Insights

Client Alerts 31 results

Client Alert | 11 min read | 01.10.25

OCR Issues Notice of Proposed Rulemaking to Modernize the HIPAA Security Rule and Strengthen Protections for Health Information

On January 6, 2025, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published a notice of proposed rulemaking (the “NPRM”) entitled HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information. In light of evolving technologies and cybersecurity threats, the NPRM aims to modernize security regulations implementing the Health Insurance Portability and Accountability Act security standards (the “HIPAA Security Rule”) and strengthen protections for the confidentiality, integrity, and availability of electronic protected health information (“ePHI”). In particular, OCR is considering modifications to the HIPAA Security Rule to address:
...

Client Alert | 29 min read | 07.02.24

Crowell Health Solutions Update: Key Developments in AI and Digital Health Signal Growing Federal Activity (Q2 2024)

Digital health companies, investors, and other healthcare organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation. On a quarterly basis, we provide relevant legislative and regulatory updates on artificial intelligence (AI) and digital health policy developments.
...

Client Alert | 11 min read | 05.17.24

FTC Finalizes Modifications to Broaden the Applicability of the Health Breach Notification Rule

On April 26, 2024, the Federal Trade Commission (“FTC”) announced a final rule (“Final Rule”) modifying the Health Breach Notification Rule (“HBNR”). The Final Rule, which largely finalizes changes proposed in a Notice of Proposed Rulemaking published last year (“2023 NPRM”), broadens the scope of entities subject to the HBNR, including many mobile health applications (“apps”) and similar technologies, and clarifies that breaches subject to the HBNR include not only cybersecurity intrusions but also unauthorized disclosures, even those that are voluntary. The Final Rule will take effect 60 days after its publication in the Federal Register.
...

Client Alert | 9 min read | 05.03.24

OCR Finalizes HIPAA Modifications to Strengthen Reproductive Health Care Privacy

On April 26, 2024, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published a final rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “Final Rule”) to address new privacy issues that have resulted in the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”). The Final Rule aims to strengthen reproductive health care privacy under the Health Insurance Portability and Accountability Act and its implementing regulations (collectively, “HIPAA”) by prohibiting covered entities and business associates (collectively, “regulated entities”) from using or disclosing protected health information (“PHI”) to investigate or impose liability on any person for the “mere act” of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person for such purposes.
...

Client Alert | 8 min read | 03.13.24

HHS Finalizes Significant Modifications Aligning Part 2 Regulations with HIPAA

On February 16, 2024, the U.S. Department of Health and Human Services (“HHS”) published a final rule (“Final Rule”) in the Federal Register modifying regulations at 42 C.F.R. part 2 (“Part 2”) governing the confidentiality of substance use disorder (“SUD”) records. The changes, which largely finalize those proposed in a notice of proposed rulemaking (“NPRM”), are intended to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act and more closely align Part 2 with privacy rules under the Health Insurance Portability and Accountability Act (“HIPAA”). Ultimately, the much-anticipated Final Rule relaxes some of Part 2’s very stringent requirements, which have historically limited the ability to include SUD data in electronic health information exchange and care coordination efforts. However, there may be more enforcement of Part 2 now that there can be civil enforcement that aligns with HIPAA. Compliance with the Final Rule is required by February 16, 2026.
...

Client Alert | 10 min read | 02.13.24

FTC Proposes Modifications to Strengthen COPPA Regulations

On January 11, 2024, the Federal Trade Commission (“FTC”) published in the Federal Register a Notice of Proposed Rulemaking (“NPRM”) to modify the Children’s Online Privacy Protection Rule (“COPPA Rule”), a set of regulations implementing the Children’s Online Privacy Protection Act (“COPPA”) statute. Overall, the NPRM seeks to strengthen and clarify the COPPA Rule in response to technological advances and changes in the way children interact with online offerings. In particular, the NPRM follows a public comment period in which the FTC noted novel issues affecting the COPPA Rule, including the educational technology sector, voice-enabled connected devices, and platforms directed to general audiences that host third-party content directed to children. Comments on the NPRM are due on March 11, 2024.
...

