Insights

On April 26, 2024, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published a final rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “Final Rule”) to address new privacy issues that have resulted in the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”). The Final Rule aims to strengthen reproductive health care privacy under the Health Insurance Portability and Accountability Act and its implementing regulations (collectively, “HIPAA”) by prohibiting covered entities and business associates (collectively, “regulated entities”) from using or disclosing protected health information (“PHI”) to investigate or impose liability on any person for the “mere act” of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person for such purposes.

The Federal Trade Commission (FTC) recently entered into a settlement with Monument, Inc., an alcohol addiction treatment service, for allegedly disclosing users’ personal health data to third-party advertising platforms without consumer consent and violating their own website claims to consumers with respect to the disclosure of such data. The action follows other settlements by the FTC focused on tracking technologies collecting sensitive health information through web pages and web portals. “This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”

On February 16, 2024, the U.S. Department of Health and Human Services (“HHS”) published a final rule (“Final Rule”) in the Federal Register modifying regulations at 42 C.F.R. part 2 (“Part 2”) governing the confidentiality of substance use disorder (“SUD”) records. The changes, which largely finalize those proposed in a notice of proposed rulemaking (“NPRM”), are intended to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act and more closely align Part 2 with privacy rules under the Health Insurance Portability and Accountability Act (“HIPAA”). Ultimately, the much-anticipated Final Rule relaxes some of Part 2’s very stringent requirements, which have historically limited the ability to include SUD data in electronic health information exchange and care coordination efforts. However, there may be more enforcement of Part 2 now that there can be civil enforcement that aligns with HIPAA. Compliance with the Final Rule is required by February 16, 2026.