Health Law Advisor

In response to several high-profile cybersecurity incidents affecting hospitals and other health care providers, including the Change Healthcare breach, new federal legislation was recently introduced by Senators Ron Wyden (D-OR) and Mark Warner (R-VA). The health care industry has received intense criticism for perceived weaknesses in cybersecurity protections.   As stated in a summary of HISAA prepared by the Senate Finance Committee: 

According to the FBI, the health care sector is now the #1 target of ransomware. These hacks are entirely preventable and are the direct result of lax cybersecurity practices by health care providers and their business partners. Cybersecurity failures have delayed and disrupted patient care, and have harmed patient health and privacy, as well as national security. Despite these high stakes, health care has some of the weakest cybersecurity rules of any federally regulated industry.

The new legislation, the Health Infrastructure Security and Accountability Act (HISAA), would create significant new security requirements applicable to HIPAA Covered Entities and Business Associates designed to address cybersecurity risks, require ongoing risk assessments and audits related cybersecurity practices, establish new penalties for noncompliance with these requirements and remove HIPAA statutory caps on such penalties, and create funding incentives and Medicare payment reduction disincentives for entities subject to these requirements.  

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The updated guidance replaced OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such as cookies and pixels, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of HIPAA, including “individually identifiable health information” (“IIHI”). The guidance explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”).

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”).  New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.

Scope and Exemptions

SB 332 imposes obligations on “controllers”  – entities or individuals that determine the purpose and means of processing personal data – that ...

The 21st Century digital age has provided women with numerous sexual and reproductive health tools that track periods, ovulation, and pregnancy. By simply plugging certain health data inputs into these apps, women can now accurately track the most intimate moments of their lives. But is this sensitive health information secure?

On June 16, 2023, Nevada enacted Senate Bill 370 (“SB 370”), which imposes broad restrictions on the collection, use, and sale of consumer health data. This law is set to go into effect on March 31, 2024.

Introduction

Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade, the federal government, pursuant to President Biden’s Executive Order (the EO) took several steps to protect reproductive health privacy, some of which we previously discussed here. Specifically, the EO called for agencies to protect “women’s fundamental right to make reproductive health decisions.” Shortly following issuance of the EO, the Biden Administration created its HHS Reproductive Healthcare Access Task Force, requiring all relevant federal agencies to draft measurable actions that they could undertake “to protect and bolster access to sexual and reproductive health care.”  

On July 8, two weeks following the Supreme Court’s ruling in Dobbs v. Jackson that invalidated the constitutional right to abortion, President Biden signed Executive Order 14076 (E.O.). The E.O. directed federal agencies to take various actions to protect access to reproductive health care services,[1] including directing the Secretary of the U.S. Department of Health and Human Services (HHS) to “consider actions” to strengthen the protection of sensitive healthcare information, including data on reproductive healthcare services like abortion, by issuing new guidance under the Health Insurance and Accountability Act of 1996 (HIPAA).[2]

The U.S. Supreme Court is expected to imminently issue its opinion in the case Dobbs v. Jackson Women’s Health Organization (“Dobbs”). If the Court rules in a manner to overturn Roe v. Wade, states will have discretion in determining how to regulate abortion services.^[1] Such a ruling would overturn nearly 50 years of precedent, leaving patients, reproductive health providers, health plans, pharmacies, and may other stakeholders to navigate a host of uncharted legal issues. Specifically, stakeholders will likely need to untangle the web of cross-state legal issues that may emerge.

The success of an artificial intelligence (AI) algorithm depends in large part upon trust, yet many AI technologies function as opaque ‘black boxes.’ Indeed, some are intentionally designed that way. This charts a mistaken course.

Our colleagues Brian Cesaratto and Alexander Franchilli of Epstein Becker Green have a new post on Workforce Bulletin that will be of interest to our readers: “NAME:WRECK” Cybersecurity Vulnerability Highlights Importance of Newly Issued IoT Act".

The following is an excerpt:

A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices[1] highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout ...

Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, obtained two large breach-related settlements: one from a HIPAA Covered Entity and one from a HIPAA Business Associate.  These enforcement actions signal that despite COVID-19 related challenges, organizations continue to face rampant data breaches and ensuing HIPAA enforcement.

On September 25, 2020, OCR settled an investigation into a breach suffered by a large health insurer by obtaining the second-largest resolution payment in HIPAA enforcement history ($6.85 million).  This enforcement action resolved an investigation concerning potential violations of HIPAA Privacy and Security Rules related to a breach affecting the electronic protected health information (ePHI) of more than 10.4 million people.  The breach resulted from a phishing attack that introduced malware into the insurer’s IT systems and allowed unauthorized actors to gain access and remain undetected for nearly nine months.  Similarly on September 23, 2020, a business associate providing IT and health information management services to hospitals and physicians clinics entered a settlement ($2.3 million) with OCR for potential violations of HIPAA Privacy and Security Rules related to a breach affecting over 6 million people.  Essentially, these cyberattacks were advanced persistent threats that compromised the privacy and security of ePHI and PHI and revealed longstanding gaps in the companies’ cybersecurity controls.

On January 1, 2020 California Consumer Privacy Act (“CCPA”) largely came into effect, albeit with several last-minute modifications and a need to promulgate regulations.  As our colleagues have discussed previously here, CCPA joins other California laws safeguarding California residents’ privacy rights under the California Constitution.  Despite uncertainty around the final regulatory parameters of the law, CCPA grants the California Attorney General (AG) the authority to begin enforcement on July 1, 2020. Further, there have been no indications that such enforcement will be delayed.

Re-issued Proposed CCPA Regulations

After the California legislature passed several amendments to the CCPA in October 2019, the California AG has been working on proposed regulations.  The proposed regulations, initially introduced on October 12, 2019, went through three rounds of comment periods and were recently amended and reissued as the “Final Text of Regulations” on June 1, 2020.  These proposed regulations notably add new aspects and regulatory hurdles to CCPA implementation most notably: (i) increasing requirements for initial notices; and (ii) adding new requirements on the contents in business’s privacy policies.  These reissued proposed regulations were submitted to the California Office of Administrative Law (OAL) for review.  The OAL has thirty working days to review these regulations, plus an additional sixty calendar days under the California Governor’s Executive Order N-40-20 related to the COVID-19 pandemic, to review the regulations for procedural compliance with state law.

CCPA Proposed Regulatory Framework

The CCPA applies to any for-profit business that: (i) collects personal information on California residents; (ii) does business in the state of California; and (iii) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25,000,000; (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.  Businesses that hit the thresholds will be covered even if they are located outside the state of California.

Notably, companies subject to CCPA must “at or before the point of collection” of personal information provide notice to consumers informing them of the categories of personal information the company collects and what purpose the information is used by the company.  In addition, CCPA requires businesses to post a clear and conspicuous link on their website that says "Do Not Sell My Personal Information" and then to enable consumers to opt-out of the sale of their data to third parties.  CCPA also establishes a wide-range of rights to consumers (as specified below).  Companies should be aware of the potential added cost of business in responding to these rights and ensure that they do not discriminate against any individual who exercises their rights under CCPA.