On December 14, 2018 the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request For Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.”  OCR is seeking comments for a series of 54 different specific questions (many with additional subparts) corresponding to the following five major topic areas:  (1) the promotion of information sharing for treatment and care coordination; (2) the promotion of parental and caregiver involvement in addressing the opioid crisis and serious mental illness; (3) additional ways to remove regulatory obstacles and burdens to facilitate care coordination and promote value-based health care; (4) an effective means to implement the accounting of disclosures requirement of the HITECH Act; and (5) Notice of Privacy Practices operational practices.

While some of the questions ask for factual information (such as the typical time it takes a covered entity to transfer PHI to another covered entity), many of the questions raise larger policy issues.  For example, the RFI includes a series of questions on whether it would make sense to have health care clearinghouses play a much more direct role in providing information to individuals, whether health care clearinghouses should be treated only as covered entities, and if so, could other covered entities impose contractual obligations on the health care clearinghouses to protect PHI without the use of a business associate agreement.  Similarly, the RFI includes multiple questions on whether the OCR could amend the Privacy Rule to allow for better coordination for patients suffering from a substance abuse disorder or serious mental illness, and how such changes might interact with current state privacy laws and 42 CFR Part 2 that would otherwise prohibit the sharing of such information.

From an operational perspective, the RFI requests comments on how to effectively implement the HITECH Act requirement to provide an accounting of all disclosures made through an electronic health record and whether requiring providers to make a good faith effort to obtain written acknowledgement from a patient that they have received a Notice of Privacy Practices places an unnecessary burden on providers, and perhaps inadvertently confuses patients.

OCR is requesting comments to the elucidated questions on or before February 12, 2019.

On October 16, 2018 the Department of Health and Human Services Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health Information Technology (“ONC”) announced an update to their previously provided Security Risk Assessment Tool.  According to ONC and OCR, the “tool is designed to help healthcare providers conduct a security risk assessment” as required under the HIPAA Security Rule.  ONC states that the updated tool includes additional features such as:

  • Enhanced user interface
  • Modular workflow
  • Custom assessment logic
  • Progress tracker
  • Threats & vulnerabilities rating
  • Detailed reports
  • Business associate and asset tracking
  • Overall improvement of the user experience

As with prior tools, the ONC/OCR tool includes a broad disclaimer noting that use of the tool “does not guarantee compliance with federal, state or local laws”.  Indeed, ONC and OCR encourage providers to “seek expert advice when evaluating the use of the tool.”

Ultimately, while the tool may provide a useful resource for small physician groups, larger organizations are more likely to need what is rapidly becoming the industry standard of having a security risk assessment/risk analysis performed by an outside third party, and ensuring additional assessments (such as penetration testing of the systems) are a part of that full risk assessment for the organization.

***

If your organization has any questions or needs assistance with a privacy and security related issue, please reach out to members of our Privacy and Security Group: Patricia Wagner, Alaap Shah, Brian Cesaratto, Adam Forman, or Wenxi Li.

In the tech world, blockchain technology appears to be the panacea to all problems.  As blockchain technology becomes increasingly popular, many industries are trying to determine the best way to use the new phenomenon. Healthcare is no different in this quest. Health care is an optimal candidate to benefit from development of innovative ways to solve its impending issues using transformational technology. Blockchain could be the technology that helps to alleviate some of health care’s problems, such as the incredibly fragmented delivery of care and the painstakingly slow reaction to technological advances.

What is Blockchain Technology?

An over-simplified explanation of blockchain is an online database that stores information on a network of computers. Information, also known as “a record,” is stored in a block. For example, a record of you paying Mr. Smith 10 dollars is stored in a block. Traditionally, that information is saved in a database at a data center. However, blockchain technology stores that record on an individual computer with a time stamp (the “block”).  Any change to that information is then stored on another individual computer with a time stamp.  Each individual computer holds a block of information that is chronologically time stamped, which creates the blockchain. Thus, information cannot be edited or changed without verification from all parties who have access to a block in the blockchain.  Blockchain technology distributes and decentralizes information.  There is no central company or one person that holds the information. This makes it extremely difficult for any one person to take down or corrupt the network. Traditionally, blockchain technology is used as a public transaction ledger for bitcoin. Bitcoin users utilize the technology to mitigate the issue of double spending (spending the same single digital coin more than once) without the need for one trusted authorizer or central server.
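The mechanism sketched above (each block carries a time stamp and commits to the block before it, so a record cannot be quietly rewritten once other parties hold copies) can be shown with a few lines of code. The following is an added example written for this post, not code from the original article or from any blockchain project; the `Block` class, the `validate_chain` and `holders_agree` functions, and the sample records with placeholder identifiers are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, replace

# Constructed example: a minimal hash-chained ledger. Each block stores one
# time-stamped record plus the SHA-256 digest of the previous block.

GENESIS_PREV = "0" * 64  # sentinel meaning "no previous block" (our convention)


@dataclass(frozen=True)
class Block:
    """One time-stamped record plus the hash of the block before it."""
    index: int
    timestamp: int        # Unix seconds; fixed values are used below for determinism
    record: dict
    prev_hash: str

    def digest(self) -> str:
        # Canonical JSON so every holder of a copy computes the same hash
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "record": self.record, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def new_chain(record: dict, timestamp: int) -> list:
    """Start a chain with a genesis block holding the first record."""
    return [Block(0, timestamp, record, GENESIS_PREV)]


def append_block(chain: list, record: dict, timestamp: int) -> Block:
    """Append a record; the new block commits to the digest of the previous one."""
    prev = chain[-1]
    block = Block(prev.index + 1, timestamp, record, prev.digest())
    chain.append(block)
    return block


def validate_chain(chain: list):
    """Return None if every link is intact, otherwise the index of the first
    block whose prev_hash no longer matches its predecessor's digest."""
    if not chain or chain[0].index != 0 or chain[0].prev_hash != GENESIS_PREV:
        return 0
    for i in range(1, len(chain)):
        if chain[i].index != i or chain[i].prev_hash != chain[i - 1].digest():
            return i
    return None


def tamper_record(chain: list, index: int, new_record: dict) -> list:
    """Return a copy of the chain in which one block's record was rewritten in
    place (the scenario being illustrated: a holder silently edits its own copy)."""
    edited = list(chain)
    edited[index] = replace(chain[index], record=new_record)
    return edited


def holders_agree(copies: dict) -> bool:
    """Consensus check across holders: every copy must end in the same digest.
    This is what exposes an edit to the *last* block, which no later link can."""
    tips = {chain[-1].digest() for chain in copies.values()}
    return len(tips) == 1


def build_sample_chain() -> list:
    """Constructed sample records with placeholder identifiers (not real PHI)."""
    chain = new_chain({"patient": "P-0001", "event": "record created",
                       "by": "clinic-A"}, timestamp=1_700_000_000)
    append_block(chain, {"patient": "P-0001", "event": "allergy added",
                         "by": "clinic-B"}, timestamp=1_700_000_600)
    append_block(chain, {"patient": "P-0001", "event": "prescription renewed",
                         "by": "clinic-A"}, timestamp=1_700_001_200)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain valid:", validate_chain(chain) is None)
    # Editing a middle block breaks the next block's prev_hash link
    edited = tamper_record(chain, 1, {"patient": "P-0001",
                                      "event": "allergy removed", "by": "clinic-B"})
    print("first broken link after editing block 1:", validate_chain(edited))
    # Editing the tip passes the link check but disagrees with other holders
    tip_edit = tamper_record(chain, 2, {"patient": "P-0001",
                                        "event": "prescription cancelled", "by": "clinic-A"})
    print("tip edit passes link check:", validate_chain(tip_edit) is None)
    print("holders agree:", holders_agree({"clinic-A": chain, "clinic-B": chain,
                                           "patient": tip_edit}))
```

Two points the code makes that the prose does not: the hash links alone only expose edits to earlier blocks (the last block can be rewritten without breaking any link), so the protection really comes from comparing copies held by independent parties; and hashing gives integrity, not confidentiality, since every holder of a copy can read every record, which is why the HIPAA restrictions on sharing PHI discussed later in this post matter for any such design.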

Blockchain and Health Care

Blockchain technology could play a role in the industry’s goal to improve the quality of care through care coordination. Care coordination often involves the sharing of information between multiple providers. Blockchain technology could be used to facilitate this process in a more efficient manner by storing a variety of information, including provider and patient details, within electronic health records (EHR) on a network of computers. Blockchain would store the information on various computers, such that information entered into an EHR could be stored across a network of computers that includes providers and the patient. Providers and the patient would hold blocks of information, allowing each provider and each patient to validate the updates to that patient’s record with the consensus of all the providers and the patient. Using blockchain in this fashion would give patients control over their care while also encouraging care coordination because providers would have to interact with one another to update a patient’s file. In this sense, blockchain could take the first step in facilitating the improvement of patient care as a whole.

Blockchain could also reduce the health care industry’s susceptibility to privacy attacks or breaches because of its decentralized and distributed structure. Privacy attacks often involve a hacker entering a system or a database, but, with blocks held in multiple locations instead of one database, blockchain technology would help to minimize hacker infiltration.

However, as with any heavily regulated industry, implementing blockchain will not be easy. There are state and federal legal roadblocks that hinder blockchain’s viability. The Health Insurance Portability and Accountability Act (“HIPAA”), for example, could hinder the sharing of health information across a network of computers due to its restrictions on the sharing of Protected Health Information (PHI). Furthermore, state and federal laws would have to be updated to facilitate this technological advance. Despite these hurdles, there may be a glimmer of hope. The Centers for Medicare & Medicaid Services is dedicated to improving interoperability and patients’ access to health information through its Promoting Interoperability program. The agency’s push for moving health care towards EHR has the potential to be pivotal if the industry uses blockchain or a similar technology to improve patient access to health information.

Blockchain may not be a today solution—it will take time to change state and federal laws regarding health information to facilitate such technology. However, the promotion of initiatives encouraging use of EHR may be priming the industry’s palate to provide a place for blockchain in the future.

On June 28, 2018, California signed A.B. 375 into law, otherwise known as the California Consumer Privacy Act of 2018 (“California Privacy Act”).  Effective January 1, 2020, among other requirements, the law will expand the privacy rights of California consumers and require businesses to disclose what consumer personal information is being used, why, and how.  Failure to comply with these new laws could be costly to businesses, with civil penalties resulting from an action by the state attorney general of up to $7,500 per violation.  In addition, in the event of a breach of personal information, the California Privacy Act provides consumers with statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.  Therefore, the California Privacy Act will have a significant impact on businesses, including the healthcare sector.

Business Types Affected.

Generally, the California Privacy Act will affect for-profit business entities that collect consumers’ personal information and that meet one or more of the following criteria: (1) have annual gross revenues greater than twenty-five million dollars ($25,000,000); (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of their annual revenues from selling consumers’ personal information.  The law applies to businesses that collect, use, or share personal information of California residents, including residents who are outside the state for temporary or transitory purposes (e.g., travelers).  California’s privacy law does not apply to protected health information regulated by California’s Confidentiality of Medical Information Act or by HIPAA’s privacy, security, and notification rules, but it does apply to the other personal information held by an organization that meets the criteria above and does business in California.

Consumer Rights Expanded.

Additionally, the California Privacy Act will provide California residents more control over their personal information.  For example, consumers will have the right to know the type of personal information collected by the business, the purpose for which the information is being collected, and with whom the information is being shared.  Also, consumers will have the “right to be forgotten” by requesting the deletion of their personal information from the businesses’ systems (with certain exceptions that may apply).  Under the new law, consumers will have the right to prohibit businesses from selling their personal information.  Furthermore, the California Privacy Act will also provide consumers protection from discriminatory action by businesses for exercising these privacy rights.  Overall, the expansion of consumers’ rights to their personal information is similar to the requirements set forth in the European Union’s General Data Protection Regulation (“GDPR”).  Therefore, in this regard, the good news is that the work businesses have been doing to be GDPR compliant will most likely comport with the California Privacy Act.

Business Response Required.

Also, the California Privacy Act will require businesses affected by the law to comply with several requirements that will ensure consumers’ awareness of their privacy rights.  For example, the law will require businesses to make available at least two methods for consumers to make requests for information required to be disclosed (at a minimum a toll-free telephone number and, if applicable, a Web site address).  Businesses will be required to disclose and deliver the requested information, free of charge to the consumer, within 45 days of the request (although businesses will not have to provide such information more than twice a year to a single consumer).  Furthermore, businesses will be required to ensure that all individuals handling consumer inquiries about the business’s privacy practices or the business’s compliance with the law understand all the requirements under the California Privacy Act.  Therefore, businesses will need to make sure that their online privacy policies and/or California-specific consumer privacy rights notices are updated to include these new rights.

* * *

As mentioned above, the California Privacy Act reaches businesses beyond the borders of the state.  According to the International Association of Privacy Professionals (“IAPP”), more than 500,000 U.S. businesses (most being small- to medium-sized enterprises) will be affected by the privacy law.  Because the California Privacy Act follows in the footsteps of the GDPR, the work businesses have done to be in compliance with the GDPR will most likely comport with California’s privacy law.  But those businesses that have not should begin making changes to their policies and procedures to ensure they are in compliance by the end of 2019.

The pace of health care transactions is robust, purchase price multiples are increasing, and many health care businesses are taking advantage of a sellers’ market.  Recently, our clients have increasingly turned to representation and warranty (“R&W”) insurance, finding a market more amenable to the nuances of health care deals than in the past. In the right deal, R&W insurance can limit risk to both seller and buyer and increase value to a seller by allowing for “walk-away” or “naked” deals.  R&W insurance may also be used as a tool by a buyer to increase the attractiveness of its offer in a competitive environment.

The acquisition of a company or its assets is typically governed by a purchase agreement and related transaction documents. The purchase agreement will contain various representations and warranties by the seller regarding a variety of matters, such as the seller’s assets and financial performance (including growth projections), the accuracy of its billings for services, and its compliance with law (including healthcare laws and regulations). The buyer must do its own diligence before consummating a transaction, but in connection with such diligence it also relies on the seller’s representations and warranties. Following the closing of the transaction, if it is determined that one of the seller’s representations was incorrect (i.e., breached) and the buyer suffers damages as a result, the buyer usually has a right to compensation pursuant to the purchase agreement and related transaction documents.  Frequently, however, those agreements limit the amount that the buyer may recover, either in total or by using various formulas, deductibles, and/or caps.  Even in the absence of these limits, if the cash purchase price has been distributed by a seller to its creditors and owners, a buyer seeking recovery may face a complex and difficult process.

The most common way to protect a buyer from potential losses that may be difficult to recover using simple indemnification is to escrow a portion of the purchase price from which claims may be paid. The amount of the escrow and how long it must be held are important negotiated terms in the purchase agreement. At the conclusion of the agreed-upon escrow period, the funds remaining in the escrow account will be released to the seller. Naturally, a buyer will want the most protection (and a large escrow amount), while a seller will want to retain the largest portion of the purchase price (and a small escrow amount). That’s where R&W insurance comes in.

R&W insurance shifts the risk of liability for breaches of representations and warranties from the seller to the insurance company in order to provide the parties to the transaction with greater protection post-closing. By utilizing R&W insurance, a buyer will be more comfortable placing a smaller portion (or even none) of the purchase price in escrow, resulting in a larger portion of the purchase price being paid to the seller at closing. In the event a breach of covered representations and warranties by the seller is discovered post-closing, the buyer may look to the insurance company rather than to the escrow (and therefore to the seller) to be made whole.

R&W insurance is an interesting way to shift the risk involved in a transaction and to provide a buyer with greater certainty of collection in the event of a breach. Further, making R&W insurance a component of a bid may provide a buyer a way to favorably distinguish itself from other bidders in a typical “sale process” run by investment bankers (or in an auction-style sale). There are many other considerations, however, when deciding whether to use R&W insurance in lieu of the traditional escrow model. Such considerations include, among others:

  • The size of the policy needed for the transaction, and whether the resulting cost of the policy makes good business sense. The size of a policy can range significantly, in theory covering losses up to the full purchase price, which will impact the cost of the insurance.
  • Whether, and the extent to which, the buyer wants the seller to have “skin in the game” post-closing (i.e., in the form of an escrow), potentially making R&W insurance less desirable.
  • Which representations and warranties the policy excludes. If significant claims are excluded (e.g., Medicare claims, HIPAA violations, or specific matters already under government investigation or subject to litigation), there may be a weaker business case for buying R&W insurance.
  • Who will pay for the R&W insurance (buyer? seller? split?).
  • Some healthcare deals are harder to insure for representations and warranties relating to billing and coding compliance, such as providers with a higher percentage of government payor reimbursement and a greater number of “high-end” CPT codes.
  • The policy’s requirements for a buyer to make (and collect) a claim under the policy. For example, does the policy contain a materiality requirement?  Are the policy requirements consistent with the term of the purchase agreement?

Buyers and sellers should be aware of the existence of R&W insurance, as well as the above considerations, when analyzing and negotiating transactions. It may provide a valuable alternative to the traditional indemnification escrow model.

Last week’s “WannaCry” worldwide ransomware attack was particularly targeted against international health organizations. Though the attack was thwarted, not without a little good luck and with less financial loss than might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS). It also is no surprise that these government agencies took a carrot and stick approach – speaking about cooperation on one hand and enforcement (by OCR) on the other.

On the cooperative side, DHS and HHS have sought to work with the tech sector to employ cybersecurity best practices to address the ransomware threat, now the most common problem faced across the cyber universe but especially in health care. DHS has opined that “Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices including installation of the latest patches and avoiding phishing efforts that can implant ransomware to lock down a system.” The recommended best practices include employee training to avoid clicking on unfamiliar links and files in emails, and backing up data to prevent possible loss. Beyond those somewhat simplistic suggestions, one detects a decided trend toward adoption of the voluntary framework of cybersecurity standards issued by the National Institute of Standards and Technology (NIST), which was issued in 2014 and is in the process of being updated per public comments and meetings.  This also is consistent with the recently issued Executive Order that mandates federal department compliance with the same standards suggested for the private sector, particularly the NIST framework.

The OCR enforcement component is more problematic.  On May 17, 2017, Iliana Peters, a HIPAA compliance and enforcement official at OCR, announced at a Georgetown University Law Center cybersecurity conference that OCR will “presume a breach has occurred” when a HIPAA covered entity or business associate has experienced a ransomware attack, due to the nature of how ransomware attacks work. This is somewhat at odds with the way that ransomware actually works. Ransomware generally is a form of blackmail where a Trojan will deprive a data owner of access to its own data unless a ransom is paid (often by Bitcoin or another blockchain currency). OCR’s presumption can be overcome, especially if health care data were encrypted prior to the incident (and presumably that would include data at rest). HHS’s ransomware guide provides that:

“Unless the covered entity or business associate can demonstrate that there is a ‘low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. … The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements.”

Thus, if there is anything to take away from this, it is to encrypt PHI – period.

OCR offers to work with the private sector to provide technical assistance.  This might be useful to very small, unsophisticated organizations.  Larger private sector entities arguably have resources and technical skills that surpass those of the government.  Indeed, the President’s Executive Order recognizes this.

We at Epstein Becker Green will have more to say about the ransomware threat and other cyber security vectors affecting the health care space. Expect a webinar and other publications like this one in the near future.

The Information Sharing and Analysis Organization Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to a Presidential Executive Order intended to foster threat vector sharing among private entities and with the government. ISAOs are proliferating in many critical infrastructure fields, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and disproportionate industry human and systems vulnerabilities.  Therefore, in advising their companies’ management, general counsel and others might benefit from reviewing the FAQs and answers contained in the draft document that can be accessed at the link below.

Announcing the April 20 – May 5, 2017 comment period, the Standards Organization has noted the following:

Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing had been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in several certain circumstances. As such proliferation continues, it likely will be organizational general counsel who will be called upon to recommend to their superiors whether to participate in such an effort.

With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.

To aid in that decision making, we have set forth a compilation of frequently asked questions and related guidance that might shed light on evaluating the potential risks and rewards of information sharing and the development of policies and procedures to succeed in it. We do not pretend that the listing of either is exhaustive, and nothing contained therein should be considered to contain legal advice. That is the ultimate prerogative of the in-house and outside counsel of each organization. And while this memorandum is targeted at general counsels, we hope that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.

The draft FAQs can be accessed at: https://www.isao.org/drafts/isao-sp-8000-frequently-asked-questions-for-isao-general-counsels-v0-01/

The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”), the agency tasked with enforcing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), recently announced that it will redouble its efforts to investigate smaller breaches of Protected Health Information (“PHI”) that affect fewer than five-hundred (500) individuals.

It has been widely known that OCR opens an investigation for every breach affecting more than 500 individuals; this announcement describes OCR’s new initiative to investigate smaller breaches as well.  OCR stated that in determining when it will open an investigation, it will evaluate a number of factors, such as: (1) the size of the breach, (2) whether the PHI was stolen or improperly disposed of, (3) whether an entity reports multiple breaches, (4) whether numerous entities are reporting breaches of a particular type, and (5) whether the breach involved unauthorized access to an IT system.  The announcement also notes that OCR may consider a lack of breach reports for a region, suggesting that OCR is interested in investigating potential under-reporting.

The announcement emphasized that, by investigating breaches, OCR can determine both large-scale trends among HIPAA regulated entities and entity-specific compliance issues that must be addressed.  The announcement also serves as a warning to persons and/or entities subject to HIPAA to ensure that their breach reporting and other HIPAA compliance efforts are up-to-date and ready to withstand any potential scrutiny from OCR.

By Arthur J. Fried, Patricia M. Wagner, Adam C. Solander, Evan Nagler, and Jonathan Hoerner

On September 2, 2015, the U. S. Department of Health and Human Services (“HHS”) announced a $750,000 settlement with Cancer Care Group, P.C. (“CCG”), a radiation oncology practice in Indiana, for Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules violations. The alleged violations occurred in 2012, but a subsequent HHS Office for Civil Rights (OCR) investigation led to allegations from OCR that there was a lack of compliance with HIPAA Privacy and Security Rules requirements dating back to 2005.

CCG notified OCR on August 29, 2012 of a data breach of electronic protected health information (ePHI) resulting from the theft of a laptop bag that was left unattended in an employee’s car.  The bag contained a laptop computer and unencrypted backup storage media.  OCR estimated that the stolen data included the names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information of approximately 55,000 current and former patients.

After receiving notification of the breach, OCR conducted an investigation that OCR alleged revealed CCG was in “widespread non-compliance with the HIPAA security rule.”  Specifically, OCR determined that CCG failed to conduct an enterprise-wide risk analysis at any time between April 21, 2005 (the compliance date of the Security Rule) and November 5, 2012, almost 5 months after the data breach.  OCR also determined that CCG failed to have in place a written policy covering the removal of hardware and electronic media containing ePHI from CCG facilities.  OCR noted that an enterprise-wide risk analysis would have determined that removal of unencrypted media was a high risk to the group’s ePHI security.

In addition to the $750,000 payment, the settlement requires CCG to adopt a robust corrective action plan to correct HIPAA compliance program deficiencies. The entire Resolution Agreement can be viewed here.

This case highlights the need for all covered entities and business associates to conduct regular risk assessments and vulnerability testing.  A proper risk assessment will help organizations to identify vulnerabilities to the ePHI they store. While the Security Rule does not mandate encryption, as it is an addressable implementation specification, this settlement again reinforces OCR’s position that unencrypted computer hard drives, mobile devices, and electronic media will be under intense scrutiny should a breach occur. Thus, in most instances it is advisable for those types of devices to be encrypted.

One thing’s certain – the vast and growing supply of data contained in electronic medical records systems will play a significant role in improving the speed and efficiency of research into new treatments in the years to come.  The challenge will be striking an appropriate balance between the unquestionable promise of this data to enable research – research that will enhance available treatments and save lives – and the rights of individual patients in the privacy of their health information.  Attempts to strike that balance are at the heart of current legislative, regulatory and policy initiatives that will shape the manner and extent to which this valuable resource will be used in the future.

Included in the 21st Century Cures legislation that passed the House on Friday, July 10, 2015 are changes to HIPAA intended to expand access to patient health records for research purposes.  Specifically, subject to certain requirements, the changes permit use and disclosure of PHI by covered entities for research purposes and remove the prohibition on remote access by a researcher to PHI. In addition, the long-anticipated proposed revisions to the Common Rule, pending with OMB, are expected to significantly alter the consent and IRB review requirements for many research activities, particularly for EMR-based research. For instance, the Advance Notice of Proposed Rulemaking sought comments on proposals to increase data privacy and security requirements for research data, while at the same time reducing informed consent requirements and IRB oversight of research using existing data or biospecimens.

The latest piece of the puzzle came in the form of the Proposed Privacy and Trust Principles for the Precision Medicine Initiative released by the White House on Thursday, July 8, 2015.  The Precision Medicine Initiative, first introduced in President Obama’s State of the Union Address and supported by $215 million in funding to NIH, NCI, FDA and ONC, aims to establish a voluntary national research cohort made up of at least one million individuals who agree to contribute data from a range of sources, which may include access to medical records, analysis of biospecimens, environmental and lifestyle data, patient-generated information, and personal device and sensor data.  This data will be aggregated and made available to qualified researchers, including those from academic, non-profit and for-profit entities.

The proposed privacy and trust principles provide broad guidance regarding the operation of the research cohort, including its “governance; transparency; reciprocity; respect for participant preferences; data sharing, access, and use; data quality and integrity; and security.” Established by an ‘interagency working group’ convened by the White House, the principles are intended to build privacy into the cohort and ensure confidentiality of patient health information.

Certain of the proposed principles will impact the accessibility and utility of the data to interested researchers, including those in the pharmaceutical and medical device industries, and the details of the further development and implementation of these broad principles will be of critical importance to those who hope to use the cohort data in their future research. For example, the requirement that all data users must publish or post their summary research findings publicly as a condition for use of data within the cohort may present challenges for many users. The nature of the findings that would be subject to that public disclosure requirement, and precisely how and when those findings must be disclosed, will impact whether industry, in particular, will be willing and able to leverage this valuable resource while maintaining necessary protections for proprietary information. Additionally, as the data are intended for use not only for hypothesis-driven research, but for hypothesis-generating and feasibility assessments as well, the nature of the findings that must be disclosed will need to be carefully considered to avoid imposing an undue burden by requiring publication of data with limited scientific value, and to avoid the potential disclosure of commercially sensitive information on the early research strategy or direction being contemplated by a researcher; this may limit the extent to which researchers are willing to utilize the data to its full potential.

Similarly, the manner in which certain principles are operationalized will determine how burdensome the use of cohort data will become. Specifically, the proposed principles contemplate a multi-layer consent model for participants in the cohort.  The working group determined that the duration and potential breadth of the research activities contemplated would render a single contact consent at the time of participant enrollment insufficient.  Instead, an ongoing, dynamic consent process has been proposed. As those involved in research know, the development, IRB review and approval, and administration of the informed consent process is burdensome, and the ability to forgo this consent for certain types of non-interventional records research would have a significant impact on reducing the cost and time required to conduct research using cohort data.  The extent to which the implementation of the consent process includes emerging practices for obtaining informed consent through remote, electronic means will impact the magnitude of this potential burden.

The White House is seeking public feedback on these privacy and trust principles online through August 7, 2015. Companies intending to use and participate in the cohort should carefully review these principles and provide feedback at https://www.whitehouse.gov/precision-medicine.

This post was written with assistance from Thejasree Kayam, a 2015 Summer Associate at Epstein Becker Green.