Top Life Sciences Concerns: Do You Know When Regulatory Frameworks Apply?

Q) I am conducting clinical trials in the US and Europe, working with identifiable information, and I’m sharing that information with a physician to help with treatment plans for specific patients. Because I am based in the U.S., I do not have to be concerned with the privacy requirements of the Global Data Protection Regulation (GDPR), just HIPAA as it relates to privacy and protecting sensitive health information.

1. That’s right; the only rules that apply are the ones that are sovereign to where your organization is based.
2. No, if you offer goods or services to, or monitor the behavior of data subjects within the EU or EEA regardless of where your organization is located, you must adhere to the requirements of GDPR.
3. Not only do you need to be concerned about GDPR’s regulations, but also based upon your subjects’ location in the EU, there may be additional regulatory requirements as with France, Germany, Spain and others.
4. You’re not a provider or insurance company, so none of this applies to you.

Learning: 2 and 3 are correct. If you offer goods or services to, or monitor the behavior of data subjects (individuals) within the EU or EEA, then you should adhere to GDPR. The price of non-compliance is steep—up to €20 million ($22,775,000), or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. If a firm infringes on multiple provisions of the GDPR, they will be fined according to their most severe violation. In addition, it is important to note that many countries changed their own privacy requirements to be harmonious with GDPR and where there was conflict, they reverted to GDPR, but there can still be fines over and above those listed in GDPR regulations. Germany has additional millions of Euros in fines.

Q) Because, and only because I am in healthcare, I have to be concerned about GDPR.

1. True
2. False

Learning: False. You have to be concerned about GDPR if you are handling any kind of personally identifiable information as defined by GDPR in Article 9. The article spells out the circumstances in which the processing of this personal data—which is otherwise prohibited—is allowed. The data that is considered “sensitive” relates to racial or ethnic origin; political views; data concerning health or sex life and sexual orientation, and a few other parameters. New additions to the list that should be of particular interest to healthcare organizations are genetic data and biometric data that uniquely identify a person when processed.

Like the previous legislation, Article 9 elaborates on the grounds for processing sensitive data but provides wider domain in the health and healthcare management space. Specifically, sensitive data may be processed when it’s necessary for the purposes of preventative or occupational medicine, in the assessment of working capacity, medical diagnosis, and providing treatment. The article also describes broader rationales for processing sensitive data, such as cross-border health threats or ensuring the high safety standards of healthcare, drugs and medical devices.

Q) I am a U.S.-based life sciences organization and I am partnering with offshore vendors to help develop an app that speeds time to market for drug development. Because of the research, I have access to PHI and am transmitting the PHI to these vendors and lab partners. What’s required from a compliance standpoint? (Select all that apply)

1. I am fine as long as everyone signs a mutual Non-disclosure Agreement (NDA)
2. I need a Business Associate Agreement (BAA) with all vendors that process, store, and transmit PHI
3. I am required to ensure that these vendors and lab partners protect the data in the same way that my organization is required to as reflected in the BAA.
4. I need a PHI inventory to apply reasonable and adequate safeguards to the data.

Learning: 2, 3 and 4 are correct. In the healthcare arena, the business associate in the BAA mostly refers to a person/organization that creates or works with protected health information (PHI) “on behalf of” a covered entity, or in some cases, another business associate. Example: a HIPAA-compliant cloud services provider and a manufacturer of medical devices.

Who signs a BAA? The big-picture view is if you handle identifiable patient data for any reason, most healthcare providers, insurance companies, pharmacies, self-insured employers, etc. will deem you/your company to be a business associate and would like your signature on the BAA. Independent contractors and consultants may need to sign a BAA as well. For the most part, they will not be under your direct control and should be considered business associates and should be prepared to comply fully with HIPAA and accept liability for compliance. Ergo, point that contractor to the dotted line.

While a BAA should exist between two parties any time a business associate relationship exists, it doesn’t necessarily need to be a standalone agreement. All the requisite stipulations can be consolidated into terms of service, data security agreements, etc.

A BAA’s main requirements are to:

• Specify the PHI’s permitted uses and disclosures. If it’s not specified, it’s not allowed.
• State what is required under the regulations.
• Allow the upstream entity to terminate the BAA if the other violates a material term.
• Address data lifecycle events (PHI amendments, patient PHI requests, return/destruction of PHI at BAA’s end, and logging PHI disclosures to third parties.)
• Specify how security incidents and data breaches are handled, communicated, and reported.

