Categories
Health Law Highlights

A Regulatory Roadmap to AI and Privacy

Summary of article from IAPP, by Daniel Solove:

There is a complex relationship between AI and privacy. AI-related privacy issues are often extensions of existing digital privacy problems. Privacy law reform must address digital privacy holistically, not just in the context of AI. AI implicates privacy concerns in data collection and processing, decision-making, and data analysis. Current privacy laws are inadequate in handling these issues. AI also presents difficulties in oversight, participation, and accountability. Effective reform must include transparency, due process, and stakeholder involvement. A comprehensive overhaul of existing privacy laws is needed to effectively regulate AI’s impact on privacy.

Categories
Health Law Highlights

Washington’s My Health My Data Act and its Nevada Twin are Now in Effect – Are You Ready?

Summary of article from Davis Wright Tremaine, by David L. Rice, Adam H. Greene, Rebecca L. Williams:

The “My Health My Data Act” in Washington, effective March 31, 2024, imposes strict regulations on the collection and use of “consumer health data” (CHD), even extending to data indirectly related to a consumer’s health. The Act covers all businesses operating in Washington and those providing services or products to its consumers, and applies to both residents and non-residents whose CHD is collected within the state. It mandates consumer consent for CHD collection, processing, or disclosure, and prohibits the sale of CHD without a valid, annually renewed authorization. The Act also forbids the use of “geofences” around healthcare facilities for data collection or advertising. Finally, the Act grants enforcement authority to the Washington Attorney General and establishes a private right of action for consumers, with Nevada implementing a similar law.

Categories
Alert

Consumer Health Information: Handle With (Extreme) Care

From the Federal Trade Commission, Business Blog, by Lesley Fair:

The Federal Trade Commission (FTC) has taken action against online healthcare providers Cerebral and Monument, Inc. for allegedly violating consumer privacy rights. Both companies were accused of sharing sensitive health data with third-party advertising platforms without consumer consent. Cerebral was also charged with misleading cancellation practices, while Monument was accused of falsely claiming HIPAA compliance.

The FTC’s lawsuit against Cerebral resulted in a settlement that included a $5.1 million judgment for consumer refunds, a $10 million civil penalty (suspended after a $2 million payment due to the company’s inability to pay the full amount), and injunctive provisions to change the company’s business practices, including a ban on using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes.

The proposed order against Monument includes a ban on sharing data with third parties for advertising and a $2.5 million civil penalty (suspended due to the company’s inability to pay).

Businesses, especially those in the health sector, must substantiate any privacy or security representations they make and integrate privacy and data security into their operations. The FTC also insists that companies must provide simple mechanisms for consumers to cancel services and stop recurring charges.

Categories
Health Law Highlights

Healthcare Highlights from FTC’s 2024 PrivacyCon

From SheppardMullin, by Carolyn Metnick, Carolyn Young:

The Federal Trade Commission’s annual PrivacyCon highlighted three healthcare privacy research projects: tracking technology use by healthcare providers, women’s privacy concerns in the post-Roe era, and bias propagation through large language models (LLMs). One key finding was the extensive use of tracking technologies on hospital websites, which can reveal personal health information and potentially be exploited. Despite the serious implications, healthcare data privacy concerns are largely overlooked by users. The event also underscored how biases in LLM training data can lead to biased healthcare outcomes. The key takeaway was the need for transparency in handling healthcare data, including clear policies around data collection and usage, compliance with HIPAA and FTC rules, and accurate privacy notices for users.

Categories
Health Law Highlights

New State Health Privacy Laws—Moving Beyond HIPAA and Recasting Consumer Health Data Rights?

From Jones Day, by Alexis S. Gilroy, Lisa M. Ropple, Ryan P. Blaney, Claire E. Castles, Jennifer C. Everett and Kristen Pollock McDonald:

The new consumer health data (CHD) privacy laws enacted in Washington and Nevada aim to offer state-level protections for personal health data not covered by the Health Insurance Portability and Accountability Act (HIPAA). The laws, effective from March 31, 2024, mandate entities to obtain affirmative consent before collecting or sharing CHD, develop privacy policies, implement security safeguards, and restrict geofencing. Both laws grant consumers rights to access, review, and delete their CHD, and to withdraw consent for its collection or sharing. Washington’s law, uniquely, gives consumers a private right of action for CHD-related violations, potentially leading to increased litigation. Companies are advised to review and revise their policies and practices to ensure compliance.

Categories
Article

Updated: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

From U.S. Department of Health and Human Services:

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) updated its guidance to regulated entities when using online tracking technologies. These technologies, used to collect and analyze user interaction with websites or mobile applications, must comply with HIPAA rules if the information gathered includes protected health information (PHI). Unauthorized disclosures of PHI to tracking technology vendors, such as for marketing purposes without compliant authorizations, are deemed impermissible.

The update emphasizes that regulated entities should ensure they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. It provides guidance on the application of HIPAA rules to the use of tracking technologies on user-authenticated webpages, unauthenticated webpages, and within mobile apps. For instance, tracking technologies on user-authenticated webpages generally have access to PHI, and tracking technology vendors are considered business associates if they handle PHI.

Unauthenticated webpages, which do not require user login, usually do not have tracking technologies that access PHI. However, in cases where PHI is accessible, HIPAA rules apply. For mobile apps offered by regulated entities, information collected is generally considered PHI, and the entity must comply with HIPAA rules for any PHI the app uses or discloses. However, HIPAA does not protect information users voluntarily enter into non-regulated mobile apps.

Disclosures of PHI to tracking technology vendors must be specifically permitted by the Privacy Rule. If the vendor is a business associate, a business associate agreement (BAA) must be established. The use of tracking technologies should be addressed in the entity’s Risk Analysis and Risk Management processes. If there’s an impermissible disclosure of PHI, breach notification to affected individuals and the Secretary is required. OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.

