Health Law Advisor

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”).  New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.

Scope and Exemptions

SB 332 imposes obligations on “controllers”  – entities or individuals that determine the purpose and means of processing personal data – that ...

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to Congress setting forth the HIPAA breaches and complaints reported to OCR during calendar year 2020 as well as the enforcement actions taken by OCR in response to those reports. HIPAA covered entities should be aware of the trends identified in these reports and should examine their own compliance in these areas.

As employers continue their efforts to safely bring employees back to the workplace, many have moved beyond initial pre-entry wellness checks or questionnaires and are considering technology solutions that monitor social distancing and conduct contact tracing in real-time. Along with introducing these enhanced capabilities, the question of the privacy and security of employee personally identifiable information (“PII”) and protected health information (“PHI”) continues to loom.

In order to isolate and contain the spread of COVID-19, one critical component of an ...

On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to the third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of protected health information (“PHI”).

As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties.  In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.  

January 28th marks Data Privacy Day which commemorates the signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.  This international treaty is the first of its kind to address privacy and data protection.

Strong privacy and cybersecurity safeguards are paramount to the success of companies and the consumers they serve.  These issues are so critical they took center stage at the annual Consumer Technology Association’s Consumer Electronics Show (CES) held earlier this month where tech companies of all sizes promoted ...

The U.S. Department of Health and Human Services, Office of Civil Rights ("OCR"), the agency tasked with enforcing the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), recently announced that it will redouble its efforts to investigate smaller breaches of Protected Health Information ("PHI") that affect fewer than five-hundred (500) individuals.

It has been widely known that OCR opens an investigation for every breach affecting more than 500 individuals; this announcement describes OCR's new initiative to investigate smaller breaches as well.  OCR ...