On November 13, 2023, New York Governor Kathy Hochul announced the release of proposed statewide hospital cybersecurity regulations that would require state-licensed hospitals to establish cybersecurity programs, policies and procedures (the “Proposed Regulations”). The Proposed Regulations feature requirements regarding cybersecurity policies and procedures, personnel, user authentication methods, security risk assessments, incident response plans, and two-hour
Health Insurance Portability and Accountability Act (HIPAA)
HHS and FTC Warning Letters Highlight Continued Scrutiny of Use of Online Tracking Technologies in Healthcare
On July 20, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) sent warning letters to approximately 130 hospital systems and telehealth providers. The letters were intended to warn those entities of the privacy and security risks of online tracking technologies integrated into their websites and mobile applications. The agencies noted that the entities may be impermissibly disclosing consumers’ sensitive personal health information to third parties such as Meta/Facebook pixel and Google Analytics through the use of such online tracking technologies in potential violation of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”), the FTC Act, and/or the FTC Health Breach Notification Rule (“HBNR”).Continue Reading HHS and FTC Warning Letters Highlight Continued Scrutiny of Use of Online Tracking Technologies in Healthcare
Latest Washington Privacy Law Sets New, Broad Course for State-Based Health Information Regulation
On April 27, 2023, Washington Governor Jay Inslee signed into law the “My Health My Data Act,” (the “Act”), beginning the 11-month countdown until this new, broad privacy law takes effect. The Act distinguishes itself from other recent state privacy law legislation in that it is specifically health care focused—aiming to protect health data that…
Health and Human Services Proposes Changes to Part 2 Regulations Concerning Substance Use Disorder Records to Further Align with HIPAA
For decades, health care providers that are subject to both HIPAA and to the specialized Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations (known as “Part 2”) have had to navigate differing, and at times divergent, privacy and confidentiality rules applicable to patient health information and patient records. These disparate privacy rules have, for many…
Privacy of Health Information Post-Dobbs and OCR Guidance on the Protections Afforded under HIPAA
On June 24, 2022, the Supreme Court issued its opinion in Dobbs v. Jackson Women’s Health Organization, overturning precedent that protected access to abortion services before the point of fetal viability. Instead, the Supreme Court stated that state legislatures have the authority to regulate abortion, leading several states to enact laws banning the procedure…