Privacy & Information Security Law Blog

On October 31, 2023, the Department of Health and Human Services (“HHS”) announced the issuance of a settlement agreement with Doctors’ Management Services (“DMS”), a Massachusetts-based medical management company, related to alleged violations of the Health Insurance Portability and Accountability Act’s (“HIPAA’s”) Privacy and Security Rules (collectively, the “HIPAA Rules”). DMS is a HIPAA business associate (“BA”) that provides payer credentialing and medical billing services to HIPAA Covered Entities (“CEs”). 

On November 8, 2023, the Network Advertising Initiative (“NAI”) issued its best practices guidance (“Guidance”), which advocates for the use of demographic data for health advertising, rather than sensitive health information.

On September 13, 2023, the National Coordinator for Health Information Technology (“ONC”) and the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services released version 3.4 of the Security Risk Assessment (“SRA”) Tool under the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.

On April 27, 2023, Washington adopted the My Health My Data Act (“WMHMDA”). Most of the law’s provisions are not effective until March 31, 2024 (or June 30, 2024 for small businesses). The law’s geofencing prohibition, however, is set to take effect on July 23, 2023. The prohibition is part of stringent requirements that Washington added when it became the first state to enact a comprehensive consumer health information privacy law in the United States.

On June 2 and June 5, 2023, the Connecticut and Nevada state legislatures, respectively, voted in favor of sending legislation to their governors for signature that would impose restrictions, among others, on the processing of consumer health data, including geofencing provisions.  Nevada S.B. 370 was signed by Nevada Governor Joe Lombardo on June 16, 2023. These bills contain provisions similar to Washington’s My Health My Data Act and expand on protections in the Health Insurance Portability and Accountability Act of 1996 and other privacy laws.

On May 18, 2023, the Federal Trade Commission announced it is seeking comment to proposed changes to the Health Breach Notification Rule (the “Rule”). The Rule requires  vendors of personal health records (“PHR”), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information, including cybersecurity intrusions and other instances of unauthorized access. By clarifying the Rule’s scope and applicability, and by modernizing allowable methods of notice, the proposed amendments seek to update the Rule to account for technological change since the Rule’s issuance, which includes the proliferation of health apps and connected devices, and the emergence of a widespread market for health data.

On May 17, 2023, the Federal Trade Commission issued a consumer alert regarding the Premom Ovulation Tracker app (“Premom”) sharing sensitive information with third parties without users’ permission. According to the alert, Premom is a free app that is marketed as an accurate fertility calendar, which can be used to assist users who are trying to become pregnant.

On May 3, 2023, New York Governor Kathy Hochul signed into law fiscal bill A.3007C/S.4007, which contains provisions prohibiting the establishment of a geofence around health care facilities.

On April 27, 2023, Washington State Governor Jay Inslee signed the My Health My Data Act into law, making Washington the first state to establish a comprehensive health data privacy law in the United States.

On April 12, 2023, the U.S. Department of Health and Human Services (“HHS”) issued a Notice of Proposed Rulemaking (“NPRM”) to modify protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to strengthen reproductive health care privacy.

On March 27, 2023, New York Attorney General Letitia James announced that a New York-based law firm (Heidell, Pittoni, Murphy & Bach LLP) had agreed to pay $200,000 in penalties and enhance its cybersecurity practices to settle charges stemming from a 2021 data breach. 

On February 1, 2023, the Federal Trade Commission announced that it entered into a proposed order with GoodRx, a telehealth and prescription drug discount provider, for violations of the FTC’s Health Breach Notification Rule stemming from GoodRx’s unauthorized disclosures of consumers’ personal health information to third party advertisers and other companies. This is the first enforcement action taken under the FTC’s Health Breach Notification Rule, which was issued in 2009.

On December 1, 2022, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) released a Bulletin on the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. 

On November 3, 2022, Pennsylvania Governor Tom Wolf signed Senate Bill 696 into law (the “Act”), amending Pennsylvania’s breach notification law. 

On October 18, 2022, the New York State Department of Financial Services (“NYDFS”) announced that EyeMed Vision Care LLC (“EyeMed”) agreed to a $4.5 million settlement for violations of the Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ health data in connection with a cybersecurity event in 2020.

On September 27, 2022, California Governor Gavin Newsom signed into law a pair of bills designed to prevent medical information and other data held by California entities from being used in out-of-state abortion prosecutions. 