Q) I am going to be sharing PHI from my life sciences organization with payers with whom I am doing business. They want to see HITRUST certification. One of the reasons people request HITRUST certification is it can shorten the time for due diligence to demonstrate that a party/parties are handling PHI in a compliant manner. How do I satisfy their request?

1. I can earn a HITRUST certification in about six months and use it to improve my marketability.
2. I can show them that I have other certifications and a BAA with AWS, and that will suffice.
3. I can partner with a third-party vendor and say I now have HITRUST.
4. I can partner with a third-party vendor who has the most current HITRUST CSF certification and use it to show that I am operating under the best practices, policies and procedures, and I can also speed my time to gaining my own HITRUST certification through appropriate control inheritance.

Learning: 4 is correct. While having HITRUST certification will improve your marketability, it is highly unlikely you can earn it in six months. By opting for answer D, you can show your customers that you are working within best practices and policies for security and compliance.

When it comes to security and compliance, it is often our subjective nature that gets organizations into trouble. Proving adherence may require greater prescriptiveness of applying security and privacy controls to a regulation, and a more objective third party.

To fortify this core pillar of the healthcare industry, HITRUST was born. This industry-driven effort endeavors to standardize on a common, certifiable framework (CSF) to benefit both vendors and covered entities.

Though in the US there is a patch quilt of other compliance frameworks and standards—HIPAA, PCI, ISO, NIST, and more—the perpetually-evolving CSF seeks to map all these terrains together with itself as the compliance/security Sherpa.

They seek progress in protection—to advance the healthcare industry’s safeguarding of health information. They intend to do it through the establishment of a practical mechanism for validating an organization’s compliance with the HITRUST CSF—which many believe is the most respected security framework in the healthcare industry.

Q) I am purchasing some software to help orchestrate my cloud environment, and in order to do this, I am required to have this software company sign a BAA.

1. True
2. False
3. It depends

Learning: 3. It depends. The answer is false if the software is being used to orchestrate a cloud environment and there is not any access by the vendor to PHI or any of the data within the cloud environment. The software provider is not required to have a BAA with my company. The answer is true, if the vendor is accessing PHI—then you’ll need a BAA.

Q) I have a requirement that my vendors follow the NIST Cybersecurity Framework in order to protect PHI. Which of these applies to me?

1. My potential cloud provider claims it is certified under the NIST Cybersecurity Framework, so it fits my requirement.
2. My potential cloud provider was certified by the HITRUST alliance as following and complying with the NIST Cybersecurity Framework, so it fits my requirement.
3. I don’t need to follow NIST because it’s out of date.
4. The NIST Cybersecurity Framework only applies if you are working with a government entity, which I am not, so I do not need to require this.

Learning: 2 is the correct answer

The NIST Cybersecurity Framework is a well-respected framework. You cannot be NIST certified so (a) does not apply and your potential vendor is misrepresenting themselves. Answer (b) would fulfill the requirement because the HITRUST Alliance can certify entities as complying with the NIST Cybersecurity Framework. Answer (c) is incorrect because many operating in the private sector look to NIST because of its maturity and breadth as a respected framework. Answer (d) is also incorrect: The NIST Cybersecurity Framework is a voluntary set of standards, guidelines, and practices that should educate all organizations―private and public―to help manage IT security risks.

In cyberspace, no one can hear you scream—which begs the question: what IT security best practices should organizations, and the industry at large, adopt as their deflective force field against hack attacks or to at least be able to lessen the severity of the breaches?

The NIST Framework provides directions on how to fortify your defenses on the cybersecurity front. It’s based on existing measures and best practices to get internal and external organizational stakeholders talking about risk and cybersecurity management. The three main topics are core, implementation tiers, and profiles. The overarching focus: how organizations currently view cybersecurity risk management and how their existing processes complement existing policies and procedures.

How did you score?

Answered all six correctly: Congratulations! Your knowledge is contributing to proper management of your organization’s security risks.

Answered all four or five questions correctly: Not bad, but there are places where these knowledge gaps can put organizations at risk.

Answered three or fewer questions correctly: Proceed with caution: Your cybersecurity program may be vulnerable. Consider investing in third party expertise to ensure you’re not making any costly mistakes.

In the end, the answer to these and many more regulatory questions may be considerably more complicated than simply checking a box. No matter how you scored, many healthcare organizations benefit from partnering with seasoned healthcare compliance and security cloud experts.