E160 - Kimberly Gold, Chief Privacy Officer, Senior Associate General Counsel and Executive Director, Privacy Law,  Genentech (BioTech)

37:57

SUMMARY KEYWORDS

privacy, hipaa, health, organizations, privacy laws, data, information, laws, ai, law, apply, regulations, state, healthcare, area, regulated, work, clinical trial, washington, breach notification rule

SPEAKERS

Debbie Reynolds, Kim Gold

Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show today. This is Kimberly Gold. She is the Chief Privacy Officer and Senior Associate General Counsel and Executive Director for Privacy and Law at Genentech, which is a biotech company. Welcome.

Kim Gold  00:50

Thank you. I'm happy to be here today.

Debbie Reynolds  00:52

Yeah. Happy to have you on the show today. We've been connected on LinkedIn for quite some time. I was really interested by, and I love your commentary and the things you say. And I think the area of tech and emergent technologies mesh together really well. And I thought you'd be a great person to talk to on the show.

Kim Gold  01:14

Thank you. And I love talking about this area; I find it very fascinating and exciting. I think also, what's interesting about working in this industry is seeing the impact that your work can have on patient care, on new medical treatments, advancing clinical research and overlaying that with working in privacy, which is super exciting and constantly changing. It's a really fun area to be in.

Debbie Reynolds  01:43

I agree. I agree. I have friends that are in biotech and pharmaceutical companies, and you know, it's just mind-boggling, the issues that you all deal with. Tell me a bit about your journey. How did you get here? How did you get to this place in your career?

Kim Gold  02:00

Yeah, that's a great question. I think if you ask 10 different privacy professionals how they got into privacy, you'll probably get 10 entirely different answers. For me, I have a legal background. So I did go to law school. I graduated in 2008. And I went to work at a big law firm in 2008. And I started as a corporate attorney. And that wasn't the best time to start as a corporate attorney, given the financial crisis that occurred around that time. And I'd always been interested in healthcare and pharmaceuticals. So my firm had a practice that was focused on healthcare, regulatory, and transactional issues. And at that time in 2008, I wasn't aware of any firm, at least then, that had a privacy practice at that time. But I did find healthcare really interesting. And the work was slowing down in the corporate area, but still pretty active in regulated areas like health care. So I started to do some work with the healthcare team. I really enjoyed it. I started learning about healthcare regulations; I worked on transactions involving healthcare facilities. And I developed an interest in how technology and healthcare would be intersecting and seeing that would likely be the future of healthcare. No one at my firm was really doing healthcare privacy work. I started to get involved in industry organizations like the American Health Lawyers Association, they had a health information technology group that I joined to try to learn more; I started reading up on Healthcare Information Technology, which is now more commonly referred to as digital health, I suppose. And kind of started to teach myself about how healthcare technology was regulated; I started to teach myself about HIPAA and healthcare privacy. And then, there was some work that I found in my firm in the area of at least HIPAA. And so I had an opportunity to get some real-world experience doing that work. 
And then, when I moved to another firm that was more deeply involved in the biotech space so that I could do more healthcare technology and healthcare privacy work, I really got deep into healthcare privacy, and then from there, expanded into general privacy and especially working with different companies that are outside of the HIPAA regulated space. So like many pharma and biotech companies don't have direct HIPAA obligations. So I started to learn more about general privacy matters, like consumer protection laws, like the Telephone Consumer Protection Act that applies to text messages. From there, I was able to do a year-long to come in and Pfizer's global privacy office as part of my work at another firm that I had moved to with a partner that I'd been working with. And so that was a wonderful experience. It helped prepare me for the role I'm in today. And I just continued to do work with a variety of companies in and out of the health and life sciences space and privacy over the next few years. And then, three years ago, I was a partner at a law firm. And Genentech was one of my clients. And I was working with them counseling on the CCPA at the time, and they had this role open. And so then I went to work for Genentech; it just seemed like one of my dream jobs; something I'd always wanted to do is work in a privacy team and a pharmaceutical company. And that's how I got to where I am today.

