Categories
Health Law Highlights

New Practical Guidance for Balancing Fairness, Privacy

Summary of article from IAPP, by Cobun Zweifel-Keegan:

The tension between achieving fairness and maintaining privacy in the operation of advanced AI and machine learning systems is a major challenge for digital governance teams. To test for bias and ensure equity, demographic data is often needed, potentially infringing on privacy rights. A report by the Center for Democracy and Technology AI Governance Lab offers best practices for navigating this issue, such as gathering data responsibly, pseudonymization, encryption, and conducting privacy impact assessments. Legislation, like the upcoming Colorado bill, may balance these issues by requiring fairness and bias testing in AI systems. Transparency and clear communication of methodologies are essential to build trust and uniform benchmarks in AI governance.

Categories
Health Law Highlights

Better Call Your Privacy Attorney: 3 New State Privacy Laws Begin July 1, 2024

Summary of article from Dickinson Wright, by Sara Jodka:

On July 1, 2024, Florida, Oregon, and Texas will join other states in implementing privacy laws to govern the collection, use, and transfer of consumer personal data, with Montana following on October 1, 2024. These laws will impose requirements on businesses collecting personal data, and although existing privacy programs may not need significant changes, new businesses will need to update their privacy policies and processes. The laws vary between states, with Texas having the broadest application and Florida the narrowest, and they encompass different definitions of personal data and sensitive data. Covered entities will need to provide clear privacy notices, limit data collection, obtain consumer consent for processing sensitive data, implement safeguards, and conduct data protection assessments among other requirements. Beyond 2024, more states including Delaware, Iowa, Nebraska, New Hampshire, New Jersey, and Tennessee will implement similar laws in 2025, with Indiana and Kentucky following in 2026.

Categories
Health Law Highlights

FTC Finalizes Expansion of Health Breach Notification Rule’s Broad Applicability to Unauthorized App Disclosures

Summary of article from Davis Wright Tremaine, by Adam H. Greene, Apurva Dharia:

The Federal Trade Commission (FTC) has finalized changes to the Health Breach Notification Rule (HBNR), expanding its scope to include virtually all health and wellness apps. The revised rule requires vendors of personal health records (PHRs) and related entities to notify individuals, the FTC, and, in some cases, the media of any unauthorized disclosure of identifiable health data. The updated rule also includes a broader definition of “health care services or supplies” and “breach of security,” and clarifies the role and responsibilities of PHR related entities. The FTC has also modernized the method of notice, expanded the content of the notice, and revised the timing of notice to the FTC. The changes signal the FTC’s increased prioritization of protecting consumers’ sensitive health information.

Categories
Health Law Highlights

How Pharmacies Can Protect Patient Data From Cyber Threats

Summary of article from Specialty Pharmacy Continuum, by Karen Blum:

Pharmacies, both large and small, are increasingly targeted by sophisticated cyberattacks due to their databases of patient financial and health information. The breaches can lead to identity theft and drug diversion, with hackers using advanced tactics to gain access to data. To mitigate these risks, pharmacies should establish a robust cybersecurity plan, keep it updated, and conduct regular staff training. Vetting vendors for their data protection measures and having a contingency plan for data breaches are also crucial. In case of a breach, pharmacies should comply with all legal requirements, including notifying affected individuals and the Federal Trade Commission.

Categories
Health Law Highlights

A Regulatory Roadmap to AI and Privacy

Summary of article from IAPP, by Daniel Solove:

There is a complex relationship between AI and privacy. AI-related privacy issues are often extensions of existing digital privacy problems, so privacy law reform must address digital privacy holistically, not just in the context of AI. AI raises privacy concerns in data collection and processing, decision-making, and data analysis, and current privacy laws are inadequate for handling these issues. AI also presents difficulties in oversight, participation, and accountability. Effective reform must include transparency, due process, and stakeholder involvement. A comprehensive overhaul of existing privacy laws is needed to effectively regulate AI’s impact on privacy.

Categories
Health Law Highlights

Washington’s My Health My Data Act and its Nevada Twin are Now in Effect – Are You Ready?

Summary of article from Davis Wright Tremaine, by David L. Rice, Adam H. Greene, Rebecca L. Williams:

The “My Health My Data Act” in Washington, effective March 31, 2024, imposes strict regulations on the collection and use of “consumer health data” (CHD), even extending to data indirectly related to a consumer’s health. The Act covers all businesses operating in Washington and those providing services or products to its consumers, and applies to both residents and non-residents whose CHD is collected within the state. It mandates consumer consent for CHD collection, processing, or disclosure, and prohibits the sale of CHD without a valid, annually renewed authorization. The Act also forbids the use of “geofences” around healthcare facilities for data collection or advertising. Finally, the Act grants enforcement authority to the Washington Attorney General and establishes a private right of action for consumers, with Nevada implementing a similar law.

