Posts tagged Alexander Franchilli.
Blogs
Clock 7 minute read

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Notably, the updated guidance replaces OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such ...

Blogs
Clock 6 minute read

Healthcare organizations continue to be prime targets of cyberattacks. It is well-established that cyberattacks can lead to financial loss, reputational damage, and, in some cases, risks to patient care and safety. The recent and well-publicized cybersecurity incident affecting Change Healthcare further evidences these risks. As a result of the widespread and disruptive impact of this most recent cyberattack on the healthcare ecosystem, on March 5, 2024 the U.S. Department of Human Services (HHS) issued a public statement and has also announced that it opened an ...

Blogs
Clock 9 minute read

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”).  New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.

Scope and Exemptions

SB 332 imposes obligations on “controllers”  – entities or individuals that determine the purpose and means of processing personal data – that ...

Blogs
Clock 2 minute read

New York Governor, Kathy Hochul, recently announced proposed cybersecurity rules for New York hospitals, which are due to be imminently published in the State Register on December 6, 2023, subject to approval by the Public Health and Health Planning Council.  The Governor’s press release indicates the proposed regulations, if enacted, will require New York hospitals to meet at least the following requirements: 

  • Establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks;
  • Develop a response plan for potential cybersecurity ...
Blogs
Clock 6 minute read

In a previous blog, we discussed the Federal Trade Commission’s (“FTC”) proposed changes to its Guides Concerning the Use of Endorsements and Testimonials in Advertising (the “Endorsement Guides”). The Endorsement Guides are intended to help businesses ensure that their endorsement and testimonial advertising conforms with Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” including false advertising. We specifically highlighted the FTC’s proposed changes related to social media platforms and their users, deceptive endorsements by online “influencers,” businesses’ use of consumer reviews, and the impact of advertising on children. Now, approximately one year later, and after receiving and considering public comments on its proposed changes, the FTC has issued its final rule adopting revisions to the Endorsement Guides. See Guides Concerning the Use of Endorsements and Testimonials in Advertising, 88 Fed. Reg. 48092 (July 26, 2023) (to be codified at 16 C.F.R. pt. 255). In issuing its final revised Endorsement Guides, the FTC stated that the changes are intended to “reflect the ways advertisers now reach consumers to promote products and services, including through social media and reviews.” We summarize below the FTC’s final revisions to the same sections of the Endorsement Guides covered in our earlier blog.

Blogs
Clock 6 minute read

On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its long-anticipated cybersecurity reporting rule (the “Final Rule”). The Final Rule applies to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and, in some cases, to foreign private issuers. As quoted in the SEC’s press release, SEC Commissioner Gary Gensler noted that many public companies already make cybersecurity disclosures to investors, and the Final Rule provides uniformity and structure for these future disclosures. The Final Rule also imposes a tight timeline for cybersecurity incident reporting and may include disclosure of an ongoing cybersecurity incident, as well as requiring periodic disclosures concerning organizational cybersecurity risk management processes and governance.

Blogs
Clock 3 minute read

A recent enforcement action by the Federal Trade Commission (“FTC”) against 1Health.io—which sells “DNA Health Test Kits” to consumers for health and ancestry insights—serves as a reminder that the FTC is increasingly exercising its consumer protection authority in the context of privacy and data protection. This is especially true where the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) does not reach. The FTC’s settlement with 1Health.io highlights a wide-range of privacy and security issues companies should consider relating to best practices for updating privacy policies, data retention policies, configuration of cloud storage and vendor management, especially when handling sensitive genetic data. 

Blogs
Clock 4 minute read

On May 18, 2023, the Federal Trade Commission (FTC) filed a Notice of Proposed Rulemaking and Request for Public Comment (“NPRM”) seeking to amend the Health Breach Notification Rule (“HBNR”). We previously wrote about the FTC’s policy statement, in which the FTC took the position that mobile health applications that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are covered by the HBNR. In our post, we highlighted concerns raised in dissent by commissioner Noah Joshua Phillips that the FTC’s interpretation of “breach of security” was too broad. Commissioner Phillips has since resigned.