Client Alert | 8 min read | 06.06.23

FTC Proposes Modifications to the Health Breach Notification Rule to Clarify Its Scope

On May 18, 2023, the Federal Trade Commission (“FTC”) announced a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Breach Notification Rule (“HBNR”).

Client Alert | 8 min read | 05.23.23

Washington Enacts My Health My Data Act to Strengthen Protections for Health Data

On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (“MHMDA”) to strengthen protections for health data. The MHMDA has the potential to significantly impact how organizations of many types collect, use, and share health data, not only that of Washington residents but also health data collected in the state. The majority of the law’s provisions will take effect on June 30, 2024 for small businesses and March 31, 2024 for other regulated entities.
...

Client Alert | 9 min read | 04.26.23

OCR Proposes HIPAA Amendments to Strengthen Reproductive Health Care Privacy

On April 17, 2023, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published a Notice of Proposed Rulemaking (“NPRM”) entitled HIPAA Privacy Rule To Support Reproductive Health Care Privacy. The NPRM, which OCR released in response to the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”), aims to amend regulations implementing the Health Insurance Portability and Accountability Act (collectively, “HIPAA”) to mitigate concerns about reproductive health care privacy that have arisen as a consequence of the Dobbs ruling.  
...

Client Alert | 4 min read | 03.08.23

FTC Enforcement Against Sharing Consumer Health Information Continues

On March 2, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action against California-based online counseling service BetterHelp, Inc. (“BetterHelp”) for allegedly sharing consumers’ health information, including sensitive information about mental health challenges, for advertising purposes in violation of Section 5 of the FTC Act.
...

Client Alert | 5 min read | 02.23.23

FTC Imposes $1.5 Million Civil Penalty in First-of-Its-Kind Health Breach Notification Rule Enforcement Action

On February 1, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against California-based telehealth and prescription drug discount provider GoodRx Holdings, Inc. (“GoodRx”) for allegedly violating section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). The proposed order (“Proposed Order”), which was brought by the U.S. Department of Justice on behalf of the FTC, marks the first time the FTC has enforced the HBNR and could signal the beginning of increased scrutiny and enforcement of the HBNR. In addition to imposing a civil penalty of $1.5 million, the Proposed Order prohibits GoodRx from sharing health information for advertising purposes and imposes several requirements on GoodRx, including requirements to (1) obtain user consent for any other sharing of information, (2) seek the deletion of information held by third parties, (3) limit how long it can retain personal and health information, and (4) implement a privacy program.
...

Client Alert | 9 min read | 02.22.23

Recent Court Rulings Provide Warnings on the Use of Browsewrap Agreements

Earlier this month, two courts, one in California and one in Massachusetts under two different scenarios, opined on the enforceability of browsewrap and hybridwrap agreements, providing important warnings for companies relying on such agreements to obtain legally required consent for activities such as telemarketing or to otherwise impose terms and conditions on website users. Many cases turn on the enforceability of such agreements, and companies should evaluate their use of browsewrap agreements (e.g., terms of use available through a hyperlink at the bottom of a webpage) and hybridwrap agreements to determine whether changes are appropriate to improve enforceability and mitigate legal risk.
...

Client Alert | 6 min read | 12.08.22

HHS OCR Issues a Bulletin on HIPAA Requirements for Tracking Health Information When Using Online Technologies

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) recently issued a bulletin to highlight the obligations that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes on regulated entities under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. The bulletin defines tracking technologies, provides examples of potential impermissible disclosures of electronic protected health information (ePHI) by HIPAA regulated entities to online tracking technology vendors, and outlines the steps regulated entities must take to protect ePHI when using tracking technologies in order to comply with HIPAA rules.
...

