Last January, in University of Texas M.D. Anderson Cancer Center v. HHS, 985 F.3d 472, the Fifth Circuit Court of Appeals cast a pretty big shadow of doubt over data security enforcement by the Department of Health and Human Services. But it's not game over for HHS Health Insurance Portability and Accountability Act enforcement. Of the court's four rationales, one seems clearly wrong (although it highlights an important issue), one seems right, the third appears to require more care by HHS when ... Read More

Only a month into 2021, and U.S. privacy professionals are already trying to keep up with fast-moving legislative developments and other privacy initiatives. The whirlwind of action spans across the privacy space, including some potential movement in the health care industry on the Health Insurance Portability and Accountability Act.  The U.S. Department of Health and Human Services' Office for Civil Rights announced Dec. 10, 2020, that a Notice of Proposed Rulemaking was drafted to modify prov... Read More

The rapid growth in telehealth has predictably spawned the development of a variety of new software solutions to serve the needs of both doctors and patients. While the field is wide open for application developers, the area of telemedicine also presents some unique data privacy and security challenges. Of course, the principles of privacy by design tell us that data privacy concerns should be integrated into the entire design process, but this imperative becomes all the more important and chall... Read More

The U.S. government just eased the path for doctors and nurses to do video chats with patients by lifting privacy and security compliance penalties and enforcement action against health care providers. The Office for Civil Rights at the U.S Department of Health and Human Services Tuesday said it will allow health care providers to use technology, such as Apple FaceTime, Facebook Messenger video chat or other video platforms, to communicate with patients. But, while federal response to the COVID... Read More

We would understand if health care organizations have been ignoring the California Consumer Privacy Act of 2018. The act was signed June 28, just before the July 4 holiday, most privacy pros have a GDPR hangover, and there’s a HIPAA exemption, so who cares — right? Dear readers: It is our unfortunate duty to inform you that this act will significantly impact health care organizations. In a nutshell, the California Consumer Privacy Act requires “businesses” involved in the “processing” of “pers... Read More

Another frontier in the privacy landscape is emerging, as countries like the U.S. address deficiencies with how sensitive medical data is processed by third parties outside Health Insurance Portability and Accountability Act and other legislative protections. Around the world, leading neuroscientists, neuroethicists, privacy advocates and legal minds are taking greater interest in brain data and its potential. Opinions vary widely on the long-term advancements in technology designed to measure... Read More

Digital transformation is progressing in the health care sector, with electronic patient files, health apps, mobile health wearables, connected medical devices and even remote emergency doctors. Digital transformation generates large volumes of data, which offer a wide range of opportunities for research and innovation. When it comes to patient data, these opportunities may clash with the requirements under applicable data protection laws, particularly consent requirements. However, consent as l... Read More

In early February, the U.S. Federal Trade Commission published a proposed order that fines telehealth and discount prescription provider GoodRX $1.5 milllion. Though part of the case involves deception — one of two prongs under the FTC Act — the case also raises the first-of-its-kind use of the Health Breach Notification Rule. To help better understand the novel and complex issues embedded in the case, IAPP Editorial Director Jedidiah Bracy, CIPP, caught up with WilmerHale Partner Kirk Nahra, CI... Read More

In what the U.S. Federal Trade Commission calls a "first-of-its-kind" enforcement action, the FTC filed a proposed order against GoodRx, a U.S. health care company, for violating the Health Breach Notification Rule and the FTC Act. The proposed order prohibits GoodRx from disclosing user health data for advertising purposes and requires payment of a $1.5 million civil penalty, 0.2% of the company's 2021 gross global revenue. This case signals an increase in the FTC's use of its unfairness author... Read More

For better or worse, digital technologies have undeniably transformed many aspects of daily life. Experiences interacting with the digital world can be different for everyone, especially neurodiverse people. Many neurodiverse people reap its benefits by connecting with other like-minded people through online communities, accessing plentiful knowledge about topics of interest, and learning different strategies for navigating a world built around the needs of neurotypical people. At the same time,... Read More

