Posts tagged Alaap B. Shah.
Blogs
Clock 7 minute read

Recently, Florida Governor Ron DeSantis signed Senate Bill 262 and Senate Bill 264 into law. These new laws grant Floridians greater control over their personal data and establish a new standard for data handling and protection. Senate Bills 262 and 264 take effect on July 1, 2023.

Blogs
Clock 3 minute read

A recent enforcement action by the Federal Trade Commission (“FTC”) against 1Health.io—which sells “DNA Health Test Kits” to consumers for health and ancestry insights—serves as a reminder that the FTC is increasingly exercising its consumer protection authority in the context of privacy and data protection. This is especially true where the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) does not reach. The FTC’s settlement with 1Health.io highlights a wide range of privacy and security issues companies should consider relating to best practices for updating privacy policies, data retention policies, configuration of cloud storage and vendor management, especially when handling sensitive genetic data.

Blogs
Clock 7 minute read

Introduction

Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade, the federal government, pursuant to President Biden’s Executive Order (the EO), took several steps to protect reproductive health privacy, some of which we previously discussed here. Specifically, the EO called for agencies to protect “women’s fundamental right to make reproductive health decisions.” Shortly following issuance of the EO, the Biden Administration created its HHS Reproductive Healthcare Access Task Force, requiring all relevant federal agencies to draft measurable actions that they could undertake “to protect and bolster access to sexual and reproductive health care.”

Blogs
Clock 4 minute read

On May 18, 2023, the Federal Trade Commission (FTC) filed a Notice of Proposed Rulemaking and Request for Public Comment (“NPRM”) seeking to amend the Health Breach Notification Rule (“HBNR”). We previously wrote about the FTC’s policy statement, in which the FTC took the position that mobile health applications that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are covered by the HBNR. In our post, we highlighted concerns raised in dissent by Commissioner Noah Joshua Phillips that the FTC’s interpretation of “breach of security” was too broad. Commissioner Phillips has since resigned.

Blogs
Clock 4 minute read

In the absence of a federal law directly aimed at regulating artificial intelligence (AI), the Federal Trade Commission (FTC) is seeking to position itself as one of the primary regulators of this emergent technology through existing laws under the FTC’s ambit. As we recently wrote, the FTC announced the establishment of an Office of Technology, designed to provide technology expertise and support the FTC in enforcement actions. In a May 3, 2023 opinion piece published in the New York Times entitled “We Must Regulate A.I. Here’s How,” Lina Khan, the Chairperson of the FTC, outlined at least three potential avenues for FTC enforcement and oversight of artificial intelligence technology.

Blogs
Clock 2 minute read

On April 11, 2023, U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced its plan for termination of the existing notifications of enforcement discretion related to the expiration of the COVID-19 public health emergency (PHE) on May 11, 2023. 

Blogs
Clock 3 minute read

On February 17, 2023, the Federal Trade Commission (“FTC”) announced the creation of the Office of Technology (the “OT”), which will be headed by Stephanie T. Nguyen as Chief Technology Officer. This development comes on the heels of increasing FTC scrutiny of technology companies. The OT will provide technical expertise and strengthen the FTC’s ability to enforce competition and consumer protection laws across a wide variety of technology-related topics, such as artificial intelligence (“AI”), automated decision systems, digital advertising, and the collection and sale of data. In addition to assisting with enforcement matters, the OT will be responsible for, among other things, policy and research initiatives, and advising the FTC’s Office of Congressional Relations and its Office of International Affairs. 

Blogs
Clock 4 minute read

More than just New Year’s resolutions went into effect when the clock struck midnight on January 1, 2023. The California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCDPA”) are now effective in California and Virginia, respectively. These comprehensive data privacy laws, along with three other state laws going into effect this year, establish new and complex obligations for businesses. If your business has not taken steps to prepare for these privacy laws, it is high time to start that process to avoid violations and enforcement likely to follow later in the year. See below for a timeline of key dates.

Blogs
Clock 5 minute read

On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin warning that commonly used website technologies, including cookies, pixels, and session replay, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The bulletin advises that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin is issued amidst a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.

Blogs
Clock 6 minute read

Connecticut becomes the fifth state to pass a comprehensive privacy law. Are you prepared for state privacy law compliance required in 2023?

Blogs
Clock 5 minute read

The success of an artificial intelligence (AI) algorithm depends in large part upon trust, yet many AI technologies function as opaque ‘black boxes.’ Indeed, some are intentionally designed that way. This charts a mistaken course.

Blogs
Clock 2 minute read

Throughout 2021, we closely monitored the latest privacy laws and a surge of privacy, cybersecurity, and data asset management risks that affect organizations, small and large. As these laws continue to evolve, it is important for companies to be aware and compliant. We will continue to monitor these trends for 2022.

The attorneys of the Privacy, Cybersecurity & Data Asset Management group have written on a wide range of notable developments and trends that affect employers and health care providers. In case you missed any, we have assembled a recap of our top 10 blog posts of 2021, with links to each, below:

Blogs
Clock 3 minute read

On October 22, 2019, the Centers for Medicare and Medicaid Services (“CMS”) issued a Request for Information (“RFI”) to obtain input on how CMS can utilize Artificial Intelligence (“AI”) and other new technologies to improve its operations.  CMS’ objectives to leverage AI chiefly include identifying and preventing fraud, waste, and abuse.  The RFI specifically states CMS’ aim “to ensure proper claims payment, reduce provider burden, and overall, conduct program integrity activities in a more efficient manner.”  The RFI follows last month’s White House ...

Blogs
Clock 3 minute read

The market for direct-to-consumer (“DTC”) genetic testing has increased dramatically over recent years as more people are using at-home DNA tests.  The global market for this industry is projected to hit $2.5 billion by 2024.  Many consumers subscribe to DTC genetic testing because they can provide insights into genetic backgrounds and ancestry.  However, as more consumers’ genetic data becomes available and is shared, legal experts are growing concerned that safeguards implemented by U.S. companies are not enough to protect consumers from privacy risks.

Some states vary ...

Blogs
Clock 3 minute read

The healthcare industry is still struggling to address its cybersecurity issues as 31 data breaches were reported in February 2019, exposing data from more than 2 million people.  However, the emergence of artificial intelligence (AI) may provide tools to reduce cyber risk.

AI cybersecurity tools can enable organizations to improve data security by detecting and thwarting potential threats through automated systems that continuously monitor network behavior and identify network abnormalities.  For example, AI may offer assistance in breach prevention by proactively ...

Blogs
Clock less than a minute

Our colleagues at Epstein Becker Green have issued a client alert: "HIPAA Omnibus Rule's Impact on Notices of Privacy Practices," by Patricia M. Wagner, Brandon C. Ge, and Alaap B. Shah.

Following is an excerpt:

This health reform alert summarizes the key changes to the Notice of Privacy Practices ("NPP") requirements in the revised Health Insurance Portability and Accountability Act ("HIPAA") regulations (the "Omnibus Rule") as well as what covered entities need to do to be compliant. Because many covered entities may have modified their NPPs based on the Notice of Proposed ...
