Adaptive Biotechnologies Global Head of Privacy Alea Garbagnati, CIPP/US, enjoys her work at the crossroads of medical innovation and patient privacy, ensuring the research and devices her company develops are in compliance with a variety of privacy regulations around the world. At Adaptive, she implemented a principles-based approach to clinical trial work and product development to build an expansive culture around privacy.
Garbagnati will present as part of a panel discussion at the IAPP Global Privacy Summit 2023 in Washington, D.C., 4 April. The panel, titled "New health data privacy: Risk management in an evolving regulatory landscape," will address the shifting legal environment where entities such as health apps, medical device manufacturers and telehealth platforms currently find themselves.
In this Member Spotlight, Garbagnati speaks with Staff Writer Alex LaCasse about the complexities around responsible patient data use in the medical field and the future of personal health data collected by entities not regulated by the U.S. Health Insurance Portability and Accountability Act, given recent enforcement action taken by the U.S. Federal Trade Commission.
Editor's note: This conversation has been edited for length and clarity.
The Privacy Advisor: How did you come to work in privacy, and what interests you most about the field?
Garbagnati: I first wanted to do intellectual property law and I was passionate about consumer rights. That led me to an internship at the Electronic Frontier Foundation where I did some IP projects and found I was doing a lot of work with privacy. That’s where I got my feet wet in the topic.
When I graduated from law school in 2011, I was working with my alma mater building a clinic for a workshop for current students to get some practical experience with startups. I ran into an opportunity to step away from the law for a little bit to do consulting and privacy at Deloitte. That's really where my path to privacy kicked off, because I was advising companies on how to operationalize privacy and getting subject matter expertise in the field. My next step came after I met a manager on the first life science projects I was on. Without knowing much about me, on our first phone call he said, "I've heard you're good. I'm going to make you a life sciences person." And that was the start of my trajectory working in privacy in the biological technology space.
The Privacy Advisor: Starting with your work at Deloitte, how would you evaluate where your clients’ privacy programs were when you started in 2012 and how have you seen awareness of privacy evolve?
Garbagnati: Ten years ago (privacy) was not quite as big and there weren't nearly as many professionals in the field. There was a lot of education to be done at the time, and there still is. Today, there’s still confusion about when HIPAA applies, so I can't say that has changed too much. There definitely were projects where we spent a lot of time trying to explain when HIPAA did and did not apply. I had left Deloitte by the time the (EU General Data Protection Regulation) was finalized. Things in the privacy space really escalated in the years going into the GDPR.
The Privacy Advisor: Between your work now at Adaptive Biotechnologies, and previously at Roche, can you talk about how privacy is addressed in the medical field and how it is being scaled in industries that are not necessarily regulated within the bounds of HIPAA?
Garbagnati: What I love about doing privacy in this industry specifically, is that every question you're answering is actually two questions: Is this okay for people from a privacy perspective, and are you handling people's data correctly? And at the same time: are you doing good by the patients?
So it's about finding that balance. In some cases privacy and doing what's right for patients go in lockstep. Other times they veer a little bit. There are times where you have to collect a lot of data to get to the next step when you're working in biotech. A good example is you have to collect a lot of data to develop products like drugs or medical devices, and you have to do so before the product is released via clinical trials and after via pharmacovigilance to make sure the products work and aren't harming patients. Traditionally, when you apply the models of privacy laws we're seeing right now, they don't immediately translate to these collection activities. Part of what's both fun and meaningful about privacy in this space is trying to figure out the different puzzle pieces to address that concern at the cutting edge of health technology.
One of the big questions we had in our industry when we were implementing GDPR and (California Consumer Privacy Act), was how you apply these privacy laws, which are very focused on tech companies and apply that to medical devices? Sometimes you're a joint controller, sometimes you're an independent controller, sometimes you're a processor and sometimes you're none of the above. That’s just one question from when you're trying to figure out the complexity of applying privacy law. A lot of it is very heavy on privacy by design.
