what counts as protected health information (PHI) and to whom it applies. Companies “really need to understand” how terms are defined in HIPAA and elsewhere.
Also a former U.S. Department of Health and Human Services (HHS) official, Peters said she expects state AGs “to sort of fill in where HHS may be dropping off a little bit.” Some states have “taken a very aggressive approach” when it comes to enforcement of HIPAA and other privacy laws, she noted, “particularly with regard to consumer rights.”
Rene agreed, noting aggressive enforcement specifically for adequate privacy notices and effective opt-out mechanisms.
In addition, Peters mentioned past FTC enforcement, but questioned whether enforcement will “continue in a meaningful way, given the priorities of this particular administration.”
Looking ahead, Rene noted California has regulations “coming down the pike” on cyber audits, risk assessments and notice of opt-in and opt-out rights, including in connection with automated decision-making.
He recommended companies conduct risk assessments using “data that [they] are actually holding,” and comparing it to “protecting assets that you have in a house.”
“You need to think about ‘What are the threats to data, both internally and externally?’ and ‘How can we customize our internal processes and policies in order to address those threats and risks?’”