Privacy & Cybersecurity

Washington greatly expanded the protection for consumers’ identifiable health information by enacting the “My Health My Data Act” (MHMDA), in an effort to close the gap between HIPAA protections and the laws protecting the privacy and security of other consumer health care data. While MHMDA resembles the acts in both California and Illinois, it broadly applies to health information outside of traditional health care settings. In this article we answer frequently asked questions about MHMDA’s applicability and requirements.

Tennessee is expected to become the eighth or ninth state to enact a comprehensive data privacy law. Tennessee Information Protection Act (“TIPA”) is a unique safe harbor compared to other recently enacted laws: it offers an affirmative defense to businesses who create, maintain and comply with a written privacy program that “reasonably conforms” to the National Institute of Standards and Technology (“NIST”) privacy framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.”

Last month, three state legislatures passed comprehensive data privacy laws. This week, Indiana’s governor signed the Indiana Consumer Data Privacy Act (“ICDPA’) into law. Montana and Tennessee likely to follow right behind. These newcomers will join the six other states with data privacy statutes already enacted.

In April, 2020, in an effort to facilitate a national pivot to telehealth in light of the COVID-19 Public Health Emergency (PHE), the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced a policy of Health Insurance Portability and Accountability Act of 1996 (HIPAA) enforcement discretion for regulated health care providers (Covered Entities) implementing communications technologies that weren’t fully compliant with HIPAA or using those technologies in a manner that didn’t comply with HIPAA. Examples of flexibilities included allowing technology providers access to protected health information (PHI) without a HIPAA Business Associate Agreement (BAA). OCR’s enforcement discretion enabled Covered Entities to minimize the need for in-person visits for all kinds of health care services, not just COVID-19 related care. OCR also implemented flexibilities to promote public health during the COVID-19 pandemic; for example, it allowed for Business Associates to share COVID-19 data with government agencies for such purposes without specific authority to do so under BAAs.  

In response to concerns about the confidentiality of protected health information (PHI) related to reproductive health care less than one year after Dobbs v. Jackson Women’s Health Organization decision, and the prospect of such PHI being weaponized by states and used against patients, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has proposed amendments to the HIPAA Privacy Rule to protect that information.

Generative artificial intelligence creates content and work efficiencies but also comes with legal pitfalls. Mintz Venture Capital & Emerging Companies Practice Co-chair Jeremy Glaser and Associate Lorena Niebla look at the technology's potential uses as well as risks related to data privacy, intellectual property, and more.

The Federal Trade Commission (FTC) recently kicked off enforcement of its Health Breach Notification Rule (Breach Rule) by taking aim at GoodRx’s use of tracking technologies (e.g. pixels) and the sharing of consumer health data for advertising purposes. According to Samuel Levine, director of the FTC's Bureau of Consumer Protection, the FTC “is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation." Bottom line, HIPAA applicability may no longer be as significant of a factor when it comes to the risk presented by collecting, using, disclosing, and maintaining identifiable health information (IHI).

The European Commission has published its long-awaited draft of the new EU-US Data Privacy Framework, available here.  The Data Privacy Framework will replace the Privacy Shield decision that was invalidated in July 2020 by the Schrems II decision. President Biden’s recent Executive Order paved the way for the new Data Privacy Framework by creating a significantly more robust right of redress for people in the EU, along with stronger guardrails and greater oversight for US intelligence agencies’ data privacy compliance.

Covered Entities and Business Associates should promptly and carefully review their use of online tracking technologies on their websites and mobile apps following a bulletin (Bulletin) published by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) last week.  The Bulletin addresses multiple facets of compliance with HIPAA when using online third-party tracking technologies (Tracking Technologies).  In doing so, OCR significantly expands its interpretation of the definition of Protected Health Information (PHI) to include, in some instances, identifiable information gathered by Tracking Technologies where a user visits a website and does not interact with the entity in any other way. In its Bulletin, OCR interprets the act of an individual visiting a website as evidence of a relationship or anticipated future relationship between the visitor and the entity.

This post provides insights and recommendations surrounding the DOJ's charges against 10 defendants involved in business email compromise schemes.

In what is considered the largest privacy-related settlement in history, Google will pay $391.5 million to 40 states to settle an investigation by 40 state attorneys general.  The bipartisan coalition of attorneys general alleged that Google misled users into believing that opting out of sharing their location data prevented the company from tracking users’ locations.