Health Law Advisor

The HIPAA Security Rule was originally promulgated over 20 years ago. While it historically provided an important regulatory floor for securing electronic protected health information, the Security Rule’s lack of prescriptiveness, combined with advances in technology and evolution of the cybersecurity landscape, increasingly indicate the HIPAA Security Rule neither reflects cybersecurity best practices nor effectively mitigates the proliferation of cyber risks in today’s interconnected digital world.  On December 27, 2024, the HHS Office of Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking, including significant changes to strengthen the HIPAA Security Rule (the “Proposed Rule”).  In its announcement, OCR stated that the Proposed Rule seeks to “strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.”  One key aim of the Proposed Rule is to provide a much clearer roadmap to achieve Security Rule compliance.

The Proposed Rule contains significant textual modifications to the current HIPAA Security Rule.  While the actual redline changes may appear daunting, the proposed new requirements are aimed at aligning with current cybersecurity best practices as reflected across risk management frameworks, including NIST’s Cybersecurity Framework.  For organizations that have already adopted these “best practices”, many of the new Proposed Rule requirements will be familiar and, in many cases, will have already been implemented.  Indeed, for such organizations, the biggest challenge will be to comply with the new administrative requirements, which will involve policy updates, updates to business associate agreements, increased documentation rules (including mapping requirements), and the need for additional vendor management.  For organizations that are still trying to meaningfully comply with the existing HIPAA Security Rule, or that seek to extend the Rule’s application to new technologies and systems handling PHI, the Proposed Rule will likely require significant investment of human and financial resources to meet the new requirements.

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”).  New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.

Scope and Exemptions

SB 332 imposes obligations on “controllers”  – entities or individuals that determine the purpose and means of processing personal data – that ...

Recently, Florida Governor Ron DeSantis signed Senate Bill 262 and Senate Bill 264 into law. These new laws grant Floridians greater control over their personal data and establish a new standard for data handling and protection. Senate Bills 262 and 264 take effect on July 1, 2023.

A recent enforcement action by the Federal Trade Commission (“FTC”) against 1Health.io—which sells “DNA Health Test Kits” to consumers for health and ancestry insights—serves as a reminder that the FTC is increasingly exercising its consumer protection authority in the context of privacy and data protection. This is especially true where the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) does not reach. The FTC’s settlement with 1Health.io highlights a wide-range of privacy and security issues companies should consider relating to best practices for updating privacy policies, data retention policies, configuration of cloud storage and vendor management, especially when handling sensitive genetic data. 

One of the European Parliament’s 20 committees, the Civil Liberties Committee (“LIBE”), voted on October, 21, 2013 on a proposed EU General Data Protection Regulation. The regulation includes an increased level of fines and new regulatory requirements (in case of certain international data transfers and disclosure requests for personal data by foreign courts or authorities). Companies should monitor these issues closely in the next couple of months. Most likely, after the plenary vote on November 18-21, the Parliament will push for rapid negotiations with the Council ...