Debbie Reynolds  05:41

I love that story. I love the story that you really sought out those opportunities; you taught yourself, you found that this is the area you really wanted to dig deep in, and you really just carved your own path. And I think that's fascinating.

Kim Gold  05:56

Yeah, I think there are so many opportunities still for people that are interested in privacy, interested in doing more technology-related work; if they're lawyers, or if they're not lawyers, there are so many opportunities in this field. And there are ways to self-educate. And sometimes, there are opportunities to find another individual or team in the organization that you're already in that might be doing the work that you'd like to do. And maybe you can work with them. I've had people internally reach out, and it's been great for me to have more individuals and teams that want to work with privacy, and we can partner together. And so it's a really exciting area to be in with a lot of opportunities.

Debbie Reynolds  06:38

Yeah, I can imagine. I remember I was on a panel once with an attorney from a famous firm. This was around 2016. And we were talking about different implications of privacy laws around the world. And his thing was that he thought HIPAA covered everything that had to do with health, and I just thought he was crazy. So for people who don't understand, I think a lot of people have a misconception that anything health-related is covered by HIPAA. But tell me about how not just HIPAA but how these other laws play into the life science space.

Kim Gold  07:29

Sure, it's a huge misconception, even in the healthcare and life sciences space. Even by lawmakers, though, we've had the opportunity to influence some of the recent lawmaking and to clarify some of the language and how these laws cover or don't cover companies in this space. So HIPAA is absolutely not a law that covers the privacy of all healthcare information. In the US it covers a limited scope of healthcare-related information in the United States; it was initially passed as well; it's in the name the Health Insurance Portability and Accountability Act. So it was passed as an insurance portability law. And if you think about it, it really applies to the traditional health care provider-patient context, and more specifically for providers and for health insurance companies, but providers that bill to the insurance company, so having that nexus there, of the billing to insurance is really what brings a provider or health insurance company under the scope of HIPAA. So there's a huge gap between what is covered by HIPAA, which is really, again, information that might be shared or used in a traditional patient-provider context, versus all the other healthcare information that's collected and used in the United States. The direct-to-consumer healthcare apps, for example, that is getting a lot of attention from lawmakers because, in most cases, that data is not covered by HIPAA. And that's where the State and Federal governments have really tried to fill this gap. And we've ended up with a bit of a patchwork of laws. 
And so the more recent State privacy laws, I think we're up to at least a dozen by now, have tried to define healthcare information and cover data that's not covered by HIPAA, and they usually carve out data that is already covered by HIPAA assuming that it's already being regulated by another agency, but both the recent lawmaking Federal enforcement as well is focused on this health data that's not covered by HIPAA and lawmakers are really looking at different solutions here. There have been discussions in Congress about expanding HIPAA potentially to cover more health data. But it makes things interesting because there's kind of this layering of the different privacy laws that may or may not apply to health data. Medical research data is also generally subject to clinical trial regulations that require informed consent. And so when these new State laws or proposed Federal laws are coming out or being proposed, we're really looking at each one that that is proposed, we in the industry are really looking at each one to see what is the impact that this law might have on us and our important medical research activities, for example, where generally the intent seems is that this the new lawmaking is intended to fill that gap, though, where HIPAA is not already covering the health data?

Debbie Reynolds  10:48

Yeah, I think there's a huge confusion. I always tell people HIPAA isn't a privacy law. It's a law about data portability, but it has privacy parts in it.

Kim Gold  11:01

No, it's true, HIPAA is the insurance portability law, and then there's privacy and security regulations under that. And so there's also applicability to service providers of organizations that are providers or health insurance companies to capture those vendors or third parties that are handling that data. So there's also obligations on those parties. And I think a lot of software organizations, for example, are often surprised to learn that they're under HIPAA scope. There is also this paradigm now of other State and Federal laws. There's also State medical privacy laws that are more aligned to HIPAA than the general privacy laws. And then you add, on top of that, there's newer State genetic privacy laws. There's newer State biometric privacy laws and tracking and reviewing each of these and really looking at how these could impact, in my instance, I'm looking at medical research and what the impacts might be, and whether any changes might need to be made to ensure that there's no negative consequences for medical research, while still ensuring that the privacy is maintained of that information. And largely because it's usually regulated under clinical trial regulation is already in sometimes we're explaining to lawmakers what the impact might be and how the language can be adjusted while still maintaining the privacy of individuals’ information.