The U.S. Federal Trade Commission released an updated Mobile Health App Interactive Tool. The application, first developed in conjunction with the HHS' Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration, aims to help health care app developers determine if the app is compliant with federal laws and regulations. The interactive tool asks users questions about the app's functionality and the data it collects. It then ... Read More

The U.S. Department of Health and Human Services’ Office for Civil Rights issued new guidance for “recognized security practices” for enforcing the Health Insurance Portability and Accountability Act, InfoSecurity reports. The guidance clarifies a 2021 rule added into the Health Information Technology for Economic and Clinical Health Act of 2009 which required OCR to evaluate “regulated entities’ implementation of ‘recognized security practices’" over the prior year “when the agency makes certai... Read More

More than three months have passed since the U.S. Supreme Court rendered its decision to reverse Roe v. Wade and remove the constitutional right to an abortion. Implications for individual privacy rights and data privacy stemming from the decision are clear and continue to be worked through. But simply working toward a solution won't suffice for arriving at concrete fixes, according to participants in a keynote panel at the opening general session of the IAPP Privacy. Security. Risk. 2022 confe... Read More

The Dobbs v. Jackson Women's Health Supreme Court decision has raised the stakes for privacy protections of health data in the U.S. By the end of the year, the femtech market — that is, digital tools such as mobile applications related to women's health — is estimated to be a $51.6 billion global market, more than a third of the total valuation of digital health. While the repercussions of gaps in U.S. digital health data protections extend well beyond women's health, the post-Dobbs privacy conc... Read More

Definitions can be messy, especially when they move from dictionaries to law books. Just look at the idea of genetic data and ponder this riddle: When is a medical test result genetic information? The National Institute of Standards and Technology definition of “genomic information” says it is limited to information based on an individual’s genome, such as a sequence of DNA or the results of genetic testing. Privacy laws broaden the scope of covered data within such a functional definition — pe... Read More

On June 24, the U.S. Supreme Court overturned Roe v. Wade, confirming the understanding contained in the draft decision leaked in early May. Roe v. Wade is a paradigmatic decision that secured the constitutional right to abortion in the country in 1973. After 49 years, it came to an end. The recent decision allows a number of U.S. states to adopt laws criminalizing abortion in a short time. It is thought that approximately half of the U.S. states will ban or severely restrict the practice. This... Read More

The draft American Data Privacy and Protection Act that is the focus of current attention raises many complex issues. I want to focus on one detail from the bill. My basic objective is to illustrate some of the difficulties of regulating health information that exists outside the health care system. The bill defines sensitive covered data to include “Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatm... Read More

The U.S. Supreme Court's recent decision to overturn Roe v. Wade dealt a blow to women's rights with the constitutional right to an abortion nullified and individual state legislatures now ultimately in charge of deciding if, when and for what reason a woman is allowed to have the procedure. The 6-3 ruling from Supreme Court Justices was expected after a draft opinion leaked in May. The issue cuts largely at the heart of women's civil rights, but the privacy implications of the reversal are bei... Read More

Earlier this month a draft of the proposal for the European Health Data Space Regulation was released. The EHDS is one of nine European data spaces identified in the European Commission's 2020 European Strategy for Data, and very much a priority for the commission. It builds on the Data Governance Act and the recently released proposal for the Data Act. Those acts are horizontal in nature; the EHDS Regulation would provide more specific sectoral measures in the area of health. The draft proposa... Read More

That the trans-Atlantic data relationship needs some healing and repair is well-understood. The highly innovative biotechnology sector delivers breakthrough innovations that transform health care, promote public health and cure once incurable diseases. Perhaps a remedy to the trans-Atlantic data relationship is not beyond the sector's reach as well. Data flows between the United States and the European Union are critical for advancing biomedical research. Collaborations between researchers on b... Read More

HIPAA and COVID-19 have been in the news together a lot lately. Most of what you see is wrong. Here’s a refresher — for yourself, and your strange friend who read something on the internet and is now a HIPAA expert or, all too frequently, a “HIPPA” expert.  First, HIPAA is not an overall health information privacy rule. The name of the statute may give some clues — the Health Insurance Portability and Accountability Act. The single “P” in the name is for portability, not privacy. Neither privac... Read More

