Health Data Privacy Compliance Poses Unique Issues

August 26, 2019

A conversation with Corey Dennis, Director of Privacy and Counsel to PPD

As Director of Privacy and Counsel to PPD, Corey Dennis has been closely involved with the compliance tied to the company’s integrated drug development and life cycle management services. He shares his thoughts the industry’s unique requirements and the actions critical to minimize fallout from a data breach.

[Empower your entire in-house legal team. Learn how Bloomberg Law can transform your legal department. Request a demo.]

When dealing with a data breach, what key thing tends to get forgotten? In other words, what element or action is more critical than it may initially appear?

Data breaches and security incidents are challenging to handle from a legal, operational, and resourcing perspective. Significant incidents require cross-functional team efforts, typically including members of legal, privacy, IT/information security, and corporate communications departments. Some common missteps when managing security incidents include:

  1. Failing to notify insurance carriers and legal counsel promptly
  2. Issuing public statements or press releases (which may include inaccurate or incomplete information) either too soon or too long after the incident
  3. Underestimating the amount of time required to thoroughly investigate, engage forensics firms, and take other key steps, and as a result, failing to timely notify in compliance with laws

What are the best guidelines to avoid violating health care privacy regulations when sharing research results with pharma companies?

Good Clinical Practice requires that clinical trial subject data be key-coded (pseudonymized and non-identifiable) when disclosed from the research site to other parties involved in the research, including pharma companies and clinical research organizations, such as PPD. This is also consistent with the requirements of the EU’s Generalized Data Protection Regulation, as well as the data minimization principle, which is a best practice in relation to privacy/security and a requirement under some privacy laws as well.

How do you navigate cross-border privacy concerns as they relate to health data?

Within our industry, the most common mechanism to ensure cross-border transfer compliance is data transfer agreement, otherwise known as EU Model Clause or SCC, which is intended to ensure GDPR compliance. The SCC can be challenging to implement in the health research context because there are a limited number of official SCC templates available and they do not neatly fit every data transfer scenario, at times requiring that a practical approach be taken.

The Privacy Shield Framework does not technically apply to key-coded clinical trial data, making SCCs the preferred mechanism, though Privacy Shield may be relied upon in relation to identifiable health data. In some cases, subject consent may also be used as a fallback option.

Related Resources

  • A Conversation with Elizabeth O’Callahan: In her position as Vice President, Legal at NetApp, Elizabeth O’Callahan has overseen a team of professionals addressing matters ranging from M&A through intellectual property and data privacy compliance.
  • A Conversation with Heidi Maher: In her dual role as executive director of the Compliance and Governance Oversight Council and privacy lead for Hybrid Cloud, IBM, Heidi Maher has gained considerable insight into some of the critical issues that surround data use  and the protection of personal information.