Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.Continue Reading Mid-Year Recap: Think Beyond US State Laws!
Healthcare Privacy
FTC Finalizes Breach Notification Rule Amendments Directed at Digital Health
The FTC recently announced that it had finalized the changes to the Health Breach Notification Rule (HBNR). This is roughly one year later from when the proposed changes were first released and three years later from the Agency’s initial “position statement” on the rule sparking controversy. The final changes clarify the scope of the rule to health apps and expands what must be told to consumers when notifying them of a breach. The updated rule goes into effect June 25, 2024.Continue Reading FTC Finalizes Breach Notification Rule Amendments Directed at Digital Health
Out in the Open: HHS’s New AI Transparency Rule
The Department of Health & Human Services through the Office of the National Coordinator for Health Information Technology recently updated the process for certification of health information technology. Some of the modifications are intended to address use of artificial intelligence in health IT systems. ONC’s certification is required for certain programs, such as where the health IT will be used for Medicare and Medicaid Incentive programs. It is optional for others. Those who are already certified will need to update their certifications. Those seeking new certifications will be subject to the new process.Continue Reading Out in the Open: HHS’s New AI Transparency Rule
The Landscape of GIPA Litigation in Illinois
Class action litigation has exploded in cases involving violations of Illinois’ Biometric Information Privacy Act (“BIPA”). Less known and litigated is Illinois’s Genetic Information Privacy Act (“GIPA”) – enacted in 1998. But recent trends may portend an increase in GIPA filings on the horizon.Continue Reading The Landscape of GIPA Litigation in Illinois
Regulators Send Warning Letter to Hospitals and Telehealth Providers About Tracking Technology Use
The FTC and OCR at HHS are continuing to scrutinize the use of tracking technologies that may reveal information about a person’s health or health status. Both agencies recently sent a letter to a reported 130 hospitals and telehealth providers warning about the use of tracking technologies and the risks they pose. This follows on the heels of other statements, guidance, and enforcement actions from these regulators about these tools over the past two years.Continue Reading Regulators Send Warning Letter to Hospitals and Telehealth Providers About Tracking Technology Use
FTC Looks to Update Health Breach Notification Rule, Targeting Digital Health Industry
The FTC recently proposed amendments to the Health Breach Notification Rule (HBNR). This is on trend with its aggressive interest over the last couple of years in health data not covered by HIPAA.Continue Reading FTC Looks to Update Health Breach Notification Rule, Targeting Digital Health Industry
My Health My Data Act: Consent Requirements
In this third post in our ongoing series, we examine the scope of the consent requirements under the recently enacted My Health My Data Act. (Visit here for information about the scope of the law and here for information about consumer rights). The Act imposes consent requirements on a wide range of common processing activities.Continue Reading My Health My Data Act: Consent Requirements
My Health My Data Act: Consumer Rights
In this second post in our ongoing series, we examine the scope of rights given to consumers under the recently enacted My Health My Data Act. (Visit here for information on the scope of the law). The law provides consumers several rights, all of which are in other privacy laws. However, the requirements associated with some of these rights create some unique challenges.Continue Reading My Health My Data Act: Consumer Rights
My Health My Data Act: Scope of the Law
On April 27, 2023, the state of Washington enacted a landmark privacy law aimed at protecting the privacy of health data not covered by HIPAA. While the 2023 legislative season has been busy for state “comprehensive” privacy laws, this law is likely to have the most impact on businesses. The My Health My Data Act covers a very wide range of entities, consumers, and data, as we describe below. And, it contains a private right of action. With the law coming into effect in the first half of 2024, organizations will want to take steps now to understand the scope of this law and its onerous obligations.Continue Reading My Health My Data Act: Scope of the Law
HHS Releases Cybersecurity Guide
The US Department of Health and Human Services recently updated its guide to help the private and public healthcare sectors develop cybersecurity protocols that address NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The guide is a toolkit, with information and resources intended to help companies implement cybersecurity programs in the health care space. While the aim of this guidance is to help companies implement NIST’s protocols for protecting US critical infrastructure, the recommendations contained in the guide mirror other agencies’ security recommendations (for example those we have written about from the Department of Labor and the FDA).Continue Reading HHS Releases Cybersecurity Guide
FTC and Other Regulators Continue to Signal Interest in Mobile Health Apps
The FTC is closing out 2022 with additional guidance for mobile health app developers signaling its continued interest in this industry. Since 2021, we have seen several steps from the agency demonstrating a focus on companies that collect health information but may not be a covered entity or business associate under HIPAA. This includes publishing additional resources, releasing commentary broadly interpreting the FTC’s Health Breach Notification Rule, and enforcement activity. Most recently, the FTC and other key regulators updated its “Mobile Health App Interactive Tool”.Continue Reading FTC and Other Regulators Continue to Signal Interest in Mobile Health Apps