On August 23, 2022, the U.S. Department of Health & Human Services, Office for Civil Rights (“HHS”) announced that it had settled a case involving the disposal of physical protected health information (“PHI”).

On July 21, 2022, the National Institute of Standards and Technology (“NIST”) released an updated draft of its HIPAA Security Rule guidance. The draft guidance, titled “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide” (NIST Special Publication 800-66, Revision 2), is designed to assist HIPAA regulated entities “maintain the confidentiality, integrity and availability of electronic protected health information (ePHI).” NIST issued the updated draft guidance to align it with other NIST cybersecurity guidance documents that have been published since the original HIPAA Security Rule guidance was issued in 2008.

On July 8, 2022, President Biden issued an Executive Order titled, “Protecting Access to Reproductive Health Care Services,” in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization that overturned Roe v. Wade. The Executive Order aims, in part, to “ [p]rotect[] the privacy of patients and their access to accurate information” regarding reproductive health care services. It directs the Department of Health and Human Services (“HHS”) and the Federal Trade Commission to take certain steps to address the potential threat to patient privacy caused by the transfer and sale of sensitive health-related data, and by digital surveillance related to reproductive health care services from fraudulent schemes or deceptive practices.

On May 26, 2022, California Attorney General Rob Bonta issued a press release reminding health app providers that California’s Confidentiality of Medical Information Act (“CMIA”) applies to mobile apps that are designed to store medical information, which includes health apps such as fertility trackers. The press release reminds health app providers that the CMIA requires businesses to preserve the confidentiality of medical information and prohibits the disclosure of medical information without proper authorization. It also urges mobile app providers to adopt robust security and privacy measures to protect reproductive health information. According to the press release, this should include, at a minimum, “assess[ing] the risks associated with collecting and maintaining abortion-related information that could be leveraged against persons seeking to exercise their healthcare rights.”

During the week of October 4, 2021, California Governor Gavin Newsom signed into law bills amending the California Privacy Rights Act of 2020 (“CPRA”), California’s data breach notification law and California’s data security law. Additional bills, amending the California Confidentiality of Medical Information Act (“CMIA”) and the California Insurance Code, also were also signed into law. The Governor also signed into law a bill protecting the privacy and security of genetic data processed by direct-to-consumer genetic testing companies and a bill designed to prevent the sale, purchase and use of data obtained by illegal means.

On October 1, 2021, Florida’s Protecting DNA Privacy Act (the “Act”), took effect. The Act, signed into law by Governor Ron DeSantis on June 29, restricts certain willful collection, retention, analysis and disclosure of the DNA samples or DNA analysis results of persons in Florida without their express consent.

On March 12, 2021, France’s highest administrative court (the “Conseil d’État”) issued a summary judgment that rejected a request for the suspension of the partnership between the French Ministry of Health and Doctolib, a leading provider of online medical consultations in Europe, for the management of COVID-19 vaccination appointments.

On January 13, 2021, the FTC announced that fertility-app developer Flo Health, Inc. (“Flo”) agreed to a settlement over allegations that the company shared app users’ health information with third-party data analytics providers despite representations that Flo would keep such information private.

The UK Prime Minister, Boris Johnson, announced on June 23, 2020, that restrictions relating to COVID-19 would be eased as of July 4. Although many measures remain in place to prevent the virus’ spread, certain businesses, including restaurants and pubs, will be able to reopen in the UK, with the recommendation that staff-customer contact be minimized.

The UK Information Commissioner’s Office (“ICO”) has released guidance to assist employers in implementing appropriate safeguards as workplaces reopen, titled “Coronavirus Recovery - Six Data Protection Steps for Organisations” (the “guidance”). This guidance sets out the key principles of data protection that should be kept in mind as employers put measures in place to prevent the spread of COVID-19.

On May 14, 2020 Democrats in both the House and Senate introduced the Public Health Emergency Privacy Act (“the Act”). In the House, the Act was sponsored by Representatives Jan Schakowsky (IL), Anna Eshoo (CA) and Suzan DelBene (WA), and in the Senate was sponsored by Senators Richard Blumenthal (CT) and Mark Warner (VA). Similar to the recently-introduced COVID-19 Consumer Data Protection Act of 2020, the Act would put temporary rules in place regarding the collection, use and disclosure of emergency health data used to combat the spread of the coronavirus. The rules imposed by the Act would only apply during the course of the Public Health Emergency as declared by the Secretary of Health and Human Services (“HHS”) and would only apply to specific uses of certain personal data.

