U.S.-EU Safe Harbor renegotiation misses deadline; FDA provides medical device design guidance; FTC settles false advertising claim with health care software vendor over encryption.

U.S.-EU Safe Harbor Renegotiation Misses Deadline

The deadline for the U.S.-EU Safe Harbor renegotiation, set by the EU Data Protection Authorities (DPAs) after the October 2015 invalidation of Safe Harbor was January 31. The EU DPAs have a meeting scheduled for February 2 to discuss the results of the renegotiation. Final terms of the new EU-U.S. data flows framework are reportedly on the table.

On February 1, the European Commission announced to the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) that the deadline had not been met, but once again stated that the parties are very close to an agreement. EU Commissioner Věra Jourová told the Parliament committee, “I believe the close relationship between the United States and European Union deserves these special efforts. We are close but an additional effort is needed.”

The DPAs have already begun discussing collaborative enforcement actions against companies that continue to rely solely on the invalidated Safe Harbor. The DPAs are expected to clarify their plans at their February 2 meeting, and at that meeting certain DPAs are expected to call for the collective halt to all data flows to the U.S. if a new U.S.-EU framework is not available.

FDA Provides Guidance on Connected Medical Device Design

The FDA published draft security and privacy guidance on connected medical devices to assist companies with the development and design of devices that connect to each other and hospital information technology systems via the web. The guidance is not law, but the FDA does have the authority to define minimum required labeling, design and validation of interoperable medical devices. This is relevant for medical device manufacturers who want to know what the regulators expect in device design. There is also an opportunity to influence policy through public comment on the draft guidance through March 28. See our full client alert on the FDA guidance here.

Medical Software Provider Settles Encryption Capabilities Claim with FTC

The FTC recently settled charges with Henry Schein Practice Solutions, Inc. that the company misled customers about encryption of patient data. The FTC complaint alleged that Henry Schein marketed software to provider groups to help them satisfy HIPAA security requirements by claiming the software met industry encryption standards when the company knew that the technology fell short of the National Institute of Standards and Technology (NIST) encryption standard. This case is yet another example of the FTC’s interest in the intersection between data security and patient privacy. Like with the FTC’s enforcement action in the LabMD case, the FTC has made clear that it has independent jurisdiction to enforce unfair and deceptive trade practices under Section 5 of the FTC Act regardless of whether HIPAA also applies.

Amended California Breach Laws in Effect

California’s amended data security and breach laws went into effect on January 1, 2016 and contain a number of changes.

First, the law now defines “encrypted” to mean “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.” The definition is important because data that is lost but encrypted is exempt from breach notification requirements.

Second, the law expands the definition of “personal information,” to include “information collected through an automated license plate recognition system.” Operators and users of automated license plate recognition systems must now also comply with specific notice and use limitations.

Finally, the law now requires particular headings in breach notifications. Such notices must now be labeled “Notice of Data Breach” and the content must be organized under the headings, “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”