On December 20, 2023, the National Institute of Standards and Technology (“NIST”) National Cybersecurity Center of Excellence (“NCCoE”) published its Cybersecurity of Genomic Data report (the “Report”). The Report aims to assist organizations in protecting against misuse of genomic data and enabling secure collaborative innovations. Note, however, that the Report is not authoritative with respect to its assessment of the treatment of genomic data under the current U.S. regulatory framework, including with respect to the identifiability of such information.Continue Reading NIST Cybersecurity Center of Excellence – Cybersecurity of Genomic Data Report
Health Privacy
The 2023 AI Boom Calls for Further Regulation of the Use of AI Tools in the Health Care and Life Sciences Industries
The past year has seen unprecedented growth and development of artificial intelligence (“AI”) tools, which have been significantly propelled by the rapid deployment of generative AI (“GenAI”) tools. The health care and life sciences industries have increasingly sought the use of AI and GenAI tools to promote innovation, efficiency and precision in the delivery of treatment and care, as well as in the production of biologics and medical devices. For example, AI tools may more accurately predict and analyze diagnostic test results and develop personalized treatments than traditional tools; may improve clinical trial design, eligibility screening and data analysis; may be used as a diagnostic tool in a clinical trial designed to assess the safety or efficacy of a medical device; and may be used to accelerate the drug development timeline. While such uses raise inherent concerns regarding, among other things, the improper use and/or disclosure of personal information, the introduction and/or perpetuation of bias and discrimination, as well as data security, reliability, transparency and accuracy, there is currently no developed federal or cohesive state regulatory framework designed to minimize such risks. Continue Reading The 2023 AI Boom Calls for Further Regulation of the Use of AI Tools in the Health Care and Life Sciences Industries
New York State Proposes New Cybersecurity Program and Incident Reporting Requirements for Hospitals
On November 13, 2023, New York Governor Kathy Hochul announced the release of proposed statewide hospital cybersecurity regulations that would require state-licensed hospitals to establish cybersecurity programs, policies and procedures (the “Proposed Regulations”). The Proposed Regulations feature requirements regarding cybersecurity policies and procedures, personnel, user authentication methods, security risk assessments, incident response plans, and two-hour…
HHS and FTC Warning Letters Highlight Continued Scrutiny of Use of Online Tracking Technologies in Healthcare
On July 20, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) sent warning letters to approximately 130 hospital systems and telehealth providers. The letters were intended to warn those entities of the privacy and security risks of online tracking technologies integrated into their websites and mobile applications. The agencies noted that the entities may be impermissibly disclosing consumers’ sensitive personal health information to third parties such as Meta/Facebook pixel and Google Analytics through the use of such online tracking technologies in potential violation of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”), the FTC Act, and/or the FTC Health Breach Notification Rule (“HBNR”).Continue Reading HHS and FTC Warning Letters Highlight Continued Scrutiny of Use of Online Tracking Technologies in Healthcare
Latest Washington Privacy Law Sets New, Broad Course for State-Based Health Information Regulation
On April 27, 2023, Washington Governor Jay Inslee signed into law the “My Health My Data Act,” (the “Act”), beginning the 11-month countdown until this new, broad privacy law takes effect. The Act distinguishes itself from other recent state privacy law legislation in that it is specifically health care focused—aiming to protect health data that…
R&G Tech Studio Presents: IP Transactions and Technology Co-Leader Megan Baca
On this episode of the R&G Tech Studio, intellectual property transactions and technology co-leader Megan Baca, who’s also co-leader of the firm’s digital health initiative, sits down with data, privacy & cybersecurity partner Fran Faircloth to discuss the innovation of AI and its impacts on collaboration, research and development, particularly in the digital health…
Decoding Digital Health: Trans-Atlantic Transfers of Health Data
The Ropes & Gray Decoding Digital Health podcast series discusses the digital health industry and related legal, business and regulatory issues. In this episode, Digital Health Initiative co-lead and health care partner, Christine Moundas, interviews health care partner and member of the digital health group, David Peloquin. They discuss the legal challenges and potential solutions…
Health and Human Services Proposes Changes to Part 2 Regulations Concerning Substance Use Disorder Records to Further Align with HIPAA
For decades, health care providers that are subject to both HIPAA and to the specialized Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations (known as “Part 2”) have had to navigate differing, and at times divergent, privacy and confidentiality rules applicable to patient health information and patient records. These disparate privacy rules have, for many…
Four Months after Dobbs, Privacy Concerns Remain in the Spotlight
On June 24, 2022, the U.S. Supreme Court issued its ruling in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and holding that there is no constitutionally protected right to abortion. The significance of the decision cannot be overstated. Dobbs not only rolled back the Court’s prior protection of reproductive rights, it also raised still-unanswered questions about the privacy of digital data and could lead to the overturning of other previous Court opinions that are similarly grounded in privacy interests. In sparking such questions, Dobbs appears to have reinvigorated a national conversation regarding the protection of personal information and, more generally, the need for stronger data privacy safeguards in the United States.Continue Reading Four Months after Dobbs, Privacy Concerns Remain in the Spotlight
FDA Updates Guidance on Cybersecurity Responsibilities for Medical Device Manufacturers
On April 8, 2022, the U.S. Food and Drug Administration (“FDA”) released a draft guidance document titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The draft guidance, if finalized, would replace FDA’s 2014 final guidance document titled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” adding significant…