Privacy & Cybersecurity

The SEC adopted its final rules and amendments concerning cybersecurity risk management, strategy, governance, and incident disclosure (the “Final Rule”) on July 26, 2023.  In this article we highlight some of the principal changes to the cybersecurity rules first proposed by the SEC more than 16 months prior.

Covered entities, business associates, and any entities that collect health information about consumers online should carefully review the latest joint letter from the Office for Civil Rights (OCR) and the   Federal Trade Commission (FTC). On July 20, 2023, the agencies sent a joint letter to approximately 130 hospital systems and telehealth providers warning them about “serious privacy and security risks related to the use of online tracking technologies” such ad Google Analytics and Meta/Facebook Pixel. That letter was subsequently shared publicly and should be reviewed by any entity subject to regulation by either agency.   

In Montana, Governor Greg Gianforte signed the Montana’s Consumer Data Privacy Act (S.B. 384) (“MCDPA”) on May 19, 2023 – one of the strongest privacy bills signed in a red state.  Montana now becomes the ninth state to enact a comprehensive consumer data privacy law. 

Washington greatly expanded the protection for consumers’ identifiable health information by enacting the “My Health My Data Act” (MHMDA), in an effort to close the gap between HIPAA protections and the laws protecting the privacy and security of other consumer health care data. While MHMDA resembles the acts in both California and Illinois, it broadly applies to health information outside of traditional health care settings. In this article we answer frequently asked questions about MHMDA’s applicability and requirements.

Tennessee is expected to become the eighth or ninth state to enact a comprehensive data privacy law. Tennessee Information Protection Act (“TIPA”) is a unique safe harbor compared to other recently enacted laws: it offers an affirmative defense to businesses who create, maintain and comply with a written privacy program that “reasonably conforms” to the National Institute of Standards and Technology (“NIST”) privacy framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.”

Last month, three state legislatures passed comprehensive data privacy laws. This week, Indiana’s governor signed the Indiana Consumer Data Privacy Act (“ICDPA’) into law. Montana and Tennessee likely to follow right behind. These newcomers will join the six other states with data privacy statutes already enacted.

In April, 2020, in an effort to facilitate a national pivot to telehealth in light of the COVID-19 Public Health Emergency (PHE), the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced a policy of Health Insurance Portability and Accountability Act of 1996 (HIPAA) enforcement discretion for regulated health care providers (Covered Entities) implementing communications technologies that weren’t fully compliant with HIPAA or using those technologies in a manner that didn’t comply with HIPAA. Examples of flexibilities included allowing technology providers access to protected health information (PHI) without a HIPAA Business Associate Agreement (BAA). OCR’s enforcement discretion enabled Covered Entities to minimize the need for in-person visits for all kinds of health care services, not just COVID-19 related care. OCR also implemented flexibilities to promote public health during the COVID-19 pandemic; for example, it allowed for Business Associates to share COVID-19 data with government agencies for such purposes without specific authority to do so under BAAs.  

In response to concerns about the confidentiality of protected health information (PHI) related to reproductive health care less than one year after Dobbs v. Jackson Women’s Health Organization decision, and the prospect of such PHI being weaponized by states and used against patients, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has proposed amendments to the HIPAA Privacy Rule to protect that information.

Generative artificial intelligence creates content and work efficiencies but also comes with legal pitfalls. Mintz Venture Capital & Emerging Companies Practice Co-chair Jeremy Glaser and Associate Lorena Niebla look at the technology's potential uses as well as risks related to data privacy, intellectual property, and more.

The Federal Trade Commission (FTC) recently kicked off enforcement of its Health Breach Notification Rule (Breach Rule) by taking aim at GoodRx’s use of tracking technologies (e.g. pixels) and the sharing of consumer health data for advertising purposes. According to Samuel Levine, director of the FTC's Bureau of Consumer Protection, the FTC “is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation." Bottom line, HIPAA applicability may no longer be as significant of a factor when it comes to the risk presented by collecting, using, disclosing, and maintaining identifiable health information (IHI).

As illustrated by a recent Office for Civil Rights (OCR) settlement with a dental practice, health care entities continue to struggle with how to respond to negative online reviews while maintaining compliance with the HIPAA Privacy Rule. Given the significant reputational harm that negative reviews on Yelp and other social media and public platforms (Platforms) can create, providers may be tempted to respond to such negative comments with patient specifics in an attempt to mitigate harm to their businesses.

The European Commission has published its long-awaited draft of the new EU-US Data Privacy Framework, available here.  The Data Privacy Framework will replace the Privacy Shield decision that was invalidated in July 2020 by the Schrems II decision. President Biden’s recent Executive Order paved the way for the new Data Privacy Framework by creating a significantly more robust right of redress for people in the EU, along with stronger guardrails and greater oversight for US intelligence agencies’ data privacy compliance.