Debbie Reynolds  12:37

Yeah, I think that's true. There's a regulation or law around breach of security I'm sure you're familiar with. And this covers people who do health apps. A lot of people haven't heard of this, but it really is trying to fill that gap where companies that aren't subject to HIPAA but also collect medical information or health information. They are subject to the breach of security rule, which is basically saying if you have a breach, you have to take these steps, even though HIPAA does not apply to you. What are your thoughts about that law?

Kim Gold  13:14

Yeah, again, I think another area where the Federal regulators are trying to fill the gap is that HIPAA doesn't cover that. Yeah, the Health Breach Notification Rule is, it's an old rule. And it wasn't really applied very much until pretty recently. And now the FTC is leveraging that rule in enforcement actions against companies that are handling healthcare data that's not subject to HIPAA. Like I believe GoodRx was one of the early enforcement actions that applied the Health Breach Notification Rule. And there are also discussions and comments gathered at the Federal level on how to potentially not only revise HIPAA but also potentially revise the Health Breach Notification Rule. And this is, of course, on top of the state breach notification laws that exist in every single State and say something a little bit differently in each State. And some of those do explicitly cover health information, but most do not.

Debbie Reynolds  14:17

I would love for you to explain to people what PHI is, personal health information. Sometimes people get it confused with PII or personal data. But if you could explain, that'd be great.

Kim Gold  14:32

Yeah, sure. I mean, PHI is officially a term of art under HIPAA that stands for protected health information. And so legally, it's a term that is used to describe how the information that's personally identifiable that is subject to HIPAA, that falls under that scope that's either collected process maintained by one of those organizations that are already subject to HIPAA. It's also used pretty colloquially, I think, to describe personally identifiable health information and other contexts and sometimes that the information is thrown around. But I think the distinction is that personally identifiable information is broader and can be any information that's can be used to identify an individual but personal health information, protected health information is really a subset of that. That is that health information that could be used to identify a person that relates to health treatment or healthcare services that person might be receiving or their diagnosis, for example, is another example where if it can be tied back to the individual with their name, for example, that it's probably within that scope of personal or protected health information.

Debbie Reynolds  15:48

Very good. Thank you. Tell me, how is AI impacting your work in privacy?

Kim Gold  15:56

I think AI is impacting everyone's work in privacy right now. And as companies are finding new ways to use artificial intelligence, and in many instances, there are privacy considerations, such as when personal information is being used to train models. And sometimes there are no privacy issues if there is no personal information being used. What a lot of people don't realize in these discussions around regulating AI is there is some AI regulation already existing in privacy laws as we have them now, particularly in certain State laws, where the use of automated decision making is regulated by some of the State laws, and we're seeing more laws focused on the use of AI in hiring and employment decisions.

Debbie Reynolds  16:55

I think that's what AI does; it heightens some of the privacy issues or privacy concerns, especially, as you said, personally identifiable information can be slipped up into those models. So I think this is definitely a balancing act for companies. So I've seen companies do this in three ways. So they either try to shut the gates and like, okay, we're not going to use AI, which I don't think is realistic, or they go full force ahead without really thinking about risk because they're really excited about the innovation. And then I think more people fall in that middle space, where they're like, well, let's take a look and see what makes sense to use AI for and make sure that we are understanding the risk. We're educating people about how and when they should use AI; what are your thoughts?

