Privacy and Data Security
Subscribe to Privacy and Data Security's Posts

FTC Amends Health Breach Notification Rule to Regulate Health Apps and Expand Breach Notification Requirements

On April 26, 2024, the Federal Trade Commission (FTC) issued a final rule to amend its Health Breach Notification Rule (HBN Rule). The HBN Rule works as a compliment and counterpart to the breach notification requirements established under the Health Insurance Portability and Accountability Act (HIPAA) for HIPAA-regulated entities. Specifically, the HBN Rule requires that vendors of personal health records (PHRs) and related entities that are not covered by HIPAA notify individuals, the FTC and, in some cases, media outlets of a breach of unsecured personally identifiable health data. Stakeholders should carefully review the final rule to understand how organizations will be impacted.

Read more here.




read more

OCR Update on Tracking Technologies Provides Little Relief for HIPAA-Regulated Entities

On March 18, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) issued an update to its December 1, 2022, bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” In releasing the 2024 update, OCR stated that its purpose was to “increase clarity for regulated entities and the public.” While the update appears to narrow the scope of what OCR considers to be HIPAA-protected health information (PHI) in the context of online tracking technologies, it largely reconfirms prior guidance in the 2022 bulletin and will likely have limited practical impact for HIPAA-covered entities and business associates that have already heeded the 2022 bulletin.

Read more here.




read more

Hospital Settles With OCR for $4.75 Million Over HIPAA Violations

The US Department of Health and Human Services Office for Civil Rights (OCR) recently reached a $4.75 million settlement with a New York City hospital for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA).

According to OCR, in 2013, a former hospital employee sold the electronically protected medical records of 12,517 patients to an identity theft group, and the NYC hospital did not detect or report the breach to OCR until 2015. OCR’s investigation found several potential HIPAA violations, and in addition to the settlement, the hospital agreed to conduct a thorough security risk assessment, revise HIPAA policies, provide additional training to staff, begin recording and tracking all electronic health record (EHR) activity to monitor who is accessing patient information, and create a risk management plan. OCR will also monitor the hospital for two years for compliance with HIPAA.




read more

Key Takeaways | How to Prepare for New State Health Privacy Laws

New state privacy laws regulating health data impose significant obligations and heightened litigation and regulatory risks. During this webinar, Elliot Golding and Sam Siegfried discussed how these laws apply, what they require, and practical tips to implement and operationalize compliance.

Access key takeaways and webinar replay.




read more

Healthcare Payors and Providers and AI Companies Voluntarily Commit to AI Principles

The Biden administration recently announced that 28 healthcare payors and providers intend to implement and adhere to voluntary commitments for the safe, secure and trustworthy development and deployment of artificial intelligence (AI) in healthcare. The signatory companies aligned around the FAVES principle—namely, that AI should lead to healthcare outcomes that are fair, appropriate, valid, effective and safe.

Read more here.




read more

State Regulators Step Up Privacy Enforcement Relating to Employee Data

Regulators in California and Colorado recently announced enforcement sweeps under new and newly updated state privacy laws. Companies in Colorado (including nonprofits) and California should double-check their privacy notices, processes and documentation to comply with these laws, particularly the enforcement priorities identified in the notices.

Read more here.




read more

Nevada and Connecticut Pass Consumer Health Data Laws

Following in the footsteps of Washington State’s My Health My Data Act, the governors of Nevada and Connecticut recently approved Nevada SB 370 and Connecticut SB 3. These bills impose a number of new requirements on the processing of consumer health data. Nevada SB 370 will go into effect on March 31, 2024, while the consumer health data-related provisions of Connecticut SB 3 that amend the Connecticut Data Privacy Act will take effect on July 1, 2023.

Read more here.




read more

How Dobbs Has Changed the Data Privacy Landscape

Companies are taking a fresh look at their privacy policies in the wake of Dobbs v. Jackson Women’s Health Organization. According to this Law360 article, policymakers are putting more pressure on companies to tighten their restrictions on collecting and disclosing personal health and location data.

Access the article.




read more

Litigation Setback for Employers Under Illinois Biometric Information Privacy Act

The Illinois Supreme Court recently held that all causes of action brought under the Illinois Biometric Information Privacy Act (BIPA) are subject to a five-year statute of limitations. The Court’s holding is the latest disappointment for Illinois companies defending BIPA actions and means the scourge of BIPA litigation will continue.

Read more here.




read more

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

Top ranked chambers 2022
US leading firm 2022