IAPP CEO and President J. Trevor Hughes, CIPP, hosted Pfizer's Chief Privacy Officer Patrice Ettinger during the IAPP's "Profiles in Privacy" series June 17 on LinkedIn Live. The mission of multi-national biopharmaceutical company Pfizer is to deliver “breakthroughs that change patients’ lives.” Chief Privacy Officer Patrice Ettinger, CIPP/US, said she may never have understood that more than she has over the past 18 months. “In 2020, I and probably everybody else were able to relate to that i... Read More

Who would have predicted a pandemic? And yet, it seems that somehow, we have learned to live with COVID-19. But have we also learned or reinforced "hidden" data-processing techniques?  Always relevant, but in the last year more than ever, is the discussion on data and privacy protection. EU data protection authorities agree personal data protection must be ensured even in these exceptional times, especially when it comes to the generally prohibited processing of health data (Article 9 of the EU... Read More

Amidst the shifting employment landscape created by COVID-19, employers requiring employees to disclose their vaccination status has become a hot — yet murky — topic rife with privacy-related risks. Vaccination requirements are expected to soon “become dominant in the workplace” due to President Joe Biden’s recent COVID-19 Action Plan. Some employers will be required to impose vaccine mandates for their employees; some will be required to ensure their employees are either vaccinated or tested we... Read More

As the COVID-19 pandemic has unfolded over the past year, Microsoft Corporate Vice President and Deputy General Counsel Julie Brill said there has been an unparalleled digital transformation. The company’s collaboration platforms, like Microsoft Teams, saw “enormous growth” of 160% to 170%, Brill said, as those who could shifted to working online. “What that meant was we had technology much more in our lives, in terms of how we were working, how we were socializing, how we were engaging with o... Read More

Over the past few months, millions received the option to receive "Exposure Notifications " through Apple or Google. The technology took off: millions of individuals downloaded applications or opted-in to exposure notifications. The Bluetooth Low Energy technology that powers the system, the privacy-by-design of the system and the increase in privacy-centric marketing demonstrate how the COVID-19 pandemic has increased awareness of potential privacy harms while providing a roadmap for the rollou... Read More

At the beginning of each school year, there are many papers to be signed. I agree I have (1) read the student handbook, (2) health forms, (3) appropriate use of technology at school, (4) photos of my children for promotional purposes, and so on. Then, this year out of the blue, a new consent shows up — a consent to record classes for operational purposes — and if I don’t sign it, it will significantly impact my child’s education. Wait … what?  This doesn’t sound right. What exactly are opera... Read More

Business and health care data are the new “honeypot,” an attractive and lucrative source of revenue to the modern hacker. A report from IBM in July 2020 reported that the average cost of a health care breach was $7.13 million per breach, noting “compromised employee accounts were the most expensive root cause, and that 80% of these incidents resulted in the exposure of customers' personally identifiable information.”  The COVID-19 pandemic has exposed how unprepared many health care providers w... Read More

While the COVID-19 pandemic has necessitated using data to analyze and map its origins and spread, Philippines National Privacy Commissioner and Chairman Raymund Liboro said “our data subjects need us now more than ever.” During the pandemic, data privacy professionals play an important role in protecting data, fostering privacy rights, and earning and maintaining the trust of those they serve, Liboro recently told fellow privacy commissioners, privacy officers in the corporate sector and membe... Read More

The U.S. Department of Health and Human Services' Office for Civil Rights published resources for providers and patients explaining privacy and security risks when using telehealth services. "Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private," OCR Director Melanie Fontes Rainer said.Full story... Read More

The state of Washington has led the way in creating the first set of guardrails (a geofence, some would say? pun intended) around consumer health data — which has now  been followed by copycat laws such as the recently passed Connecticut Senate Bill 3 — to fill the void left by the landmark Dobbs decision overturning Roe v. Wade. Recent legislative and regulatory actions, including the Federal Trade Commission cases Premom, GoodRX and Flo, were particularly challenging because companies and con... Read More

