On January 22, 2025, the New York Assembly passed Senate Bill S929, known as the New York Health Information Privacy Act. If enacted, it will impose strict requirements on entities that handle health or wellness-related consumer data.
On April 26, 2024, the Federal Trade Commission (FTC) issued a final rule to amend its Health Breach Notification Rule (HBN Rule). The HBN Rule works as a compliment and counterpart to the breach notification requirements established under the Health Insurance Portability and Accountability Act (HIPAA) for HIPAA-regulated entities. Specifically, the HBN Rule requires that vendors of personal health records (PHRs) and related entities that are not covered by HIPAA notify individuals, the FTC and, in some cases, media outlets of a breach of unsecured personally identifiable health data. Stakeholders should carefully review the final rule to understand how organizations will be impacted.
On March 18, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) issued an update to its December 1, 2022, bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” In releasing the 2024 update, OCR stated that its purpose was to “increase clarity for regulated entities and the public.” While the update appears to narrow the scope of what OCR considers to be HIPAA-protected health information (PHI) in the context of online tracking technologies, it largely reconfirms prior guidance in the 2022 bulletin and will likely have limited practical impact for HIPAA-covered entities and business associates that have already heeded the 2022 bulletin.
The US Department of Health and Human Services Office for Civil Rights (OCR) recently reached a $4.75 million settlement with a New York City hospital for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA).
According to OCR, in 2013, a former hospital employee sold the electronically protected medical records of 12,517 patients to an identity theft group, and the NYC hospital did not detect or report the breach to OCR until 2015. OCR’s investigation found several potential HIPAA violations, and in addition to the settlement, the hospital agreed to conduct a thorough security risk assessment, revise HIPAA policies, provide additional training to staff, begin recording and tracking all electronic health record (EHR) activity to monitor who is accessing patient information, and create a risk management plan. OCR will also monitor the hospital for two years for compliance with HIPAA.
New state privacy laws regulating health data impose significant obligations and heightened litigation and regulatory risks. During this webinar, Elliot Golding and Sam Siegfried discussed how these laws apply, what they require, and practical tips to implement and operationalize compliance.
The Biden administration recently announced that 28 healthcare payors and providers intend to implement and adhere to voluntary commitments for the safe, secure and trustworthy development and deployment of artificial intelligence (AI) in healthcare. The signatory companies aligned around the FAVES principle—namely, that AI should lead to healthcare outcomes that are fair, appropriate, valid, effective and safe.
Regulators in California and Colorado recently announced enforcement sweeps under new and newly updated state privacy laws. Companies in Colorado (including nonprofits) and California should double-check their privacy notices, processes and documentation to comply with these laws, particularly the enforcement priorities identified in the notices.
Following in the footsteps of Washington State’s My Health My Data Act, the governors of Nevada and Connecticut recently approved Nevada SB 370 and Connecticut SB 3. These bills impose a number of new requirements on the processing of consumer health data. Nevada SB 370 will go into effect on March 31, 2024, while the consumer health data-related provisions of Connecticut SB 3 that amend the Connecticut Data Privacy Act will take effect on July 1, 2023.
Companies are taking a fresh look at their privacy policies in the wake of Dobbs v. Jackson Women’s Health Organization. According to this Law360 article, policymakers are putting more pressure on companies to tighten their restrictions on collecting and disclosing personal health and location data.
The Illinois Supreme Court recently held that all causes of action brought under the Illinois Biometric Information Privacy Act (BIPA) are subject to a five-year statute of limitations. The Court’s holding is the latest disappointment for Illinois companies defending BIPA actions and means the scourge of BIPA litigation will continue.
Subscribe