Blogs
Clock 4 minute read

In the absence of a federal law directly aimed at regulating artificial intelligence (AI), the Federal Trade Commission (FTC) is seeking to position itself as one of the primary regulators of this emergent technology through existing laws under the FTC’s ambit. As we recently wrote, the FTC announced the establishment of an Office of Technology, designed to provide technology expertise and support the FTC in enforcement actions. In a May 3, 2023 opinion piece published in the New York Times entitled “We Must Regulate A.I. Here’s How,” Lina Khan, the Chairperson of the FTC, outlined at least three potential avenues for FTC enforcement and oversight of artificial intelligence technology.

Blogs
Clock 2 minute read

In a March 6, 2023 constituent update, the U.S. Food and Drug Administration (“FDA”) announced the launch of its new Dietary Supplement Ingredient Directory (the “Directory”), which the agency describes as “a one stop shop of ingredient information that was previously found on different FDA webpages.”  According to the FDA, the Directory is “intended to help manufacturers, retailers, and consumers stay informed about ingredients that may be found in products marketed as dietary supplements and quickly locate information about such ingredients on the FDA’s website.”  With the release of the Directory, the FDA is now retiring the “FDA Dietary Supplement Advisory Ingredient List.” 

Blogs
Clock 3 minute read

On February 17, 2023, the Federal Trade Commission (“FTC”) announced the creation of the Office of Technology (the “OT”), which will be headed by Stephanie T. Nguyen as Chief Technology Officer. This development comes on the heels of increasing FTC scrutiny of technology companies. The OT will provide technical expertise and strengthen the FTC’s ability to enforce competition and consumer protection laws across a wide variety of technology-related topics, such as artificial intelligence (“AI”), automated decision systems, digital advertising, and the collection and sale of data. In addition to assisting with enforcement matters, the OT will be responsible for, among other things, policy and research initiatives, and advising the FTC’s Office of Congressional Relations and its Office of International Affairs. 

Blogs
Clock less than a minute

The California Privacy Protection Agency Board (the “Board”) held a public meeting on February 3, 2023, adopting and approving the current set of draft rules (the “Draft Rules”), which implement and clarify the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”). The Draft Rules cover many CCPA requirements, including restrictions on the collection and use of personal information, transparency obligations, consumer rights and responding to consumer requests, and service provider contract requirements. At the meeting, the Board also addressed additional proposed rulemaking processes concerning cybersecurity audits, risk assessments, and automated decision-making. 

Blogs
Clock 4 minute read

On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement. 

Blogs
Clock 5 minute read

On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin warning that commonly used website technologies, including cookies, pixels, and session replay, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The bulletin advises that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin is issued amidst a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.

Blogs
Clock 6 minute read

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

Blogs
Clock 6 minute read

Recent decisions from the European Union (EU) have placed renewed focus on the use of common cookies used on ecommerce and other websites used by consumers and employees and transfers of personal data collected through cookies to the United States. The EU Data Protection Authorities (DPAs) found that the use of widely used website technologies (i.e., cookies and java script) to automatically collect identifiers from the users’ devices or through their use of internet protocols (e.g., IP addresses) resulted in the collection of personal data. The DPAs further found that the subsequent transfer of this data to Google servers located in the United States violated EU cross-border data transfer requirements because there were inadequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. One notable impact of the decisions is to dismiss the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and can be compelled to surrender it in order for the data to be decrypted and read by U.S. surveillance authorities. Consideration of the impact of these decisions is critically important for ecommerce and other websites operating in the EU, as well as more generally for organizations that transfer personal data of consumers and employees to the U.S.

Blogs
Clock 5 minute read

The Federal Trade Commission (“FTC”) recently issued guidance clarifying protections applicable to consumers’ sensitive personal data increasingly collected by so-called “health apps.” The FTC press release indicated it has approved a policy statement by a vote of 3-2 offering guidance that organizations using “health applications and connected devices” to “collect or use” consumers’ personal health information must comply with the cybersecurity, privacy and notification mandates of the Health Breach Notification Rule (the “Rule”).

The ...

Blogs
Clock less than a minute

Our colleagues Brian Cesaratto and Alexander Franchilli of Epstein Becker Green have a new post on Workforce Bulletin that will be of interest to our readers: “NAME:WRECK” Cybersecurity Vulnerability Highlights Importance of Newly Issued IoT Act".

The following is an excerpt:

A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices[1] highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout ...

Search This Blog

Blog Editors

Recent Updates

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.