These 2 articles appeared recently.
First we had:
At a glance: data protection and management of health data in Australia
Gilbert + Tobin Andrew Hii, John Lee, Kevin Ko and Susan Jones
Australia January 25 2023
Data protection and management
Definition of ‘health data’
What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?
Health data includes:
- information or an opinion about an individual’s health or any health services provided, or to be provided, to the individual;
- any personal information collected to provide or in providing a ‘health service’ to an individual (including organ donation); and
- genetic information about an individual that is in a form that could be predictive about the health of an individual (or relative of the individual).
The concept of ‘providing health services’ is very broad and can capture a range of services that may not be front of mind when thinking about health – for example, information collected by a gym on an individual in connection with a gym class, or Medicare billing information held by an insurance provider or debt collector.
Anonymised health data is not defined, although the Australian Privacy Principles (APP) Guidelines state that ‘anonymity’ means that an individual dealing with an entity cannot be identified. Critically, health data that may be anonymous in the hands of one entity may not be anonymous in the hands of another. The ability of an entity to link a data set with other information is relevant to whether data is truly anonymised.
Data protection law
What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?
Given the sensitivity of health information, its collection, use and management are regulated by the Privacy Act 1988 (Cth) (the Privacy Act).
Health data is treated more strictly than personal information under the Privacy Act. Health data is a subset of ‘sensitive information’ and consent is required for its collection.
Generally, an organisation can collect health data from a person if:
- the person provides their consent (express or implied); and
- the information is reasonably necessary for the organisation’s activities.
Implied consent arises when consent can be inferred from the circumstances and conduct of the person providing the health information. This is a higher test than that imposed on other personal information. The Australian government is currently undertaking a review of the Privacy Act. As part of this review, the government is considering updating the definition of ‘consent’ to be voluntary, informed, current, specific, and an unambiguous indication through clear action.
APP 11 requires entities to take reasonable steps to protect personal information (including sensitive information, such as health information) it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. According to the Office of the Australian Information Commissioner (OAIC) APP Guidelines, ‘reasonable steps’ will depend on the circumstances in each particular case and may include governance, culture and training, internal practices, procedures and systems, information and communications technology security, access security, and destruction and de-identification.
In addition, the handling of health information is also subject to certain state-based legislation, which differs from the Privacy Act in some aspects, but the differences are relatively minor.
Anonymised health data
Is anonymised health data subject to specific regulations or guidelines?
APP 2 provides that individuals must have the option of dealing anonymously or by pseudonym with entities subject to the Privacy Act. However, entities are not required to provide these options if the entity is required or authorised by law to deal with identified individuals or if it is impracticable for the entity to deal with individuals who have not identified themselves. There may also be practical consequences for patients who do not wish to identify themselves, as their ongoing healthcare may be difficult for organisations to manage and they are unlikely to be able to claim a Medicare or health fund rebate.
De-identification may be one way to protect the privacy of individuals. De-identification involves removing personal identifiers (such as name, address, date of birth, etc) and removing or altering other information that could identify an individual (such as unique characteristics). However, with the increasing capability of technology and the sophistication of cyber-attacks, it is becoming more and more difficult to de-identify data effectively. The Australian government is currently reviewing the Privacy Act, and considering increasing the relevant threshold from ‘de-identified’ to ‘anonymous’ (for information to no longer be considered ‘personal information’).
Types of de-identified health data include Medicare numbers and healthcare identifiers. Medicare numbers are primarily used by individuals to claim benefits under the Medicare Benefits Scheme. APP 9 restricts the use or disclosure of a patient’s government-related identifier to specific circumstances (eg, it is reasonably necessary to verify the patient’s identity for an organisation’s activities).
Healthcare identifiers are unique 16-digit numbers that identify individual healthcare providers, healthcare provider organisations (such as digital health organisations) and individuals receiving healthcare. Healthcare identifiers help to reduce the potential for mix-ups with health data and are the foundation for government initiatives such as the My Health Record system, in which individuals’ health information can be viewed securely online. They are not health records, but are limited to identifying information such as name, date of birth and sex to uniquely identify patients. The use of healthcare identifiers is regulated by the Healthcare Identifiers Act 2010 (Cth) and Healthcare Identifiers Regulations 2020 (Cth), which provide that healthcare identifiers may only be collected, accessed, used and disclosed for limited purposes (such as providing healthcare, for example, by using it to access the My Health Record of a healthcare recipient). In circumstances where a healthcare identifier is used or disclosed for purposes not permitted by the legislation, criminal and civil penalties may apply.
Lots more here:
https://www.lexology.com/library/detail.aspx?g=ed623baa-5d82-431c-b910-93df1efb76a6
And second we had:
At a glance: intellectual property for digital health in Australia
Australia January 25 2023
Intellectual property
Patentability and inventorship
What are the most noteworthy rules and considerations relating to the patentability and inventorship of digital health-related inventions?
Patentees of digital health-related inventions, which often require computer implementation in one form or another, need to navigate the patentability requirement in Australia. While abstract ideas and computer-implemented inventions are not regarded as patentable subject matter in Australia, patents directed to other aspects of digital health-related inventions such as hardware, telemetry and diagnostic tools may be patent-eligible.
Recently, the Full Federal Court of Australia found that an artificial intelligence system could not be named as an inventor on a patent application (Commissioner of Patents v Thaler [2022] FCAFC 62). The High Court of Australia (Australia’s apex court) declined to hear an appeal of this decision (Thaler v Commissioner of Patents [2022] HCATrans 199).
Patent prosecution
What is the patent application and registration procedure for digital health technologies in your jurisdiction?
The Australian patent system provides the same application process across all technologies, including digital health. There are no specific provisions for digital health technologies. IP Australia (incorporating the Australian Patent Office) is responsible for pre-grant examinations, pre-grant oppositions, re-examinations and amendments to patents and patent applications. As in other jurisdictions, the process of filing to grant can take more than 18 months.
Other IP rights
Are any other IP rights relevant in the context of digital health offerings? How are these rights secured?
Registrable IP rights are available in the form of design rights that safeguard the visual appearance of new and distinctive products, such as wearable devices that incorporate digital health offerings. Design rights are secured through an application process administered by IP Australia and last for five years initially (renewable for another five years).
Additionally, unregistrable forms of IP including copyright, know-how, trade secrets and confidential information may arise in the context of digital health technologies and offerings. Contractual measures (such as non-disclosure agreements) may help to protect the know-how, trade secrets and confidential information, such as secret algorithms in a digital health app, often in conjunction with physical and technological security measures. Copyright arises automatically in some subject matter likely to be integral to digital health offerings, such as in computer code in a digital health app.
More here:
https://www.lexology.com/library/detail.aspx?g=d962e883-acdd-4d0a-9ed2-12796cdd061f
As I browsed through all this I was reminded just how little I knew about Digital Health law and just how wide the topic was. If you are in a similar situation this may be a good place to start!
David.