The Privacy Advisor: I want to focus on the highly regulated nature of this industry. With the research and development, the lengthy clinical trials to bring new pharmaceuticals to market, and all the regulations that come with the development of new medical devices, have you ever encountered issues where your company has been far along in the development of a new product, only to have the legal requirements shift out from under your feet midcycle? If so, how did you respond?
Garbagnati: That came up when everyone was implementing the GDPR. Clinical trials were a good example. Part of the challenge became what do we do for new trials? What do we do for ongoing trials? What continues to be fascinating about privacy in this industry is that, even for the GDPR which has been in effect for almost five years, we still don't know all the answers. There is still guidance we're waiting on, such as how to handle privacy in clinical trials. That answer is a lot more complicated because the stakeholders aren't just the study sponsor and the participants. You also have the ethics committees or Institutional Review Boards, who are weighing in with their own opinions on privacy laws.
The Privacy Advisor: You mentioned how privacy by design is becoming a crucial component in the development of new medical devices. Generally speaking, how would you say it has been implemented throughout the health care industry?
Garbagnati: The first thing to remember is there are so many products and apps out there. Generally, there are people doing privacy by design right and there are people doing it wrong. It does get complicated when you're trying to navigate mobile apps, especially when you're HIPAA-adjacent or even one step removed from HIPAA. People assume HIPAA is a benchmark, but that is not always the case. That's where we're seeing a lot of concern about gaps right now. What I always advocate for is working through a principles-based privacy program, instead of having controls specific to each law. That will govern the way you talk about privacy as you're developing products and building a culture of privacy in your organization.
The Privacy Advisor: Let’s discuss your current role at Adaptive Biotechnologies. You started as its international privacy counsel before becoming head of privacy, can you talk about your day-to-day responsibilities?
Garbagnati: You always start the day on one track. "Okay, I’m going to red-line some contracts, I’m going to work on a specific policy," and then things can change in an instant. I have a very solutions-oriented practice. So the answer is rarely no. I approach these questions as: "Yes, and." So, I might say, "You gave me this idea. It's not going to work as you’ve presented it, but let's try to find a way we can adjust it to make it work," and ensure we comply with regulations. Also, I’m always on alert for data breaches. In the back of my mind, I’m always fine-tuning breach notification and incident response practices, because all professionals should want to make sure those are in good shape.
The Privacy Advisor: When you look holistically at the entire medical data ecosystem with health apps that aren’t necessarily regulated by HIPAA, what are your thoughts now that the FTC has begun to take action against companies for selling patient data?
Garbagnati: No one likes when their industry is the target of a lot of enforcement, but it was also a long time coming in some ways. The FTC was talking about the gap in HIPAA and data collection with apps when I started my career. The FTC is a big player in this conversation. You're hearing about these big GDPR fines, but the FTC has teeth too, and we're seeing interest in this groundwork they laid years ago, which questions what data flows look like.
The Privacy Advisor: So, in your view, what would be the best solution for securing peoples' health data? Would it come in the form of some kind of amendment to HIPAA? Is the framework of the American Data Privacy and Protection Act sufficient? Or do you believe data health apps collect needs to be regulated in standalone legislation?
Garbagnati: It would be helpful to have a federal law, but it's important to acknowledge the requirements for protecting health data should consider that we operate in a unique and often heavily regulated space. What we see sometimes are things showing up in proposed bills that kind of address the issue but not fully. They don't consider some of the complexities companies in our space are already working with, or that there are often privacy-adjacent requirements and standards we operate with that fill some of the perceived gaps for health data, or there is so much gray area that it is hard to scale global operations. This was an issue with the GDPR, where the (European Data Protection Board) promised us for four years they were going to have guidance on clinical trials, and we still don't have them.
In an ideal world, we need legislation that meaningfully accounts for some of the complexities of how data gets handled, and protects patient privacy, but isn’t reflective of a knee-jerk reaction that might have been the result of seeing fines and settlements with companies engaged in less-than-ideal behavior. I don't think overhauling HIPAA is the answer. What some people don’t appreciate about HIPAA is that it’s a 30-year-old law that still covers most of what it needs to. It could benefit from tune-ups, but still works really well.