Kim Gold  17:48

Right, it's completely unrealistic to say that an organization can never use AI at all; I agree with you. It's more about educating on the responsible and ethical uses of AI and how data can and cannot be used. And a lot of times, because privacy is so data heavy, when a company is looking to use AI or using AI, privacy is often one of the first calls. And sometimes, companies are kind of grappling with where should AI really sit within the organization because it is broader than privacy. But it also becomes a privacy issue when personal data is involved. And so, a lot of privacy organizations within companies are deeply involved in AI initiatives and guiding the business on how to use data and use AI responsibly and in compliance with laws. So I think it's more about helping the business and working together with the business to ensure it's used responsibly rather than shutting it down. There are also many beneficial uses, potentially, particularly in the medical space, for the use of AI. So we often find that there's more of a partnership between the privacy team and the business team than what you might normally think of as legal counsel. I enjoy that part of this work; I enjoy that part of being in privacy is really partnering with the business, finding innovative solutions, and helping them find ways to move forward in a compliant fashion that protects people's privacy.

Debbie Reynolds  19:29

There are so many different groups that work within businesses and corporations. I think as a privacy person because privacy is such a horizontal issue. You have to work with the entire organization from top to bottom, but then also you have to find a way to have champions in different groups. So how do you go about getting buy-in from different groups or developing champions within different groups for privacy?

Kim Gold  20:02

Yeah, there's a lot of education, I would say, almost every day on privacy, and this is an emerging area too. And it is getting more attention internally and externally, as there are new uses of data, potential uses of AI and new legislation; a lot of organizations have a concept of privacy champions; as you mentioned, we have a privacy network internally that has been developed. We have similar to champions; we call them liaisons throughout different functions in the organization representing functions throughout the business, IT, other parts of legal and compliance, and many other areas of the organization, and together making up this larger network that the privacy office leads, and we're giving guidance, for example, on implementation of new privacy requirements. Then, we rely on and partner with the liaisons throughout that network to help us implement those new requirements throughout the business and help us monitor, and also, it's a two-way conversation. So those liaisons can help educate their teams. They can also bring new matters or issues that could have privacy implications back to us and keep us educated on things that might be happening in the business or areas where they need additional guidance, legal advice, or things like contract terms or additional training. So it really is this collaborative relationship. And I think it's necessary to have that because privacy does touch on every single part of the organization; I can't think of an area that it hasn't touched upon. And so it's so important to have those partnerships. We also work very closely with the IT security functions, as you could imagine, as new product initiatives or programs are being built or changing. It's so necessary and important. 
And I'm grateful for those relationships and those supporters throughout the organization who can help us implement privacy and also particularly as it's changing as the laws are changing, that requirements are changing, to help keep things up to date and implement new requirements.

Debbie Reynolds  22:22

Yeah, what do you think is unique about privacy in the biotech space that people may not understand?

Kim Gold  22:30

I think it's unique in how it is regulated, and it is very complicated. And it's not as simple as a biotech being regulated by one healthcare privacy law. So a lot of healthcare organizations, there are mainly in the US regulated by, let's say, HIPAA, for example. And in which case, most of their data is exempt from the newer state laws; for biotech, since most of our data is not regulated by HIPAA, then it becomes this complex web of other legal requirements. And we're looking at consumer protection laws at the federal and state level, the comprehensive privacy laws like CCPA, CPRA, Virginia, the other handful that now exist, then genetic privacy laws, clinical trial regulations are also an area that it's not necessarily thought of, I think, by many privacy professionals, and then adding to that clinical trial regulations that are relevant in this space that are not necessarily within the body of the general state privacy laws, for example, that are coming into play. They've been around for a long time, like FDA regulations, HHS regulations, and good clinical practices. These standards require informed consent and set out those standards for collecting data in a clinical trial. And so there's just so many different areas of the organization that have different types of data that might be regulated differently. So in the clinical trial space, there's those clinical trial regulations. If there's a marketing program, there could be consumer protection regulations that apply, depending on the activities and the types of data, like email marketing, might have to look at CAN-SPAM; text message marketing, CCPA. And when you're collecting data on websites, there's State privacy laws and general consumer protection laws. And then there's employee data that's collected. 
So I think what's interesting is that there's different regulations and different requirements, and different parts of the organization depending on what's being collected and how it's being used. So it makes things very interesting and exciting. I think every day can be a little bit different. It's important to have a really deep and broad understanding of privacy laws of clinical trial regulation of consumer protection laws because there might be different requirements and many different areas depending on what's actually happening.

