LS&HC Horizons 2022 - Flipbook - Page 27
Hogan Lovells | 2022 Life Sciences and Health Care Horizons
27
Privacy and Cybersecurity
What can I do?: With shifts in U.S. legal landscape, use of clinical data for R&D is a big question
Clinical data maintained by U.S. health care providers (Providers)
has significant value, but how can it be used for research and product
development? The answer to that enduring question continues to get
more complicated and there are no one-size-fits-all answers.
Consider consent. With notable exceptions, Providers may use and
share patient health information for treatment, payment, and certain
operational purposes without obtaining consent. However, the rules
for using that same data for research can be stricter, often requiring
consent or institutional review board approval, sometimes even for
de-identified data. This can raise issues for Providers wishing to
perform research using data originally obtained for treatment. In
some cases, obtaining consent may be near-impossible. For example,
indirect Providers, such as laboratories, encounter additional
challenges, as they rarely have the opportunity to obtain consent
directly from a patient.
To unlock the promise of clinical data, Providers must adeptly
navigate consent and other issues under rapidly shifting federal
and state privacy, consumer protection, and research laws. Beyond
longstanding laws like the Health Insurance Portability and
Accountability Act (HIPAA) and state health privacy laws, Providers
need to assess compliance obligations under a growing patchwork
of state consumer privacy laws. These include generally applicable
laws, such as the California Consumer Privacy Act (CCPA), and more
narrowly targeted laws, such as those regulating genetic testing
information. Further complicating matters, the Department of Health
and Human Services is evaluating potential updates to HIPAA and the
Federal Trade Commission has signaled that it will begin enforcing
its long dormant breach notification rule for incidents involving nonHIPAA covered data.
Donald DePass
Senior Associate,
Washington, D.C.
Scott Loughlin
Partner, Washington, D.C.
