Adam Greene, Partner, Faith Knight Myers, Jennifer Archie

Chairs:
Adam Greene, Partner, Davis Wright Tremaine LLP
Faith Knight Myers, Global Privacy Leader, McKesson
Jennifer Archie, Partner, Latham & Watkins

Session A – 09:00am – 10:15am

What’s New in Health Information Privacy and Security
Potential changes to HIPAA. A record-breaking Office for Civil Rights (“OCR”) enforcement year behind us. Increased state attorneys general HIPAA actions. New state privacy and breach laws and their relation to health information. This session will share what the moderators and attendees have been seeing over the past year on health information privacy and security and forecast what is to come.

Session B – 10:45am – 12:00pm

Preparing for and Working with Different Health Privacy Regulators
HIPAA is a floor, not a ceiling. It does not preempt laws that create stricter requirements for PHI, and other laws can augment its requirements, even for covered entities. As personal information has become a monetizable asset, privacy compliance/risk experts face expanding, overlapping, and sometimes conflicting regulatory and operational ramifications of novel use cases, as to health data in use both inside and outside of organizations. HHS, FDA, the FTC, state Attorneys General, international data protection or other authorities, self-regulatory bodies, commercial partners – each, any, and all such actors may impose responsibilities to secure and manage personal information relating to data practices and innovative progresses. This session will review practical data management policies and procedures to optimize interactions with diverse actors, including around hot topics such as patient access to and control of health information, use of health information for ad-targeting, and breach and incident management processes. And YES! We can talk about the California Consumer Protection Act and the scope those pesky exemptions for medical information, specifically.

Session C – 1:30pm – 2:45pm

Emerging Health Privacy Questions
In the world of AI and machine learning, what is “research”? How does “minimum necessary” apply in a sector where more data is always sought? When, if ever, is genomic data considered de-identified? Can health systems combine their group health plan, wellness, and clinical data? This session will explore and discuss some of the most vexing health information privacy questions, as raised by both moderators and

Session D – 3:15pm – 04:30pm

Business Associate Challenges
The regulatory requirements and challenges of business associates have changed over time under HIPAA/HITECH regulations, state privacy health care laws and regulations as well as customer expectations. This session will cover some of the requirements, challenges, and practical considerations that come into play for business associates. We will discuss common misperceptions (or perhaps differing interpretations) of business associate requirements from both moderators and attendees.

Readings:

Adam Greene
Adam Greene

Partner
Davis Wright Tremaine

Faith Myers
Faith Knight Myers

Global Privacy Leader
McKesson

Jennifer Archie
Jennifer Archie

Partner
Latham & Watkins