Wade’s Healthcare Privacy Advisor

Legislation

• In 2024, states continued to enact sectoral privacy laws, particularly focusing on children’s data and AI regulation. The New York Child Data Protection Act and SAFE for Kids Act aim to protect children’s privacy and safety online, while the Maryland Age-Appropriate Design Code Act seeks to regulate online content for children. Other states, such as Connecticut and Colorado, have also passed amendments to their consumer data privacy laws to enhance protections for children’s data.
• In 2024, seven states passed comprehensive data privacy laws, bringing the total to 19. Maryland, Vermont, and Maine introduced more restrictive data minimization provisions, while Minnesota, New Jersey, and Rhode Island iterated on existing models. Existing laws in California, Colorado, Virginia, and New Hampshire received amendments, primarily focusing on expanding protections for children’s data.
• The Health Infrastructure Security and Accountability Act (HISAA) aims to enhance cybersecurity standards for healthcare organizations by imposing mandatory minimum security measures and providing financial support for compliance. The bill requires annual audits, stress tests, and increased accountability for non-compliance, with penalties reaching up to $250,000 for willful neglect. HISAA also includes financial assistance for hospitals to enhance their cybersecurity infrastructure, particularly for rural and safety net facilities.
• California’s CCPA amendment protects neural data as sensitive personal information, impacting Illinois businesses that collect or utilize this data. Illinois businesses should review their data privacy practices to ensure compliance with both state and federal laws.

Security Practices

• Healthcare workers resort to insecure password practices due to care delivery demands, leading to data breaches and compromised credentials. These breaches impact patient care, cause significant costs, and highlight the ineffectiveness of complex passwords.
• HIPAA EDI transactions are electronic data exchanges between healthcare providers and health plans that adhere to HHS standards. Non-compliance can result in delayed treatments and payments, and may lead to sanctions or exclusion from Medicare and Medicaid.
• New York has implemented new cybersecurity regulations for general hospitals, requiring annual risk assessments, incident response plans, and multifactor authentication. The regulations aim to enhance cybersecurity standards beyond HIPAA requirements and address the increasing frequency of cyberattacks on hospitals. Hospitals have one year to comply with the new requirements, with funding available to assist with implementation costs.

LLMs

• A recent study by Apple engineers shows the fragility of mathematical reasoning in advanced large language models (LLMs) like those developed by OpenAI and Google. The research shows that LLMs struggle with minor changes to benchmark problems, resulting in performance drops of up to 9.2%. These findings suggest that LLMs rely on probabilistic pattern matching rather than genuine logical reasoning. The researchers concluded that these models’ reasoning processes have critical flaws that cannot be resolved with simple refinements.
• Google DeepMind has developed an AI model to predict key properties of potential drugs. The new Tx-LLM (Therapeutic Large Language Model) model represents a shift toward specialized artificial intelligence tools for specific industries. This targeted approach could prove more valuable than general-purpose AI in addressing complex commercial challenges.

LItigaton

• The Texas Attorney General settled allegations of false and misleading claims about the accuracy of a healthcare AI product. The company agreed to comply with specific requirements for five years, including disclosing metrics and potential harmful uses of its products. As AI use in healthcare grows, legislators and regulators are increasingly interested in AI laws and regulations, and healthcare entities should adopt AI governance programs to ensure compliance.
• Social credit scores, used by the DOJ to prosecute healthcare providers, are data-driven profiles that assess risky behavior and predict future violations. These scores, influenced by biased enforcement patterns, disproportionately target minority physicians and patients, leading to unjust prosecutions and surveillance. The widespread adoption of predictive tools like social credit scores amplifies systemic biases and entrenching the surveillance and punishment of already marginalized populations.

Online Tracking

• In St. Aubin v. Carbon Health Technologies, Inc., the United States District Court for the Northern District of California examined a claim under the California Invasion of Privacy Act (CIPA) regarding alleged interceptions of medical data by third-party tracking technologies. The court focused on the application of CIPA’s second clause, which prohibits unauthorized interception of the “contents or meaning” of communications, finding that URLs containing detailed health information could qualify as protected content. Facebook’s tracking was deemed to meet this requirement due to its real-time data interception capabilities, while Google’s tracking lacked sufficient specificity, leading the court to allow an amendment to the complaint. This case highlights the increasing judicial scrutiny of digital privacy, particularly concerning online tracking and the sharing of sensitive medical information.
• Online tracking technologies, such as cookies, can impact HIPAA compliance by potentially disclosing protected health information. Non-HIPAA-regulated businesses must comply with state laws regarding consumer health data collected through these technologies. To ensure compliance, businesses should review tracking technologies, analyze license terms, and determine applicable state and FTC rules.

Regulation

• The FDA has authorized almost 1000 AI-enabled medical devices and has received hundreds of regulatory submissions for drugs that used AI in their discovery and development. The FDA assets that effective regulation requires coordination across industries, government, and international bodies, with flexible mechanisms to keep pace with AI developments. Transparency from sponsors and proficiency in AI evaluation by regulators are crucial, alongside a life cycle management approach with ongoing postmarket performance monitoring.

Threat Vector

• There is an alarming rise in healthcare data breaches, which have increased by 187% in 2023. The surge in cyberattacks, particularly driven by ransomware and phishing, poses significant challenges to the healthcare industry. To address these challenges, healthcare organizations must prioritize regular training and thorough audits to enhance their security measures.
• Data compromises decreased by 8% in Q3 2024, with 672 incidents reported. However, the number of individuals affected fell by 77% due to a significant decrease in healthcare data breaches. Despite the decrease in data compromises, the total number of victims for the year is still above the 2023 record.
• Privacy-enhancing technologies (PETs) like fully homomorphic encryption (FHE), trusted execution environments (TEEs), and privacy-preserving federated learning (PPFL) can protect sensitive healthcare data while enabling analysis. Regulators should endorse these technologies to simplify compliance and incentivize their adoption. Post-quantum cryptography (PQC) will provide protection against emerging attacks, including those from quantum computing devices.
• Ransomware claims have increased by 68% in severity, with an average loss of $353,000. Business Email Compromise remains a leading threat, while funds transfer fraud has seen a slight decline.

Opinion

• AI and precision health aim to improve patient outcomes by tailoring treatments to individual characteristics. However, challenges such as data diversity, privacy concerns, and the need for longitudinal data need to be addressed. To ensure the success of precision health, strategies like assembling large cohorts, improving diversity, and protecting data privacy are essential.