Lucid Privacy Bulletin: Healthy Data Privacy

SPOTLIGHT

US Health Data Privacy Landscape and its Ripple Effect

In 2023, the privacy race has expanded to include healthcare data, with states like Washington, Connecticut, and Nevada introducing data-specific bills to protect consumers of wellness services beyond the traditional confines of America’s healthcare system. This is in parallel to states like Illinois’ interest in biometric data privacy, with IL’s BIPA being the most consequential to-date.

  • On April 27 2023, Washington signed the My Health My Data Act (MHMDA) into law, creating robust protections for consumers and strong requirements for businesses in areas where HIPAA does not reach.
  • The act defines health data broadly, requires disclosure of data practices, prohibits selling of consumer health data (including biometric and location data), and extends obligations to processors and third parties.
  • Meanwhile, the FTC's enforcement actions against companies like Premom, GoodRx, and BetterHelp highlight increased attention at the federal level, underscored by the agency’s proposed updates to HIPAA's Privacy Rule and Congress’s introduction of the Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act.

In the absence of a comprehensive national privacy law, it is clear policymakers are finding political success with reforms affecting our most sensitive data.

We continue unpacking each of these issues and their implications for businesses in our blog post.



ACROSS THE POND

Health Data Privacy in the UK and EU

Enforcement actions within the health and life sciences sector have been on the rise in the UK and the EU. To date, DPAs from 25 different countries have imposed 154 fines totalling €15M against errant organizations.

How is health data regulated in Europe? Here are some ‘must knows’:

  1. The term "data concerning health" encompasses more than just medical records. Health app and inferential ailment data count. Mind your apps and wearables!
  2. GDPR is the overarching regulation. But most EU countries and the UK have enacted national health laws that supplement and in some cases go beyond the GDPR.
  3. For example, the French Data Protection Act and Public Health Code create strict requirements for private and public health sector actors. And in 2020 CNIL published guidance on health data processing and retention practices.
  4. Consent is not the sole legal basis for processing health data. However, it is crucial to understand where consent is required to ensure appropriate and sufficient lawful grounds are documented under national law.
  5. For example, a French health study participant must agree to have their identifiable information shared with the study’s sponsor. Without the participant’s consent only pseudonymized or anonymized information may be shared.
  6. Consent to use health data, like other ‘special category’ data, must be explicit. This generally means an enhanced, standalone request followed by an express, legally binding response. Examples include voice recordings, hand or e-signatures, and double opt-ins.
  7. Health data can be reused for legitimate scientific research provided that research is compatible with the original use and all appropriate safeguards are in place. Here again national laws and regulations play an important role.
  8. When relying on anonymization to process data, caution must be exercised, taking into account the risk of unauthorized disclosure or re-identification. Privacy Enhancing Technologies like differential privacy and on-device processing are playing an increasingly important role in this regard.

SECURITY IN FOCUS

Unleashing DarkBERT in the Battle Against Cybercrime

Amidst the intricate labyrinth of artificial intelligence (AI), a formidable figure, DarkBERT, emerges from the shadows. No, this isn't some reimagined, AI-hallucinated remake of the 'Dilbert' comic with gallows humor. This newly-invented AI tool, Lucid Folks, is far better than that!

What is DarkBERT?

Born within the realm of natural language processing (NLP), DarkBERT represents a paradigm shift that holds the key to empowering cybersecurity professionals in their tireless fight against the relentless waves of cybercrime.

DarkBERT, an evolution of the esteemed BERT model, possesses an unyielding determination to venture where others falter. Delving into the linguistic abyss, DarkBERT unveils concealed subtleties buried within vast text repositories, laying bare the hidden patterns and connections that serve as vital clues in combating cyber threats.

How Does DarkBERT Work?

Through the power of unsupervised learning, DarkBERT devours vast quantities of unlabelled data, honing its ability to decipher context and empowering cybersecurity guardians with unrivaled comprehension.

DarkBERT's true potency lies in its uncanny capacity to encapsulate the essence of a text, adeptly contextualizing meaning within the broader linguistic landscape. With this unparalleled contextual sensitivity, cybersecurity professionals can leverage DarkBERT's capabilities to discern intricate nuances, unravel malicious intentions, and swiftly respond to emerging cyber threats.

DarkBERT effectively serves as a bridge, seamlessly connecting cybersecurity professionals' human expertise with artificial intelligence's analytical prowess.

A Double-Edged Sword

However, with great power comes great ethical responsibility. It is imperative that the use of DarkBERT remains aligned with societal norms and operates within the realms of ethical cybersecurity practices. By harnessing DarkBERT's potential with utmost prudence, cybersecurity professionals can effectively combat cybercrime while maintaining the integrity of their mission.

A Word for the Wise

Armed with the knowledge of how the legions of cyber devils can leverage DarkBERT just as adeptly as the 'good guys', let us forge ahead (with caution!), guided by ethical considerations, leveraging DarkBERT's might to secure a safer digital future for all.

Go Blue-team!


ROUNDUP

  1. UK ICO Warns About Higher Bar for Health Apps Using AI. The UK ICO has stated that the context in which generative AI is used is crucial. Therefore greater compliance expectations may be placed on health apps utilizing generative AI compared to retail-focused apps. Health care businesses will need to demonstrate how they have addressed risks specific to their context, even if they are using the same underlying technology.
  2. Nevada Passes Health Data Privacy Bill. Effective March 31, 2024, Nevada's new health data law requires separate informed and freely-given consents to collect, disclose or sell consumer health data. Notably, the bill allows consumers to learn the specific parties to whom their health data was disclosed or sold, and bans the geofencing of healthcare facilities.
  3. FTC Dings DNA Testing Company Over Privacy Policy Changes. The FTC’s action against 1Health.io underscores that changing a privacy policy and retroactively applying it to uses of previously collected personal information could be an unfair business practice. Organizations should refer to the FTC’s oldie-but-goodie guidance regarding material changes to personal information uses.


READINESS TOOLS

Pan-US Readiness Record (US)

Utah Readiness Record (UCPA)

California Readiness Record (CCPA/CPRA)

Virginia Readiness Record (VCDPA)

Colorado Readiness Record (CPA)

Connecticut Readiness Record (CTDPA)

Transfer Impact Assessment Template (TIA)

China Transfer Impact Assessment Template (PIPIA)
