Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts. Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.
Over the next year, the following laws will become effective:
- Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
- Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
- Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
- Nebraska Data Privacy Act (effective Jan. 1, 2025)
- New Hampshire Privacy Act (effective Jan. 1, 2025)
- New Jersey Data Privacy Act (effective Jan. 15, 2025)
- Tennessee Information Protection Act (effective July 1, 2025)
- Minnesota Consumer Data Privacy Act (effective July 31, 2025)
- Maryland Online Data Privacy Act (effective Oct. 1, 2025)
These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here. All nine laws listed above contain the following familiar requirements:
On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Notably, the updated guidance replaces OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such ...
Introduction
Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade, the federal government, pursuant to President Biden’s Executive Order (the EO) took several steps to protect reproductive health privacy, some of which we previously discussed here. Specifically, the EO called for agencies to protect “women’s fundamental right to make reproductive health decisions.” Shortly following issuance of the EO, the Biden Administration created its HHS Reproductive Healthcare Access Task Force, requiring all relevant federal agencies to draft measurable actions that they could undertake “to protect and bolster access to sexual and reproductive health care.”
On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin warning that commonly used website technologies, including cookies, pixels, and session replay, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The bulletin advises that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin is issued amidst a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to Congress setting forth the HIPAA breaches and complaints reported to OCR during calendar year 2020 as well as the enforcement actions taken by OCR in response to those reports. HIPAA covered entities should be aware of the trends identified in these reports and should examine their own compliance in these areas.
On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to the third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of protected health information (“PHI”).
As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties. In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.
January 28th marks Data Privacy Day which commemorates the signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. This international treaty is the first of its kind to address privacy and data protection.
Strong privacy and cybersecurity safeguards are paramount to the success of companies and the consumers they serve. These issues are so critical they took center stage at the annual Consumer Technology Association’s Consumer Electronics Show (CES) held earlier this month where tech companies of all sizes promoted ...
On December 14, 2018 the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request For Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.” OCR is seeking comments for a series of 54 different specific questions (many with additional subparts ...
In the tech world, blockchain technology appears to be the panacea to all problems. As blockchain technology becomes increasingly popular, many industries are trying to determine the best way to use the new phenomenon. Healthcare is no different in this quest. Health care is an optimal candidate to benefit from development of innovative ways to solve its impending issues using transformational technology. Blockchain could be the technology that helps to alleviate some of health care’s problems, such as the incredibly fragmented delivery of care and the painstakingly slow ...
Last week's "WannaCry" worldwide Ransomware attack was particularly targeted against international health organizations. Though the attack was thwarted not without a little good luck and less financial loss that might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS). It also is no surprise that these government agencies took a carrot and stick ...
The U.S. Department of Health and Human Services, Office of Civil Rights ("OCR"), the agency tasked with enforcing the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), recently announced that it will redouble its efforts to investigate smaller breaches of Protected Health Information ("PHI") that affect fewer than five-hundred (500) individuals.
It has been widely known that OCR opens an investigation for every breach affecting more than 500 individuals; this announcement describes OCR's new initiative to investigate smaller breaches as well. OCR ...
On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (“Breach Report”). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.
Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services to prepare an annual report regarding the number and nature of ...
By Patricia Wagner, Ali Lakhani and Jonathan Hoerner
On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency's Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 ("Breach Report"). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.
Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services ...
As the technologies used to deliver telehealth services become more complex, telehealth providers as well as other HIPAA “covered entities” have an increasingly demanding role to play in ensuring the security of protected health information (PHI). To fulfill this role, both telehealth providers and their business associates (such as the information technology companies and data storage providers that support telehealth platforms) must implement not only technical safeguards, but also physical security measures. From locks, to security guards, to alarm systems ...
Several colleagues and I recently wrote Health Reform: Key Compliance Actions for the New HIPAA Privacy Regulations, an alert published by the Implementing Health and Insurance Reform team of Epstein Becker Green.
In it, we summarized areas in which employers should consider taking action prior to September 2013 to facilitate compliance with the new requirements. Here are our top five action items for covered entities and business associates to focus on in their Omnibus Rule compliance efforts:
- Review Business Associate Relationships, and Update Business Associate ...
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule provides standards for the use and disclosure of "individually identifiable health information," dubbed protected health information, or PHI. PHI is information, including demographic information, that relates to an individual's physical or mental health, the provision of health care to the individual, or payment for the provision of health care to the individual. Such information constitutes PHI if it identifies the individual or if there is a reasonable basis to believe it can be ...
They say that everything is bigger in Texas, and the Lone Star State’s new privacy protection laws are no exception. Texas House Bill 300 ("HB 300") amends the Texas Medical Records Privacy Act ("Texas Act") and takes effect on September 1, 2012. HB 300 significantly expands patient privacy protections for Texas covered entities beyond those federal requirements as outlined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health ("HITECH") Act by:
•revising the definition of a ...
For those healthcare employers that have been resting on your laurels and viewing through rose-colored glasses your entity’s HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health) compliance efforts, the time has come to thoroughly clean your glasses and prepare for increased Office of Civil Rights (“OCR”) enforcement actions. Speaking at the recent National HIPAA Summit, the OCR’s Director, Leon Rodriguez, announced that the OCR intends to follow the Office of Inspector ...
Epstein Becker Green has been designated by the Health Information Trust Alliance (HITRUST) as a Common Security Framework (CSF) Assessor. This will allow the firm to provide health care organizations with privacy and security risk assessments to protect the entities from breaches of protected health information (PHI). The health care industry has accepted the HITRUST CSF as the most widely adopted security framework. Epstein Becker Green is the first law firm to become a CSF Assessor and the designation exemplifies the firm's distinct capability to identify and address risk for ...
Blog Editors
Recent Updates
- Supreme Court of Ohio Decides on a Peer-Review Privilege Issue in Stull v. Summa
- Unpacking Averages: Exploring Data on FDA’s Breakthrough Device Program Obtained Through FOIA
- Importance of Negotiating the Letter of Intent for Health Care Leases
- Importance of Negotiating Default Provisions in Health Care Leases
- Podcast: Health Policy Update: Impact of the 2024 U.S. Elections – Diagnosing Health Care