Categories
Alert

Consumer Health Information: Handle With (Extreme) Care

From the Federal Trade Commission, Business Blog, by Lesley Fair:

The Federal Trade Commission (FTC) has taken action against online healthcare providers Cerebral and Monument, Inc. for allegedly violating consumer privacy rights. Both companies were accused of sharing sensitive health data with third-party advertising platforms without consumer consent. Cerebral was also charged with misleading cancellation practices, while Monument was accused of falsely claiming HIPAA compliance.

The FTC’s lawsuit against Cerebral resulted in a settlement that included a $5.1 million judgment for consumer refunds, a $10 million civil penalty (suspended after a $2 million payment due to the company’s inability to pay the full amount), and injunctive provisions to change the company’s business practices, including a ban on using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes.

The proposed order against Monument includes a ban on sharing data with third parties for advertising and a $2.5 million civil penalty (suspended due to the company’s inability to pay).

Businesses, especially those in the health sector, must substantiate any privacy or security representations they make and integrate privacy and data security into their operations. The FTC also insists that companies must provide simple mechanisms for consumers to cancel services and stop recurring charges.

Categories
Health Law Highlights

Healthcare Highlights from FTC’s 2024 PrivacyCon

From SheppardMullin, by Carolyn Metnick, Carolyn Young:

The Federal Trade Commission’s annual PrivacyCon highlighted three healthcare privacy research projects: the use of tracking technologies by healthcare providers, women’s privacy concerns in the post-Roe era, and bias propagation through large language models (LLMs). One key finding was the extensive use of tracking technologies on hospital websites, which can reveal personal health information and potentially be exploited. Despite the serious implications, healthcare data privacy concerns are largely overlooked by users. The event also underscored how biases in LLM training data can lead to biased healthcare outcomes. The key takeaway was the need for transparency in handling healthcare data, including clear policies around data collection and usage, compliance with HIPAA and FTC rules, and accurate privacy notices for users.

Categories
Health Law Highlights

New State Health Privacy Laws—Moving Beyond HIPAA and Recasting Consumer Health Data Rights?

From Jones Day, by Alexis S. Gilroy, Lisa M. Ropple, Ryan P. Blaney, Claire E. Castles, Jennifer C. Everett and Kristen Pollock McDonald:

The new consumer health data (CHD) privacy laws enacted in Washington and Nevada aim to offer state-level protections for personal health data not covered by the Health Insurance Portability and Accountability Act (HIPAA). The laws, effective from March 31, 2024, mandate entities to obtain affirmative consent before collecting or sharing CHD, develop privacy policies, implement security safeguards, and restrict geofencing. Both laws grant consumers rights to access, review, and delete their CHD, and to withdraw consent for its collection or sharing. Washington’s law, uniquely, gives consumers a private right of action for CHD-related violations, potentially leading to increased litigation. Companies are advised to review and revise their policies and practices to ensure compliance.

Categories
Article

Updated: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

From U.S. Department of Health and Human Services:

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has updated its guidance to regulated entities on the use of online tracking technologies. These technologies, used to collect and analyze user interaction with websites or mobile applications, must comply with the HIPAA rules if the information gathered includes protected health information (PHI). Unauthorized disclosures of PHI to tracking technology vendors, such as disclosures for marketing purposes without compliant authorizations, are impermissible.

The update emphasizes that regulated entities should ensure they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. It provides guidance on the application of HIPAA rules to the use of tracking technologies on user-authenticated webpages, unauthenticated webpages, and within mobile apps. For instance, tracking technologies on user-authenticated webpages generally have access to PHI, and tracking technology vendors are considered business associates if they handle PHI.

Unauthenticated webpages, which do not require user login, usually do not have tracking technologies that access PHI. However, in cases where PHI is accessible, HIPAA rules apply. For mobile apps offered by regulated entities, information collected is generally considered PHI, and the entity must comply with HIPAA rules for any PHI the app uses or discloses. However, HIPAA does not protect information users voluntarily enter into non-regulated mobile apps.

Disclosures of PHI to tracking technology vendors must be specifically permitted by the Privacy Rule. If the vendor is a business associate, a business associate agreement (BAA) must be established. The use of tracking technologies should be addressed in the entity’s Risk Analysis and Risk Management processes. If there’s an impermissible disclosure of PHI, breach notification to affected individuals and the Secretary is required. OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.