Categories
Health Law Highlights

Rise in Healthcare Data Breaches & the Impact for Healthcare Providers in 2024

From Bradley Arant Boult Cummings LLP, by Alexis Buese, Eric Setterlund:

The healthcare sector has seen a significant increase in cyber-threats, especially hacking and ransomware, with a 256% rise in hacking-related breaches and a 264% surge in ransomware incidents in the last five years. In 2023, these breaches affected over 134 million individuals, a 141% increase from the previous year.

The OCR recommends proactive measures to mitigate these threats, including securing partnerships with vendors, conducting regular risk assessments, establishing robust audit controls, and adopting multi-factor authentication.

The OCR’s two Congressional Reports on HIPAA compliance and enforcement highlight the need for healthcare systems to address potential HIPAA compliance issues before breaches occur. The reports reveal common vulnerabilities and suggest areas for improvement tied to specific HIPAA Security Rule standards, including the security management process standard, audit controls standard, and response and reporting requirements.

Despite the sophistication of some cyber-attacks, the majority of incidents could be prevented or significantly lessened if healthcare entities adhered to the HIPAA Security Rule. This includes safeguarding against prevalent attack methods like phishing emails, exploiting existing vulnerabilities, and using weak authentication measures. In case of a successful breach, attackers often encrypt or steal electronic Protected Health Information (ePHI) for ransom or future malicious activities.

Categories
Health Law Highlights

New PCI DSS 4.0 Will Impact the Digital Health, Healthcare Industries

From McDermott Will & Emery, by Mark E. Schreiber, Brian Long, Jonathan Ende:

The healthcare industry, particularly digital health, is increasingly adopting an e-commerce model, accepting direct payments from consumers. This necessitates compliance with the Payment Card Industry Data Security Standard (PCI DSS), even if payment card processing is outsourced. 

The new version of PCI DSS (4.0) will be mandatory from March 31, 2024, introducing more rigorous requirements. Entities that offer these services and accept payment cards must complete either a report on compliance (ROC) or a self-assessment questionnaire (SAQ) annually.

PCI DSS 4.0 brings new requirements, focusing on targeted risk analysis, organizational maturity, and governance. It makes PCI DSS compliance a continuous effort, rather than an annual task, and allows businesses to implement alternative controls that meet the customized approach objective.

Some significant changes in PCI DSS 4.0 include increased requirements for yearly diligence for merchants and service providers, introduction of a customized approach for controls, expanded risk analysis guidance, and clarifications to the “significant change” standard.

Failure to comply with PCI DSS 4.0 may lead to investigations, fines, penalties, and assessments by card brands and acquirers. It may also lead to legal risks, as the new version requires more security documentation and risk analysis, exposing the company’s security posture to greater scrutiny. Therefore, businesses should promptly begin addressing and validating compliance.

Categories
Health Law Highlights

US Department of Human Services vs Hospital & Tech Sector Showdown

From Telehealth.org, by Marlene Maheu, PhD:

Recent developments in digital privacy ethics in the healthcare sector have led to a lawsuit against the US Department of Health and Human Services (HHS) by the American Hospital Association (AHA), with support from hospitals, health centers, other hospital associations, and the tech sector. The issue stems from the widespread practice of sharing online patient information with technology companies for marketing purposes.

The HHS has been actively investigating the use of tracking technologies and has issued fines and penalties to companies improperly handling sensitive data. As far back as 2022, HHS issued guidance emphasizing the obligations of HIPAA covered entities when using online tracking technologies.

A recent study revealed that 98.6% of US hospitals might still be involved in sharing patient information, highlighting the extent of data dissemination within the healthcare industry. This has led to increased interest in preventing or responding to HIPAA violations.

The legal challenge underscores the tension between the need for digital marketing tools in healthcare and the necessity to safeguard patient privacy and will significantly affect how healthcare entities use technology for marketing.

Categories
Health Law Highlights

Confidentiality of Substance Use Disorder Patient Records: What to Know About Updates to Part 2

From Orrick, Herrington & Sutcliffe LLP, by Thora Johnson, Kyle Kessler, Cosmas Robless:

The U.S. Department of Health & Human Services (HHS) has updated the Confidentiality of Substance Use Disorder Patient Records regulations (Part 2) to align with HIPAA and HITECH, aiming to improve care coordination while protecting patient privacy. Notably, patient consent for disclosure of SUD treatment records has been simplified, allowing a single consent for all future uses and disclosures related to treatment, payment, and health care operations.

The Rule permits redisclosure of SUD records by HIPAA-covered entities without additional patient consent, promoting coordinated care. The Rule also introduces a definition for SUD counseling notes, mirroring the HIPAA protections for psychotherapy notes, which require separate written consent for use or disclosure.

The Rule establishes two new patient rights: the right to receive an accounting of any disclosures of their SUD records in the three years prior to their request, and the right to request restrictions on disclosures of their records for treatment, payment, and health care operations.

The Rule expands patient privacy in legal proceedings, extending the prohibition of the use and disclosure of SUD records to all criminal, civil, administrative, and legislative proceedings against a patient. It also authorizes civil penalties, in addition to criminal ones, for Part 2 violations, aligning with the value of civil penalties under HIPAA.

The Rule applies the same requirements as the HIPAA Breach Notification Rule to breaches of patient records subject to Part 2. Providers must notify affected individuals, the Secretary of HHS, and in some cases the media in the event of a breach. The Rule will become effective 60 days after its publication in the Federal Register on February 16, 2024, with compliance required by February 16, 202