Attorneys Highlight Broad DOJ Definition for Personal Health Data
Organizations should be aware of how broadly DOJ defines “personal health data” in its data transfer rule, attorneys at Bodman said in a Thursday post.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Authors noted how DOJ guidance makes clear that personal health data isn’t limited to “Protected Health Information or data collected by Covered Entities as regulated by” the Health Insurance Portability and Accountability Act (HIPAA).
Instead, it’s defined as “data collected or held by any entity that indicates, reveals, or describes the past, present or future physical or mental health condition of an individual, provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual,” they said. This includes data about basic physical attributes, as well as exercise data collected by fitness apps.
Attorneys recommended healthcare organizations "(1) assess data license agreements and other agreements to determine whether data covered by the DSP is implicated; (2) assess whether the impacted agreements constitute a prohibited or restricted transaction; and (3) assess whether there is either access by, or any restrictions within the agreements to limit access by, ‘Countries of Concern,’ ‘Covered Persons,’ or additional restrictions on further access or circulation of data in agreements with any foreign person.”