Debbie Reynolds  25:19

Yeah, I think 2024 is going to be a very interesting year in privacy; at this point, I think there are at least 12 privacy laws that are going to go into effect in 2024. There are parts of laws that are going into enforcement that are already in effect in 2024. And I think people who have already thought that we need a Federal privacy law, I think they're going to be pulling their hair out in 2024. What are your thoughts?

Kim Gold  25:52

I get asked this question all the time, whether I think there will be a Federal privacy law; I think most privacy professionals agree that we need one. And that it's not sustainable to continue on this path of having new State laws popping up in different States. And then there's new proposed Federal regulation and then enforcement at the Federal level. And I think most would agree that we would be better served by one comprehensive law that would apply across the board; I think we're still going to have some challenges like we had with the ADPPA; there were a lot of issues around preemption. And there really needs to be state alignment with the Federal government in order to move anything forward. I think now we have Washington with very stringent health Data Privacy requirements that will be coming into force, and Washington has to be in alignment with the Federal government as well. So while I'd like to see a Federal privacy law, it is so important that a Federal law would preempt all of the other States. And I think that's where we're gonna see some challenges. So I'm not super optimistic that we're going to see a Federal privacy law in the next year. But what's interesting is that this is something I predicted a while ago. But I think what is almost emerging is a comprehensive standard across the US because now we have, I think, Delaware would be the 13th State privacy law. So now that we have over a dozen State privacy laws, most organizations, I believe, are implementing a comprehensive US privacy program that covers all of those privacy laws, all of the different State requirements in one program, rather than going State by State, which would be just untenable, and especially as more and more State laws are coming out. So almost in effect, we're seeing a comprehensive standard emerging where organizations are looking at those common threads across the State laws and implementing programs to cover all of those state requirements. 
So I would be interested in seeing if the Federal government would be looking at what are those common threads that we already have at the State level? And how could we establish a Federal standard that is consistent with what organizations are already implementing to apply those State law requirements?

Debbie Reynolds  28:27

I think that's true. There are many organizations that I've seen, especially when CCPA came out. They just made a decision as a business that they weren't going to apply CCPA-type consumer privacy rights to people in all States because it was easier for them to do it that way, as opposed to saying, okay, this thing is different, the State is different. So I think you're right; I think we are seeing this to say, okay, this is crazy like this is really hard. Let's find those common threads; let's try to get something as strong as possible within the business so that we're not lurching from one law to the next. But then, of course, you have to take into consideration any way those laws divert you; I think that's still a reason why people are going to pull their hair out about these laws.

Kim Gold  29:22

That's right, it almost becomes a gap assessment. Every time there's a new State privacy law, the first step is a gap assessment between that law and everything else that's already been signed into law so that you can look quickly to say, well, what's different? What might I need to change about our privacy program to deal with this new state requirement? Because, in large part, they're looking very similar. They're all kind of following this Virginia model. And except for, again, like Washington, the My Health My Data Act is getting a lot of attention in healthcare and life sciences industries, and organizations are trying to figure out how to grapple with those new requirements that are different from the general State privacy requirements and then layering on top of that, so many organizations are not just US. So many organizations are international or collecting data or using data from other jurisdictions, so in implementing a global privacy program that also applies these different US requirements. What organizations are generally doing is applying privacy principles across the board and having principles-based privacy programs and looking at what are the privacy principles that are interwoven into all of these laws, things like transparency and making sure that you're clear with the individuals about what data is collected and used. Having that data used and collected consistent with what you've told the individual is data minimization, only using the least amount that you need for a given purpose. Those principles are largely interwoven into all of these privacy laws. And so, most global privacy programs are largely taking a principles-based approach that aligns to those common principles.

Debbie Reynolds  31:18

Washington State has the My Health My Data Act, or the law. And I would love your point of view on that law. I know that people have heard about it. But I think that someone like you in biotech, it's probably closer to that. So maybe you can explain what it is and what it does.

