Attorneys Highlight Broad DOJ Definition for Personal Health Data
Organizations should be aware of how broadly DOJ defines “personal health data” in its data transfer rule, attorneys at Bodman said in a Thursday post.
Authors noted how DOJ guidance makes clear that personal health data isn’t limited to “Protected Health Information or data collected by Covered Entities as regulated by” the Health Insurance Portability and Accountability Act (HIPAA).
Instead, it’s defined as “data collected or held by any entity that indicates, reveals, or describes the past, present or future physical or mental health condition of an individual, provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual,” they said. This includes data about basic physical attributes, as well as exercise data collected by fitness apps.
Attorneys recommended healthcare organizations “(1) assess data license agreements and other agreements to determine whether data covered by the DSP is implicated; (2) assess whether the impacted agreements constitute a prohibited or restricted transaction; and (3) assess whether there is either access by, or any restrictions within the agreements to limit access by, ‘Countries of Concern,’ ‘Covered Persons,’ or additional restrictions on further access or circulation of data in agreements with any foreign person.”