The FTC recently published two new resources for complying with the Health Breach Notification Rule. The Rule requires vendors of personal health records (PHR), PHR-related entities, and service providers to these entities to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information. The guidance reaffirms and adds further clarity to the Agency’s broad interpretation of the Rule released in its policy statement last fall.
Continue Reading FTC Continues to Signal Interest in Digital Health Industry, Publishing Updated Resources
Healthcare Privacy
States Catch Health Care Entities Taking the Bait in Phishing Attacks
The State Attorneys General in New York and New Jersey recently settled with four companies over alleged HIPAA noncompliance following phishing attacks. The New Jersey settlements were brought against three NJ-based cancer care providers after a phishing attack on several employees’ email accounts. That attack resulted in the unauthorized access of the PHI of 105,200 patients. Although the providers had implemented safeguards, the NJAG concluded that those measures were insufficient to protect against reasonably anticipated threats. In particular, the NJAG was concerned that an accurate and thorough risk assessment had not been conducted, nor was there sufficient employee training. As part of the settlement, the providers agreed to pay $425,000.
Digital Health Trends and Privacy: What to Watch in 2022
The digital health sector has been rapidly growing, and the demand is not expected to diminish. Those in the industry will want to keep in mind some key legal concerns in the coming year, which we outline in this recent article. Privacy and cybersecurity feature among these and include more than just HIPAA concerns. There is an ever-growing patchwork of state and federal privacy laws that are being applied to the industry. At the same time, cyber threat actors are finding ways to attack even the most prepared companies in the digital health space.
FTC 2022 Regulatory Priorities to Include Privacy and Security
As we look to 2022, a question on many companies’ minds is what actions we will see from the FTC. Two recent developments are important on that front.
FDA Joins Other Regulators in Focus on AI and Machine Learning
The Food and Drug Administration recently sought comments on the role of transparency for artificial intelligence and machine learning-enabled medical devices. The FDA invited comments as a follow-up to a recent workshop on the topic.
Florida Imposes Criminal Penalties for Improper Processing of DNA
Florida recently passed a law governing DNA samples. The Act places several restrictions on the use, retention, and sharing of DNA samples. Those who violate the Act may face criminal liability.
California Broadens Security and Breach Laws, Includes Genetic Data
California recently updated both its data security and breach notice laws to include genetic data. With the passage of AB 825, the data security law now includes genetic data in the definition of “personal information.” The information needs to be “reasonably protected.” While many other states have similar “reasonable protection” requirements in their data security laws, California is one of a handful to specifically list genetic information.
California Enacts New Privacy Law for Genetic Data
California’s governor recently signed SB 41 into law. The bill enacts the Genetic Information Privacy Act (GIPA). The governor rejected a similar bill last year over concerns about COVID-19 public health efforts. To address that concern, this bill exempts tests used to diagnose whether an individual has a specific disease.
FTC Warns Digital Health Industry to Comply with its Breach Notification Rule
The use of apps, wearables, and other devices to track health and wellness data has continued to rise. The FTC again signaled its focus on this growing industry in a statement on the scope of the Health Breach Notification Rule. In the statement, the FTC called out specific types of apps and trackers that it views as having notification obligations under this rule.
Breach of PHI? California AG Reminds Companies of Potential State Notification Obligations
The California AG recently reminded companies in the healthcare industry of potential data breach notification obligations beyond HIPAA. As ransomware attacks continue to rise, particularly in healthcare, companies should keep in mind the patchwork of state and federal health data privacy laws that may apply.