Kim Gold  31:37

Sure. The My Health My Data Act is a Washington law that was signed in the spring of 2023. And it goes into effect in 2024. And specific to health data in the State of Washington, and it was passed in reaction to the recent Dobbs decision, and really intended to protect the health privacy of Washington residents, especially for reproductive health care. So there are provisions that are also intended to fill that gap that we've touched upon a little bit and how health data may or may not be regulated. And there's provisions that apply to geolocation data, for example, which could identify what types of reproductive care someone might be obtaining. And I think it's going to be interesting to see if other States follow Washington and adopt more comprehensive privacy laws that are focused specifically on health data, something that the industry is definitely watching to see what happens with Washington and how it impacts the organization's practices, as well as what States or even the Federal government might do in response to the Washington law. I recently saw that there's a Senate member, Cassidy, that was soliciting feedback on HIPAA and whether and to what extent HIPAA should be expanded. And I think some of that is also in reaction to laws like Washington's law that get passed, that really shows that there's an interest in protecting individuals' health privacy to a greater extent than what we have right now, which is that mix of different privacy laws in the States and Federal government. So it'll be interesting to see what happens as a result and whether the other laws are following Washington's lead.

Debbie Reynolds  33:38

Yeah, it's really interesting. So I know that FTC has really ratcheted up their enforcement, especially around location data. So you know, I think it wasn't surprising that a State like Washington did a bill like this. Maybe we'll see more of that in the future.

Kim Gold  33:58

Yeah, and the FTC has been focusing a lot on health data, as well. There's been quite a few enforcement actions recently. Health data is one of the more sensitive categories of information. And so the FTC has been focusing on health data as one of its areas of enforcement, as well as we're seeing a lot of activity around online tracking technologies, which may or may not share health data with social media sites. HHS has put out some information about health care providers' use of that technology and given them some guidance on when it may or may not be subject to HIPAA and what types of things to consider when using those technologies. There's also a lot of litigation activity in that space, applying similar to the FTC Health Breach Notification Rule, but in the area of applying an old law to new technology, and the Video Privacy Protection Act, that's from the Blockbuster Video era, intended to protect video rental data, is now being used by plaintiffs' firms to bring litigation and arbitration actions against companies that are using the Meta pixel. So there's all different areas where more and more enforcement and lawmaking is happening. And I do see a focus on the use and sharing of more sensitive data categories like health data.

Debbie Reynolds  35:28

Yeah, I agree. I agree. So if it were the world, according to you, Kim, and we did everything that you said, what would be your wish for privacy anywhere in the world, whether it be law, human behavior, or technology?

Kim Gold  35:43

My wish is for a Federal privacy law in the US; this is probably an answer that many people give you. But I would love to see an alignment across the United States on the regulation of individual information. Bringing together the different considerations of these existing privacy laws and coming together to best protect individuals’ information through a comprehensive Federal privacy law would be my wish for the future.

Debbie Reynolds  36:16

There's a good wish. I'm sure many other people will wish the same thing in 2024 when all these other laws kick in.

Kim Gold  36:26

I think that's right. And yes, it's complex for organizations to track, follow, and comply with all of these different privacy laws. But ultimately, it's about protection of individuals' information. And finding one single comprehensive approach across the US, I think, would also benefit individuals and how their information is protected.

Debbie Reynolds  36:56

I agree completely. I agree. Well, thank you so much for being on the show. This was fantastic. I love to talk to people in your area because it is very complex, and it's more complex than people know. And you know, it's only getting more complex. So I think you're doing the right thing and moving in the right direction.

Kim Gold  37:14

Thank you. I also love talking about privacy, and I really enjoyed speaking with you today. Thank you for having me.

Debbie Reynolds  37:22

Oh, that's so sweet. It was my pleasure, my pleasure. Well, hopefully, we'll have chances to collaborate.

Kim Gold  37:31

Yeah, I think so. We'll probably come across each other at all of those different privacy industry organizations and events.

Debbie Reynolds  37:39

Yeah, totally. Totally. Well, thank you so much, and have a good day.

Kim Gold  37:44

Thank you, you too.