On April 25, 2020, the Philippines National Privacy Commission (“NPC”) issued a statement that it is investigating several breach notifications it has received relating to the unauthorized disclosure of sensitive personal information of confirmed and suspected COVID-19 patients (the “Statement”).

On April 30, 2020, Senator Roger Wicker (MS), Chairman of the Senate Commerce Committee, along with Senators John Thune (SD), Jerry Moran (KS) and Marsha Blackburn (TN), announced plans to introduce the COVID-19 Consumer Data Protection Act of 2020 (“the bill”), which would put temporary rules in place regarding the collection, processing and transfer of data used to combat the spread of the coronavirus. The bill would only apply during the course of the COVID-19 Public Health Emergency as declared by the Secretary of Health and Human Services, and would only apply to specific uses of certain personal data.

On April 21, 2020, the European Data Protection Board (“EDPB”) adopted Guidelines on the processing of health data for scientific purposes in the context of the COVID-19 pandemic. The aim of the Guidelines is to provide clarity on the most urgent matters relating to health data, such as legal basis for processing, the implementation of adequate safeguards and the exercise of data subject rights.

On April 16, 2020, the European eHealth Network—a voluntary network connecting national authorities responsible for eHealth designated by EU Member States—published a common EU toolbox for the use of contact tracing and warning apps in response to the coronavirus pandemic (the “Toolbox”). The Toolbox is part of the common EU coordinated approach to using COVID-19 mobile apps, as set out in the European Commission’s Recommendation of April 8, 2020. The Toolbox was accompanied by guidance from the European Commission on data protection and privacy aspects of the use of such apps (the “Guidance”).

On March 31, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published a short statement on its website (the “Statement”) regarding health-related apps. The Belgian DPA indicated that the Statement is in response to numerous questions regarding the use of personal data in the context of the COVID-19 pandemic.

On March 25, 2020, the European Data Protection Supervisor (“EDPS”) sent a letter to the Directorate-General for Communications Networks, Content and Technology (“DG CONNECT”) addressing the various initiatives involving telecommunications providers at the Member State level to monitor the spread of the COVID-19 outbreak using location data.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently published materials regarding the COVID-19 crisis, including recommendations and FAQs for employers and recommendations for employees. In the materials, the Dutch DPA emphasizes that, while fighting the virus and saving lives is the top priority, privacy must not be overlooked and the crisis should not become a prelude to a “Big Brother” society.

The Spanish Data Protection Authority (the “AEPD”) recently published a report on data processing activities carried out by data controllers in the private and public sectors as a result of the spread of the COVID-19 virus (the “Report”).

On March 13, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released a statement regarding workplace-related processing of personal data in the context of the COVID-19 crisis (the “Statement”).

The French Data Protection Authority (the “CNIL”) recently issued guidance for employers relating to the processing of employee and visitor personal data in the context of the COVID-19 outbreak (the “Guidance”). The Guidance outlines some of the principles relating to those data processing activities.

The outbreak of COVID-19 has dramatically changed the economy and working landscape of the United States and many other countries across the world. Companies suddenly find themselves dealing with a host of privacy issues and questions about sharing information with employees, customers and others. In addition, transitioning to a remote workforce can create privacy and data security concerns.

On March 17, 2020, the Executive Committee of the Global Privacy Assembly (“GPA”) issued a statement giving their support to the sharing of personal data by organizations and governments for the purposes of fighting the spread of the COVID-19 pandemic. The GPA brings together data protection regulators from over 80 countries and its membership currently consists of more than 130 data protection regulators around the world, including the UK Information Commissioner’s Office, the U.S. Federal Trade Commission, and the data protection regulators for all EU Member States.

On March 12, 2020, the French Data Protection Authority (the “CNIL”) released its annual inspection strategy for 2020. The CNIL carries out approximately 300 inspections every year. These inspections are initiated (1) following complaints lodged with the CNIL; (2) in light of current topics in the news; (3) after the CNIL has adopted corrective measures (e.g., formal notices, sanctions) in order to verify whether the organization in question adopted the measures or remedied the situation; and (4) as part of the CNIL’s annual inspection strategy.