Privacy & Cybersecurity

Earlier this week, the Biden-Harris Administration, through the Office for Civil Rights (OCR) announced a Final Rule aimed at protecting protected health information (PHI) related to lawfully provided reproductive health care services. As we discussed last year, the HIPAA Privacy Rule to Support Reproductive Health Care Privacy was proposed in response to concerns about the confidentiality of PHI related to reproductive health care following the decision in Dobbs v. Jackson Women’s Health Organization. In the executive summary of the Final Rule, OCR emphasized that the changing post-Dobbs legal landscape “increases the likelihood that an individual’s PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect, including the trust of individuals in health care providers and the health care system.” The Final Rule defines “reproductive health care” as “health care…that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”

If you have been relying on last year’s court order staying the ability of the California Privacy Protection Agency (CPPA) to enforce regulations promulgated under the California Privacy Rights Act (CPRA) to also stay your own CPRA compliance program --- time to ramp back up. Read more

Consumer privacy protection must have been tops on the New Jersey legislature’s list of New Year’s resolutions. The year was just two weeks old and New Jersey became the first State in 2024 to enact a comprehensive privacy law and is now one of over a dozen states to have its own comprehensive privacy law (together, the Privacy States”). New Jersey Governor Phil Murphy wrote in a recent press release that he is proud New Jersey is better protecting its residents with Senate Bill 332/A1971 (the “Law”). This comprehensive law aims to protect consumer privacy by creating strict requirements for how applicable companies may use and collect personal data from New Jersey consumers and provides such consumers with rights of access, modification and deletion of their personal data.

This post will analyze the discussion and draft regulations for risk assessments and automated decisionmaking technology. The board spent over three hours on this agenda item, focusing closely on defined terms and the timing of certain requirements. As these regulations will impose new burdens and restrictions on many businesses, the board is walking a tightrope, balancing between protecting the consumer and burdening businesses.

The Federal Communications Commission (“FCC”) announced Thursday that in furtherance of the work of the agency’s Privacy and Data Protection Task Force, the FCC’s Enforcement Bureau signed Memoranda of Understanding (“MOU”) with the Attorneys General of Connecticut, Illinois, New York, and Pennsylvania to share expertise and resources and to coordinate efforts conducting privacy, data protection and cyber-security-related investigations. Read more about this noteworthy legislative step.

The SEC adopted its final rules and amendments concerning cybersecurity risk management, strategy, governance, and incident disclosure (the “Final Rule”) on July 26, 2023.  In this article we highlight some of the principal changes to the cybersecurity rules first proposed by the SEC more than 16 months prior.

Covered entities, business associates, and any entities that collect health information about consumers online should carefully review the latest joint letter from the Office for Civil Rights (OCR) and the   Federal Trade Commission (FTC). On July 20, 2023, the agencies sent a joint letter to approximately 130 hospital systems and telehealth providers warning them about “serious privacy and security risks related to the use of online tracking technologies” such ad Google Analytics and Meta/Facebook Pixel. That letter was subsequently shared publicly and should be reviewed by any entity subject to regulation by either agency.