In 2013, the Federal Department of Health and Human Services (HHS) issued final omnibus amendments to regulations arising under the Health Insurance Portability and Accountability Act (HIPAA). The omnibus rules implemented privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The omnibus rules required a new and significant compliance burden, widened the scope of those burdened with compliance and provided for large penalties for noncompliance—something new under HIPAA. Although HITECH and HHS’ omnibus rules had been a long time coming, many affected entities took a “wait and see” approach to compliance. For some, budgets were not prepared for compliance; others did not believe that there was significant risk of a breach. Worse, some believe that the risk of getting caught was insignificant in light of the cost and burden of compliance.

It has since become clear that reportable breaches happen to every covered entity and business associate; frequently multiple times a year. These breaches are not only of personally identifiable health information protected under HIPAA, but of other personal information outside of the health care context. These breaches now not only implicate more than HIPAA, but more than U.S. law alone.

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that will have both a direct and indirect effect on U.S.-based biotech and life sciences companies. The GDPR itself allows the EU to fine, and individuals to sue, U.S.-based companies if they collect “personal data” of any “natural person” who is in the EU at the time of the collection. Citizenship in an EU member state is not a requirement for protection under the GDPR. While there is no framework in place for GDPR member states to effect their fines of U.S.-based companies, people who sue U.S.-based companies under the GDPR in the EU might be able to domesticate and enforce judgments in the United States on a state-by-state basis if the state has enacted the Uniform Foreign Money-Judgments Recognition Act, or similar statutes.

The GDPR is a very broad and comprehensive effort aimed at regulating the collection, use, maintenance and rights of persons to data; this comprehensive approach is finding purchase here in the Unites States. The California Consumer Privacy Act, passed in June 2018, and which becomes enforceable in 2020, provides broad protection and rights to consumers with regard to their data and data privacy. Consumers not only have a right to be notified of a breach of their data, but to know how that data was used by companies covered by the CCPA. Many biotech firms will not be covered by the CCPA, as it tends to affect only larger organizations; however, the laws of many states will bring similar laws to bear on smaller companies.

For instance, Massachusetts, Illinois, New York and Pennsylvania have data breach notification laws that apply to any business holding personal information of state residents—although definitions and requirements vary. New York, in particular, just passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which imposes stringent data security requirements for any business collecting personal information of New York residents; this law also takes effect in 2020. Data security compliance is part of the GDPR and the Massachusetts and California laws, among others.

What does this mean for companies operating in the life sciences and biotech industries? These companies frequently store and utilize personal information of consumers, patients, clinical trial participants and others. This data is not only used in the primary business of the company, but in the analytics and secondary income stream products and services they create. Not only do they now have to comply with HIPAA, but with a patchwork of national and international laws requiring differing levels and types of data security and breach notification compliance.

A HIPAA breach problem or administrative data privacy investigation can quickly become far more serious than the results of the mere breach; investigators will look at a wide range of compliance obligations, whether or not related to the breach being investigated. Similarly, expect that states’ agencies and attorneys general will investigate a company’s data security compliance well beyond the scope of any one breach.

It will be difficult for any company, especially emerging growth entities, to comply with a 50-state and international patchwork of data security laws and regulations. At the same time, avoiding compliance because the risk of getting caught is less concerning than the cost and time of a difficult compliance effort can be terminal for a company.

When advising biotech and life sciences clients, it would be useful, then, to consider the following:

• A patchwork of laws frequently results in federal law preempting state laws—but in the meantime, a compliance effort should be undertaken.
• Data security compliance is as much of a public relations and brand issue as it is a compliance issue. While accidental breaches are regular—and consumer appear inured to them—consumers and corporate clients will not be interested in (and may legally be prohibited from) doing business with a company that knowingly ignores data security.
• Companies are collecting information from people all over the country as well as the globe; merely being in a state that does not have significant compliance obligations does not remove the business or legal case for compliance.
• Cyber liability insurance is critical; however, not all insurers are well versed in this growing market. It is wise to research the providers and obtain the assistance of a good broker who concentrates in this area.
• Having one set of overarching data privacy policies in place, in an easy location for all stakeholders to locate, is also critical, as well as training to those policies on an annual basis.
• Encryption of data at rest and in transmission can cure many problems before they become serious. There are many SAAS providers charging monthly rates for these services; encryption is so critical that companies would be well advised to consider making this a part of their permanent budget.
• Willful or knowing noncompliance is far more dangerous than inept compliance; companies must begin consideration now of how they will meet their current and 2020 obligations. This means both budgeting and planning.

If you represent life sciences and biotech companies, begin discussing these issues with them now; if they are raised in 2020, when compliance is due, they won’t have budget or attention span for them. Preparing your client for this new reality will be as important as advising them through it.

Christopher Ezold is a partner in the business, corporate and tax practice group of Wisler, Pearlstine, as well as an assistant director of the firm’s general counsel initiative. Ezold acts as outside general counsel to companies in the biotech, life sciences, health care, emerging growth and technology industries. He is also a sponsor of the Mid-Atlantic Region of The Keiretsu Forum, the world’s largest angel investment group. Contact him at [email protected].