Over decades, observers have witnessed the emergence of a void within U.S. privacy law with respect to the protection of health information. Due to limitations in the scope of the Health Insurance Portability and Accountability Act, a broad array of health data, such as that collected by mobile devices, apps or wearable fitness trackers, has remained mostly outside the law’s reach. Indeed, privacy expert James Dempsey has even estimated "the majority of health-related data" may fall outside of H... Read More

When her parents' careers as doctors took her family to Saudi Arabia when she was 5 years old, Sue Khan would join her mom during her work as a general practitioner — watching as patients, especially women from neighboring Yemen, would seek treatment without understanding their bodies. "It was not uncommon for women to seek treatment for pain related to their periods or even pregnancy without knowing much about their reproductive health. It became apparent to me at a young age how important cle... Read More

Another frontier in the privacy landscape is emerging, as countries like the U.S. address deficiencies with how sensitive medical data is processed by third parties outside Health Insurance Portability and Accountability Act and other legislative protections. Around the world, leading neuroscientists, neuroethicists, privacy advocates and legal minds are taking greater interest in brain data and its potential. Opinions vary widely on the long-term advancements in technology designed to measure... Read More

Digital transformation is progressing in the health care sector, with electronic patient files, health apps, mobile health wearables, connected medical devices and even remote emergency doctors. Digital transformation generates large volumes of data, which offer a wide range of opportunities for research and innovation. When it comes to patient data, these opportunities may clash with the requirements under applicable data protection laws, particularly consent requirements. However, consent as l... Read More

In early February, the U.S. Federal Trade Commission published a proposed order that fines telehealth and discount prescription provider GoodRX $1.5 milllion. Though part of the case involves deception — one of two prongs under the FTC Act — the case also raises the first-of-its-kind use of the Health Breach Notification Rule. To help better understand the novel and complex issues embedded in the case, IAPP Editorial Director Jedidiah Bracy, CIPP, caught up with WilmerHale Partner Kirk Nahra, CI... Read More

In what the U.S. Federal Trade Commission calls a "first-of-its-kind" enforcement action, the FTC filed a proposed order against GoodRx, a U.S. health care company, for violating the Health Breach Notification Rule and the FTC Act. The proposed order prohibits GoodRx from disclosing user health data for advertising purposes and requires payment of a $1.5 million civil penalty, 0.2% of the company's 2021 gross global revenue. This case signals an increase in the FTC's use of its unfairness author... Read More

For better or worse, digital technologies have undeniably transformed many aspects of daily life. Experiences interacting with the digital world can be different for everyone, especially neurodiverse people. Many neurodiverse people reap its benefits by connecting with other like-minded people through online communities, accessing plentiful knowledge about topics of interest, and learning different strategies for navigating a world built around the needs of neurotypical people. At the same time,... Read More

The U.S. Federal Trade Commission released an updated Mobile Health App Interactive Tool. The application, first developed in conjunction with the HHS' Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration, aims to help health care app developers determine if the app is compliant with federal laws and regulations. The interactive tool asks users questions about the app's functionality and the data it collects. It then ... Read More

The U.S. Department of Health and Human Services’ Office for Civil Rights issued new guidance for “recognized security practices” for enforcing the Health Insurance Portability and Accountability Act, InfoSecurity reports. The guidance clarifies a 2021 rule added into the Health Information Technology for Economic and Clinical Health Act of 2009 which required OCR to evaluate “regulated entities’ implementation of ‘recognized security practices’" over the prior year “when the agency makes certai... Read More

More than three months have passed since the U.S. Supreme Court rendered its decision to reverse Roe v. Wade and remove the constitutional right to an abortion. Implications for individual privacy rights and data privacy stemming from the decision are clear and continue to be worked through. But simply working toward a solution won't suffice for arriving at concrete fixes, according to participants in a keynote panel at the opening general session of the IAPP Privacy. Security. Risk. 2022 confe... Read More

