Regulations

The End Of The EU-U.S. Data Protection Framework?

French Member of Parliament Philippe Latombe has brought an action in his own name before the EU General Court against the EU-U.S. Data Privacy Framework (DPF), with two prongs: a request for interim measures to suspend the adequacy decision immediately, and an action for annulment contesting its substance. He argues that the framework breaches the EU Charter of Fundamental Rights and the GDPR because U.S. intelligence agencies engage in mass surveillance and bulk collection of personal data. This filing is likely the first in a series of legal challenges to the DPF.


A New Transatlantic Data Bridge: The UK-U.S. Data Bridge

On September 21st, the United Kingdom and the United States finalized the UK-U.S. Data Bridge, which takes effect on October 12th. It is formally a UK Extension to the EU-U.S. Data Privacy Framework, so U.S. organizations certified under the DPF that opt in to the extension can receive UK personal data.

The bridge is, however, in a fragile position. It relies on the same U.S. safeguards as the EU-U.S. DPF, so a successful challenge to the DPF could prompt the UK to reassess the level of protection afforded to UK personal data in the U.S. and potentially withdraw the data bridge.


Publication Of A Pre-Market Guidance For Machine Learning-Enabled Medical Devices

Health Canada has released a draft pre-market guidance document for machine learning-enabled medical devices (MLMDs). It gives manufacturers a clear framework for demonstrating the safety and effectiveness of an MLMD, both in an initial licence application and when amending an existing medical device licence. It explains how core principles such as transparency apply to these devices and offers direction on implementing machine learning in medical devices.


Data Protection Principles For Telehealth

The American Telemedicine Association (ATA) has published Health Data Privacy Principles tailored to telehealth. The Principles cover the following components: consistency, the definition of consumer health data, alignment with the Health Insurance Portability and Accountability Act (HIPAA), consumer rights, consumer consent, sale of data and opt-out, and enforcement. Their aim is to ensure that telehealth practices meet standards for patient safety, data privacy, and information security while advancing patient access and raising awareness of telehealth practices.


PETs - Privacy Enhancing Technologies

PETs Use In Healthcare Analysis

Protected Health Information (PHI) is valuable for large-scale analytics aimed at advancing medical research, but the security of, and access to, that data must be guaranteed. Privacy-Enhancing Technologies (PETs) can help: they allow data to be analysed with its identifying content removed or protected, supporting both privacy compliance and data security. Three categories of PETs are described: algorithmic, architectural, and augmentation PETs. Among the algorithmic PETs, three are highlighted: homomorphic encryption (computing on data while it stays encrypted), differential privacy (adding calibrated noise to query results so that no single patient's record can be inferred from the output), and zero-knowledge proofs (proving a statement about data without revealing the data itself).
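Differential privacy is the easiest of the three algorithmic PETs to show concretely. The Python example below is added here and is not code from the page or from any vendor's product. It releases two statistics from a constructed PHI-like table, a count and a bounded sum, each with Laplace noise calibrated to the query's sensitivity, under a privacy budget that refuses further queries once the agreed total epsilon is spent. The patient rows, the HbA1c clamping range of 4.0 to 15.0, and the per-query epsilons are assumptions chosen for illustration.

```python
"""Differential privacy over a constructed PHI-like table.

Added example, not taken from the page or any named vendor. RECORDS is
constructed sample data; the clamping range for HbA1c and the per-query
epsilons are assumptions chosen for illustration.
"""
import math
import random
from typing import Callable, Dict, List

Record = Dict[str, object]

# Constructed rows standing in for a de-identified PHI extract (not real data).
RECORDS: List[Record] = [
    {"patient_id": "P001", "age": 54, "hba1c": 7.9, "diabetic": True},
    {"patient_id": "P002", "age": 31, "hba1c": 5.2, "diabetic": False},
    {"patient_id": "P003", "age": 67, "hba1c": 8.6, "diabetic": True},
    {"patient_id": "P004", "age": 45, "hba1c": 5.6, "diabetic": False},
    {"patient_id": "P005", "age": 72, "hba1c": 12.4, "diabetic": True},
    {"patient_id": "P006", "age": 29, "hba1c": 4.9, "diabetic": False},
    {"patient_id": "P007", "age": 58, "hba1c": 6.4, "diabetic": False},
    {"patient_id": "P008", "age": 63, "hba1c": 9.1, "diabetic": True},
]


class BudgetExhausted(Exception):
    """Raised when a query would push cumulative epsilon past the agreed total."""


class PrivacyBudget:
    """Tracks cumulative epsilon using basic sequential composition:
    k queries with epsilon_1..epsilon_k together cost their sum."""

    def __init__(self, total_epsilon: float) -> None:
        self.total = total_epsilon
        self.spent = 0.0

    @property
    def remaining(self) -> float:
        return self.total - self.spent

    def spend(self, epsilon: float) -> None:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total + 1e-12:
            raise BudgetExhausted(f"need {epsilon}, only {self.remaining:.3f} left")
        self.spent += epsilon


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Draw from Laplace(0, scale) by inverse CDF; scale = sensitivity / epsilon."""
    u = rng.random() - 0.5
    while u == -0.5:  # avoid log(0) on the (vanishingly rare) u == 0.0 draw
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records: List[Record], predicate: Callable[[Record], bool],
             epsilon: float, budget: PrivacyBudget, rng: random.Random) -> float:
    """Noisy count. Adding or removing one row changes a count by at most 1,
    so the L1 sensitivity is 1 and the Laplace scale is 1/epsilon."""
    budget.spend(epsilon)
    exact = sum(1 for r in records if predicate(r))
    return exact + laplace_sample(1.0 / epsilon, rng)


def dp_bounded_sum(records: List[Record], key: str, lo: float, hi: float,
                   epsilon: float, budget: PrivacyBudget, rng: random.Random) -> float:
    """Noisy sum of a numeric column after clamping every value into [lo, hi].
    Clamping caps one patient's influence on the sum at max(|lo|, |hi|), which
    is the sensitivity the noise is scaled to; without it the sum is unbounded
    and no finite noise would hide an outlier's value."""
    budget.spend(epsilon)
    exact = sum(min(max(float(r[key]), lo), hi) for r in records)
    return exact + laplace_sample(max(abs(lo), abs(hi)) / epsilon, rng)


def empirical_sensitivity(records: List[Record],
                          query: Callable[[List[Record]], float]) -> float:
    """Largest change in an un-noised query when any single row is dropped.
    A sanity check on the hard-coded sensitivity, not a proof: it only sees the
    rows you have, so it must never exceed the bound the noise was calibrated to."""
    base = query(records)
    return max(abs(base - query(records[:i] + records[i + 1:]))
               for i in range(len(records)))


def run_analysis(seed: int = 0, total_epsilon: float = 1.0) -> Dict[str, float]:
    """Release two statistics under one budget: count of diabetic patients and
    mean HbA1c (noisy sum over noisy population size, so n itself is not leaked)."""
    rng = random.Random(seed)
    budget = PrivacyBudget(total_epsilon)
    diabetics = dp_count(RECORDS, lambda r: bool(r["diabetic"]), 0.4, budget, rng)
    population = dp_count(RECORDS, lambda r: True, 0.2, budget, rng)
    # 4.0 to 15.0 is an assumed clinical range for HbA1c, chosen for illustration.
    hba1c_sum = dp_bounded_sum(RECORDS, "hba1c", 4.0, 15.0, 0.4, budget, rng)
    return {
        "diabetic_count": diabetics,
        "mean_hba1c": hba1c_sum / max(population, 1.0),
        "epsilon_spent": budget.spent,
        "epsilon_remaining": budget.remaining,
    }


if __name__ == "__main__":
    print(run_analysis())
```

Two practical points the code makes explicit: the clamping range must be fixed before looking at the data (choosing it from the data leaks information about the outliers it was meant to hide), and the budget object is what turns "differential privacy" from a per-query property into a guarantee over the whole analysis, because a fourth query against the exhausted budget raises rather than silently eroding the protection.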


Artificial Intelligence

The Necessity Of AI Incident Response Plans

Organizations should prepare an AI Incident Response Plan to manage the consequences of AI failures. Such failures fall into one or more of the following categories: security, unauthorized outcomes, discriminatory outcomes, privacy violations, physical safety, and lack of transparency and accountability. Building the plan starts with understanding each AI system, how it works and what it depends on, and maintaining an inventory of those systems. From there, the classical steps of a cybersecurity incident response plan can be followed, adapted to the specifics of the AI system, where containment may mean rolling back or retraining a model rather than patching code.


Cybersecurity

NIST's Recommendations About The HIPAA Security Rule

The U.S. National Institute of Standards and Technology (NIST) has published a new draft of SP 800-66, “Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide”. The guidance lays out the key elements of a risk assessment, which the Security Rule requires in order to identify the circumstances in which electronic Protected Health Information (ePHI) could be used or disclosed without proper authorization, improperly modified, or made unavailable when needed. It also points covered entities and business associates to the Security Risk Assessment (SRA) Tool as one way to perform that assessment.


Update Of The Security Risk Assessment (SRA) Tool

The SRA Tool, provided jointly by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR), helps healthcare providers conduct the security risk assessment required by the HIPAA Security Rule. It is intended for informational purposes only: it does not guarantee compliance and should not be the sole basis of a comprehensive risk assessment. The latest update adds a glossary, tooltips, and references to the 2023 edition of the Health Industry Cybersecurity Practices (HICP).


The Influence Of SEC's Cyber Incident Disclosure Rule On The Healthcare Industry

The Securities and Exchange Commission (SEC) has adopted its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The rule applies to public companies, including those in the healthcare sector. A registrant must determine without unreasonable delay whether a cybersecurity incident is material to investors and, within four business days of that determination, file a Form 8-K describing the nature, scope, and timing of the incident and its material impact or reasonably likely material impact. Disclosure may be delayed only if the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety.


Data Privacy Enforcement

Info Blocking Enforcement For Health IT Entities

Since September 1st, Health IT entities have been subject to civil monetary penalties for information blocking: practices likely to interfere with the access, exchange, or use of electronic health information. The entities covered are developers of certified health IT, entities offering certified health IT, health information exchanges, and health information networks. Complaints are investigated by the HHS Office of Inspector General (OIG), and penalties can reach $1 million per violation.


Health Plan's HIPAA Infringement

Following investigations by the HHS Office for Civil Rights (OCR), LA Care, a Los Angeles-based health plan, has settled for $1.3 million and agreed to a corrective action plan (CAP). OCR identified several potential HIPAA violations, including failure to implement adequate security measures to reduce risks to electronic protected health information (ePHI) and failure to conduct an accurate and thorough risk analysis. To address these shortcomings, the CAP requires LA Care to complete an accurate and thorough risk analysis and to implement a risk management plan.


Class-Action Lawsuit Arising From Data Sharing By Smart Health Devices

A class-action lawsuit is pending against Medtronic. The complaint alleges that Medtronic unlawfully shared personal data collected by its app and smart insulin pens with third-party advertisers, including Google, for marketing and analytics purposes, without obtaining users' express and informed consent. The data at issue includes personally identifiable information and protected health information.

