Health care analytics make use of patient data to inform treatment decisions and is increasingly moving front and center in personalized medicine. For example, the President’s Precision Medicine Initiative (see post of January 26, 2016) has rolled out a program to collect health data from one million volunteers to inform and guide future research. Consumers too, outside the confines of the traditional health care system, are collecting and crunching their own data points with the help of smart phone apps that measure the numbers from steps taken in a day to blood glucose levels.
It is not inconceivable that this data will be shared domestically and globally, as informed analytics will drive research and development of new therapeutic interventions and preventive health care. The EU and the US recently reached a tentative agreement relating to the legality of cross-border data transfers. Under EU law, companies have to step through certain hoops to legally be able to transfer personal information, including health information, to the US. Until recently, one of the mechanisms to do this was for the US company to certify under the Safe Harbor agreement between the US and the EU. In October of last year, a high level EU court invalidated the Safe Harbor agreement due to deficient privacy and security protections, rising primarily out of the NSA surveillance revelations.
Technically since that time, companies relying on Safe Harbor have been violating EU law when transferring health information from the EU to the US. On February 2, the EU and the US reached a tentative agreement for a new Safe Harbor framework, now called “Privacy Shield.” For more information on the tentative agreement, see Foley & Lardner’s Legal News Alert: Tentative Agreement on New “Privacy Shield” Framework for Transatlantic Data Flows Reached.
Foley’s Legal News Alert is co-authored by James Kalyvas, Chanley Howell, Aaron Tantleff, Sophie Lignier, Steve Millendorf, and Michael Chung.