Health Law Advisor

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Notably, the updated guidance replaces OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such ...

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”).  New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.

Scope and Exemptions

SB 332 imposes obligations on “controllers”  – entities or individuals that determine the purpose and means of processing personal data – that ...

Recently, Florida Governor Ron DeSantis signed Senate Bill 262 and Senate Bill 264 into law. These new laws grant Floridians greater control over their personal data and establish a new standard for data handling and protection. Senate Bills 262 and 264 take effect on July 1, 2023.

Introduction

Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade, the federal government, pursuant to President Biden’s Executive Order (the EO) took several steps to protect reproductive health privacy, some of which we previously discussed here. Specifically, the EO called for agencies to protect “women’s fundamental right to make reproductive health decisions.” Shortly following issuance of the EO, the Biden Administration created its HHS Reproductive Healthcare Access Task Force, requiring all relevant federal agencies to draft measurable actions that they could undertake “to protect and bolster access to sexual and reproductive health care.”  

On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin warning that commonly used website technologies, including cookies, pixels, and session replay, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The bulletin advises that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin is issued amidst a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.

On July 8, two weeks following the Supreme Court’s ruling in Dobbs v. Jackson that invalidated the constitutional right to abortion, President Biden signed Executive Order 14076 (E.O.). The E.O. directed federal agencies to take various actions to protect access to reproductive health care services,[1] including directing the Secretary of the U.S. Department of Health and Human Services (HHS) to “consider actions” to strengthen the protection of sensitive healthcare information, including data on reproductive healthcare services like abortion, by issuing new guidance under the Health Insurance and Accountability Act of 1996 (HIPAA).[2]

The U.S. Supreme Court is expected to imminently issue its opinion in the case Dobbs v. Jackson Women’s Health Organization (“Dobbs”). If the Court rules in a manner to overturn Roe v. Wade, states will have discretion in determining how to regulate abortion services.^[1] Such a ruling would overturn nearly 50 years of precedent, leaving patients, reproductive health providers, health plans, pharmacies, and may other stakeholders to navigate a host of uncharted legal issues. Specifically, stakeholders will likely need to untangle the web of cross-state legal issues that may emerge.

Medical providers are often asked, or feel obligated, to disclose confidential information about patients.  This blog post discusses when disclosures of confidential medical information involve law enforcement, but the general principles discussed herein are instructive in any scenario.  To protect patient confidentiality and avoid costly civil liability arising from improper disclosures, it is imperative that providers ask questions to assess the urgency of any request and to understand for what purpose the information is sought by authorities.  Knowing what questions to ask at the outset prepares providers to make informed decisions about disclosing confidential information in a manner that balances the obligation to maintain patient confidentiality and trust with legitimate law enforcement requests for information aimed at protecting the public.

In a recent blog post, colleagues in our Employment, Labor & Workforce Management practice addressed the legal framework pertaining to coronavirus (COVID-19) risks in the workplace.  As the number of cases continues to the climb in the U.S., it is imperative that HIPAA covered entities and their business associates are aware of their privacy and security responsibilities in the midst of this public health emergency.  EBG provides this guidance on how to effectively respond to the coronavirus public health crisis while navigating patient privacy issues.