China’s Cybersecurity Law and administration of medical devices in China

“The China Food and Drug Administration (“CFDA”) has issued guidelines aimed to implement China’s new Cybersecurity Law (“CSL”) in the administration of medical devices in China. This development is a clear signal that Chinese regulators intend to enhance cybersecurity protection in the healthcare sector.”

http://www.bakerinform.com/home/2017/4/3/new-china-cybersecurity-guidelines-for-registration-of-networked-medical-devices

(from 2016) UK court decision on whether clinical trial data can be adequately anonymised

The below is from 2016.

Very interesting article from Freshfields, which shows the UK Information Commissioner (supported by the First Tier Tribunal) taking a practical approach to the anonymisation of personal data. It is also a reminder that clinical trial data might be subject to freedom-of-information requests in the UK under some conditions.

http://knowledge.freshfields.com/en/Global/r/1640/can_clinical_trial_data_be_adequately_anonymised__

Key points of interest include:

“There was no evidence that a third party, alone, could identify participants. The evidence showed that identification would be possible by combining the patient data with NHS data, but this would have involved an NHS employee breaching professional, legal and ethical obligations, and having the skill and motivation to do so. This level of conjecture was considered remote. It is not ‘any conceivable means of identification’ that must be considered, but only ‘those reasonably likely to be used’. We ‘must consider whether any individual is reasonably likely to have the means and the skill to identify any participant and also whether they are reasonably likely to use those skills for that purpose’.”

High-level summary

“The Information Commissioner had ordered Queen Mary University London to disclose patient data from a trial on chronic fatigue syndrome under the Freedom of Information Act. The Tribunal reviewed this decision.

QMUL ran several arguments but the one the Tribunal most struggled with was whether the data had been anonymised enough that it should no longer be considered personal data. If so, it would likely be disclosable under FOIA. If the data was not sufficiently anonymised, it would still be ‘personal data’ and would therefore have to be withheld from disclosure.

Although the Tribunal was split in its decision, the majority was in favour of upholding the Information Commissioner’s decision that the data had been adequately anonymised. QMUL was therefore ordered to disclose it.”

US Health Breach Notification Rule

While HIPAA is well-known, there are also breach notification obligations under the FTC’s Health Breach Notification Rule.

From the linked page below:

“Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.” [..]

https://www.ftc.gov/tips-advice/business-center/guidance/health-breach-notification-rule