Client Alert | 11 min read | 12.02.22

HHS Proposes Significant Amendments to Part 2 Regulations Governing the Confidentiality of Substance Use Disorder Records

Earlier this week, the United States Department of Health and Human Services (“HHS”) released a Notice of Proposed Rulemaking (“NPRM”) that proposes to make sweeping changes to regulations at 42 C.F.R. part 2 (“Part 2”) governing the confidentiality of substance use disorder (“SUD”) records. These modifications, which implement provisions of section 3221 of the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act, are intended to align Part 2’s currently stringent rules more closely with health information privacy rules promulgated under the Health Insurance Portability and Accountability Act (“HIPAA”), improving the ability of entities subject to Part 2’s restrictions to use, disclose, and redisclose SUD-related information.[1]
...

Client Alert | 8 min read | 07.08.22

Biden Acts to Protect Reproductive Health Care Services: Executive Order and Privacy Guidance

The Biden Administration is taking action to support access to reproductive health care in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. This is occurring as some states seek to restrict or criminalize abortion services. So far, there has been action by the White House, through an Executive Order, and by the U.S. Department of Health and Human Services (HHS), through guidance on HIPAA and privacy. 
...

Client Alert | 4 min read | 04.12.21

Supreme Court Limits the TCPA’s Definition of Autodialer

Earlier this month, in Facebook, Inc. v. Duguid, the Supreme Court held that to be considered an “automatic telephone dialing system” (or “autodialer”) for purposes of the Telephone Consumer Protection Act (“TCPA”), a device must have the capacity to either (1) store a phone number using a random or sequential number generator, or (2) produce a phone number using a random or sequential number generator. In so ruling, the Supreme Court overturned the Ninth Circuit’s holding that an autodialer need only have the capacity to “store numbers to be called” and “to dial such numbers automatically,” resolving a contentious circuit split on the scope of the term autodialer.
...

Client Alert | 1 min read | 12.21.20

FCC Reverses Precedent, Rules that Government Contractors Are Subject to the TCPA

In a ruling issued last week, the Federal Communications Commission (FCC) overturned precedent from 2016, ruling that federal, state, and local government contractors are subject to the Telephone Consumer Protection Act (TCPA) and therefore cannot make TCPA-prohibited robocalls on behalf of the government.
...

Client Alert | 7 min read | 12.17.20

HHS Proposes to Modernize HIPAA to Facilitate Care Coordination and Case Management

Last week, the United States Department of Health and Human Services (HHS) released a proposed rule (Proposed Rule) that would amend privacy regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) to remove barriers to care coordination and case management. The Proposed Rule, whose changes are intended to support HHS’s Regulatory Sprint to Coordinated Care, is based in part on the more than 1,300 comments HHS received in response to a December 2018 Request for Information, which we covered here.
...

Client Alert | 13 min read | 07.23.20

SAMHSA's "Final" Substance Use Disorder Records Confidentiality Rules: a Short-Term Change Towards Further Alignment with HIPAA in 2021

On July 15th, the Substance Abuse and Mental Health Services Administration of the Department of Health & Human Services (SAMHSA) published final rules (“Final Rule”) revising its regulations on the Confidentiality of Substance Use Disorder Patient Records at 42 C.F.R. Part 2 (“Part 2”). This Final Rule will be effective August 14, 2020 and follows prior Part 2 rules that relaxed restrictions to enable greater access and availability of Part 2 covered records as more health data is being shared electronically.
...

Client Alert | 10 min read | 04.15.20

Mobile Applications For COVID Tracking & Tracing – Balancing the Need for Personal Information and Privacy Rights in the Time of Coronavirus

As the COVID-19 pandemic continues and there is mounting pressure to ease business and social restrictions, governments, non-profits, and private corporations are all increasingly focused on solutions that would not only track and trace the movements of individuals to determine exposure to the virus and compliance with stay-at-home orders, but also potentially signal the person’s COVID-19 status. This, of course, raises a slew of privacy issues.
...