pexels-tima-miroshnichenko-9574323

On January 22, 2025, the New York State Assembly and Senate rapidly passed the wide-ranging New York Health Information Privacy Act. If not vetoed by Governor Kathy Hochul, NY HIPA would be the fourth enacted state consumer health data privacy law, following the Washington My Health My Data Act, Nevada SB 370 and the Connecticut Data Privacy Act. Importantly, NY HIPA could have a significant impact on companies across the country that collect or process health information of New York residents.

Click here to read the full Ropes & Gray client alert.

lady-justice-2388500_1280

The U.S. Department of Justice (DOJ) announced last Wednesday that settlements and judgments under the False Claims Act (FCA) exceeded $2.9 billion in fiscal year 2024—up approximately 5% from last year. DOJ’s announcement underscores its commitment to FCA enforcement, particularly in the healthcare industry and now with increased activity in the areas of pandemic relief programs, military procurement, and cybersecurity.

Click here to read the full Ropes & Gray client alert detailing the key takeaways from DOJ’s press release, along with our key insights as companies try to anticipate what lies ahead.

ai-generated-9106907_1280

In December 2024, New York Governor Kathy Hochul signed into law two bills (A8872A and S2376B; collectively, the “Bills”) that amend New York’s Data Breach Notification Law.1 The Bills introduce a maximum thirty-day timeframe for notifying affected New York residents of a reportable “breach of the security of the system”2 under state law (a “Data Breach”), require Data Breaches to be reported to the New York State Department of Financial Services (“NYSDFS”), and add medical information and health insurance information to categories of private information that may be subject to a Data Breach. According to their legislative history, the Bills were introduced in order to address “a broad sense of uncertainty by experts and lawmakers as to which federal regulations, if any, [are] charged with the responsibility to monitor and do regular supervision on cybersecurity.”3 While the Bills are likely to have a limited effect on HIPAA covered entities and business associates, they stand to significantly impact other persons and businesses in New York, including life sciences and consumer health care companies that are not subject to HIPAA.

Click here to read the full Ropes & Gray client alert.

pexels-cottonbro-7578799

In December 2024, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”) published two final rules that establish health data interoperability and information blocking regulations (the “New HTI Final Rules”).

The New HTI Final Rules will affect Trusted Exchange Framework and Common Agreement (“TEFCA”) qualified health information networks (“QHINs”) and health care organizations that exchange data through QHINs, as well as developers of certified health information technology, health information exchanges and networks, and health care providers (collectively, “Actors”) that are subject to the Information Blocking Rule.

Click here to read the full Ropes & Gray client alert which summarizes key provisions of the New HTI Final Rules.

digitization-5231610_1280

On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”). This follows the DOJ’s publication of its Notice of Proposed Rulemaking (“NPRM”) in October 2024, and its Advance Notice of Proposed Rulemaking (“ANPRM”) earlier in 2024. (Ropes & Gray published alerts on the NPRM and ANPRM)

The Final Rule continues to assert the DOJ as a critical regulator of data transfers involving countries of concern or covered persons. Organizations transacting with entities or individuals located in or otherwise having relationships with the People’s Republic of China (including Hong Kong and Macau) (the “PRC”), Russia, Iran, North Korea, Cuba, and Venezuela should carefully review the Final Rule for potential impacts on their business models. The Final Rule prohibits certain data brokerage transactions and transactions involving human ‘omic data. The Final Rule also creates a set of restricted transactions involving vendor agreements, employment agreements, or investment agreements in which U.S. persons may engage only if they comply with a set of cybersecurity requirements. In tandem with the publication of the Final Rule, on January 8, 2025 Cybersecurity and Infrastructure Security Agency (“CISA”) published its final security requirements for restricted transactions.

Click here to read the full Ropes & Gray client alert for more detailed information.

24_1742_12 Days of Data_Graphic_102912

As a recent DataPhiles post explored, the threat to telecommunications infrastructure and private call records posed by foreign threat actors only continues to grow. In fact, at least one U.S. government agency has urged employees to avoid using mobile communications for any work-related activity. This has led private entities to wonder how they might protect the sensitive mobile communications of officers and employees.

Continue Reading New Year, New Threats: Practical Tips for Secure Communications after Salt Typhoon
24_1742_12 Days of Data_Graphic_102911

After its election to power in July 2024, the newly formed Labour government wasted little time in announcing its legislative priorities for the coming year. Unsurprisingly, these priorities included several proposed Bills relating to data protection, cybersecurity and digital regulation. At the time of writing, only one of these Bills—the Data (Use and Access) Bill (“DUAB”)—has been introduced to Parliament, with the others expected to follow in early 2025.

Continue Reading Meet the In-Laws: the UK’s Digital Legislative Agenda for 2025
24_1742_12 Days of Data_Graphic_102910

Cybersecurity and national security collided in significant ways in 2024, with governments and private-sector entities grappling with the legal, technical, and policy challenges of a rapidly evolving cyber landscape. Offensive cyber operations, questions of foreign ownership of social media companies, and the balance of power between the Executive and Legislative branches are just a few of the pressing issues shaping the modern landscape. OAs governments and private entities grapple with these challenges, the legal frameworks governing cybersecurity are evolving rapidly, offering both opportunities and risks for practitioners.

Continue Reading Deck the Halls with Cyber Walls: Navigating National Security in the Digital Age
24_1742_12 Days of Data_Graphic_10299

2024 was a record year for cyberattacks in the healthcare sector. According to the Breach Portal maintained by the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”), to date this year, there have been more than 530 breaches of protected health information (“PHI”) affecting 500 or more individuals. 2024 also the saw the largest known breach of PHI at a HIPAA-regulated entity: Russia-linked cybercrime organization, BlackCat/ALPHV executed a ransomware attack on Change Healthcare, Inc., the payment processor owned by UnitedHealth, which affected the records of more than 100 million individuals.

Continue Reading A Flurry of Healthcare Sector Cybersecurity Regulatory Developments in 2024
24_1742_12 Days of Data_Graphic_10298

While there are many significant federal laws and regulations related to cybersecurity, states have led the way in regulating this area on a general, sector-agnostic basis, with the most notable and widely acknowledged state cybersecurity provisions being state data breach notification laws.  However, more recently, states have focused on passing comprehensive privacy, rather than security, laws, and 2025 promises to be a continuation of this trend, with eight additional comprehensive state privacy laws coming into effect next year.  

Continue Reading Making a List and Checking it Twice:  Navigating State Privacy and Security Regulations This Year