The Dobbs v. Jackson Women's Health Supreme Court decision has raised the stakes for privacy protections of health data in the U.S. By the end of the year, the femtech market — that is, digital tools such as mobile applications related to women's health — is estimated to be a $51.6 billion global market, more than a third of the total valuation of digital health. While the repercussions of gaps in U.S. digital health data protections extend well beyond women's health, the post-Dobbs privacy conc... Read More

Definitions can be messy, especially when they move from dictionaries to law books. Just look at the idea of genetic data and ponder this riddle: When is a medical test result genetic information? The National Institute of Standards and Technology definition of “genomic information” says it is limited to information based on an individual’s genome, such as a sequence of DNA or the results of genetic testing. Privacy laws broaden the scope of covered data within such a functional definition — pe... Read More

On June 24, the U.S. Supreme Court overturned Roe v. Wade, confirming the understanding contained in the draft decision leaked in early May. Roe v. Wade is a paradigmatic decision that secured the constitutional right to abortion in the country in 1973. After 49 years, it came to an end. The recent decision allows a number of U.S. states to adopt laws criminalizing abortion in a short time. It is thought that approximately half of the U.S. states will ban or severely restrict the practice. This... Read More

The draft American Data Privacy and Protection Act that is the focus of current attention raises many complex issues. I want to focus on one detail from the bill. My basic objective is to illustrate some of the difficulties of regulating health information that exists outside the health care system. The bill defines sensitive covered data to include “Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatm... Read More

The U.S. Supreme Court's recent decision to overturn Roe v. Wade dealt a blow to women's rights with the constitutional right to an abortion nullified and individual state legislatures now ultimately in charge of deciding if, when and for what reason a woman is allowed to have the procedure. The 6-3 ruling from Supreme Court Justices was expected after a draft opinion leaked in May. The issue cuts largely at the heart of women's civil rights, but the privacy implications of the reversal are bei... Read More

Earlier this month a draft of the proposal for the European Health Data Space Regulation was released. The EHDS is one of nine European data spaces identified in the European Commission's 2020 European Strategy for Data, and very much a priority for the commission. It builds on the Data Governance Act and the recently released proposal for the Data Act. Those acts are horizontal in nature; the EHDS Regulation would provide more specific sectoral measures in the area of health. The draft proposa... Read More

That the trans-Atlantic data relationship needs some healing and repair is well-understood. The highly innovative biotechnology sector delivers breakthrough innovations that transform health care, promote public health and cure once incurable diseases. Perhaps a remedy to the trans-Atlantic data relationship is not beyond the sector's reach as well. Data flows between the United States and the European Union are critical for advancing biomedical research. Collaborations between researchers on b... Read More

HIPAA and COVID-19 have been in the news together a lot lately. Most of what you see is wrong. Here’s a refresher — for yourself, and your strange friend who read something on the internet and is now a HIPAA expert or, all too frequently, a “HIPPA” expert.  First, HIPAA is not an overall health information privacy rule. The name of the statute may give some clues — the Health Insurance Portability and Accountability Act. The single “P” in the name is for portability, not privacy. Neither privac... Read More

IAPP CEO and President J. Trevor Hughes, CIPP, hosted Pfizer's Chief Privacy Officer Patrice Ettinger during the IAPP's "Profiles in Privacy" series June 17 on LinkedIn Live. The mission of multi-national biopharmaceutical company Pfizer is to deliver “breakthroughs that change patients’ lives.” Chief Privacy Officer Patrice Ettinger, CIPP/US, said she may never have understood that more than she has over the past 18 months. “In 2020, I and probably everybody else were able to relate to that i... Read More

Who would have predicted a pandemic? And yet, it seems that somehow, we have learned to live with COVID-19. But have we also learned or reinforced "hidden" data-processing techniques?  Always relevant, but in the last year more than ever, is the discussion on data and privacy protection. EU data protection authorities agree personal data protection must be ensured even in these exceptional times, especially when it comes to the generally prohibited processing of health data (Article 9 of the EU... Read More