Data Privacy Best Practices for Biotech Companies

More than most other kinds of entities, biotechnology companies must understand privacy law compliance in order to handle information about patients and research properly. For example, biotech companies that conduct health research routinely collect personal data that is highly sensitive in nature and/or is imported from clinical trial sites outside of the U.S. Myriad laws govern how that data must be handled.

Health Insurance Portability and Accountability Act (HIPAA)

While biotech companies are not typically considered covered entities, there are occasions when HIPAA can still affect them, and they need to know its requirements if they interact with covered entities. One common way that biotech companies fall under HIPAA requirements is by providing health services as part of a research study and then transmitting health information electronically to a third party. Because HIPAA is the most significant federal law governing health information privacy, it is critical for biotech companies to know if and when it applies to them and to their business contacts.

California Online Privacy Protection Act (CalOPPA)

Cal. Bus. & Prof. Code §§ 22575-22579 requires all commercial operators of websites or online services (including mobile apps) that collect personally identifiable information from California residents to conspicuously post and comply with a privacy policy. Essentially, this means any company that does business in or with California and has an externally facing website needs a privacy policy.

EU-U.S. Privacy Shield

On a more specialized level, EU privacy law governs how U.S. businesses may legally receive data from the EU about European citizens. This is a key consideration for organizations, including biotech businesses, that routinely receive identifiable information from the EU, such as when conducting clinical trials. In addition, multinational companies with European offices or employees must abide by the EU's regulations when transferring personnel data.

Data Security

In addition to complying with the above laws, biotech organizations should understand that they often have very sensitive, confidential information stored on their mobile devices, networks, and computers, and should employ practices to mitigate the risk of a data breach. The specifics, of course, will vary depending on the nature of the business, but below are some practical measures for all biotechnology companies to consider:

  1. Biotech companies should be aware of the risk that their devices, hardware, and servers could be unlawfully accessed and plan accordingly to keep them secure. Using password protection on these devices is a bare minimum. They should also be wary of joining unsecured internet hotspots, should run anti-virus protection on their phones, and should treat a mobile device as they would a wallet, securing it physically at all times. Small businesses are 50 percent more likely than larger businesses to report a physical breach, theft, or loss of unencrypted data on electronic devices, so encrypting data on any mobile device, as well as on laptops, desktop computers, hard drives, and USB drives, is a good practice.
  2. Companies should have privacy policies that are followed consistently in all key areas of privacy risk. These should include, at a minimum, a record retention policy. Once the retention period for a record has expired, a company takes on additional data breach risk by continuing to keep the confidential document.
  3. When a biotechnology company uses a cloud service, it should realize that it is still responsible for a data breach. Cloud providers spend significant time and money to ensure that a data breach does not occur, so they are a good way to manage risk. However, unless the company obtains an indemnification clause from the cloud provider, the company retains liability.
  4. On a related note, companies should consider limiting access to private data, whether in the cloud or on local hardware, to those employees who have a "need to know." Servers should be segregated where possible so that not all employees can see, or even store, information in every electronic location.
  5. When employees log in remotely, biotech companies should make sure they are doing everything they can to secure their systems, such as requiring strong passwords and keeping software updated. They should also consider additional security measures such as firewalls, limiting which users can log in remotely, and setting an account lockout policy that triggers after a certain number of incorrect password guesses. Use a personal firewall when logging on over unsecured Wi-Fi, such as at Starbucks.
  6. Biotechnology companies' vendor contracts should address privacy and confidential information and be sufficiently protective of client and employee information. Biotech companies must not assume that vendors will take all necessary measures to protect sensitive information unless those measures are spelled out in the contract.
  7. Malware and hacking present the greatest threat to businesses in terms of breaches of personal information. Malware can be delivered via "phishing," which deceives employees into opening a link or attachment in an email that downloads malicious software. Biotech companies should train employees to spot phishing emails and should upgrade to new versions of browsers and other critical software when earlier versions are no longer supported and patched. Training all employees in privacy best practices and internal privacy policies is one of the best things a business can do to avoid a breach.

While the above practices won't make biotech companies data breach proof, they will go a long way toward protecting patient and customer data and avoiding regulatory penalties, so that these companies can continue to provide products, research, and services that are essential to society.