Join Thora Johnson and Jeremy Sherer to learn about:
- Evaluating compliance through privacy notices
- Key questions to address, from leadership accountability to employee training
Jeremy: Thora, when you are getting ready to do diligence on a healthtech company from a health information privacy and security perspective, what is the playbook?
Thora: The very first thing I do is go on their website and see if they have a privacy notice. From the privacy notice, I can tell when it was last revised, so when did they last critically think about the data they're collecting. Do they state whether HIPAA applies to them? Do they have a consumer health privacy notice, which would signal to me that they're subject to either Washington's or Nevada's consumer health data privacy law? And I'll also look to see if they have state law addendums addressing the CCPA, the California Consumer Privacy Act, and other state consumer privacy laws. That'll give me a sense of their level of sophistication in thinking through their data privacy compliance program.
Then I ask questions like, can you identify your privacy officer and your security officer? Not that those have to be full-time roles, but that they have somebody who is accountable for their privacy and security program. And then questions like, do you run risk assessments? How often do you conduct penetration and vulnerability scans? Do you encrypt your data? And do you conduct privacy training?