On March 13, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that it had opened an investigation into the monumental cyberattack on Change Healthcare (“Change”), a unit of UnitedHealth Group (“UHG”). The attack is one of the largest assaults against the U.S. health care system, with far-reaching

On November 13, 2023, New York Governor Kathy Hochul announced the release of proposed statewide hospital cybersecurity regulations that would require state-licensed hospitals to establish cybersecurity programs, policies and procedures (the “Proposed Regulations”). The Proposed Regulations feature requirements regarding cybersecurity policies and procedures, personnel, user authentication methods, security risk assessments, incident response plans, and two-hour

On July 20, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) sent warning letters to approximately 130 hospital systems and telehealth providers. The letters were intended to warn those entities of the privacy and security risks of online tracking technologies integrated into their websites and mobile applications. The agencies noted that the entities may be impermissibly disclosing consumers’ sensitive personal health information to third parties such as Meta/Facebook pixel and Google Analytics through the use of such online tracking technologies in potential violation of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”), the FTC Act, and/or the FTC Health Breach Notification Rule (“HBNR”).Continue Reading HHS and FTC Warning Letters Highlight Continued Scrutiny of Use of Online Tracking Technologies in Healthcare

For decades, health care providers that are subject to both HIPAA and to the specialized Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations (known as “Part 2”) have had to navigate differing, and at times divergent, privacy and confidentiality rules applicable to patient health information and patient records. These disparate privacy rules have, for many

On June 24, 2022, the Supreme Court issued its opinion in Dobbs v. Jackson Women’s Health Organization, overturning precedent that protected access to abortion services before the point of fetal viability. Instead, the Supreme Court stated that state legislatures have the authority to regulate abortion, leading several states to enact laws banning the procedure

Cyber SecurityAs we stand at the beginning of 2021 and a new presidential administration, we look back on the year behind us. Hindsight is always 2020, and 2020 may be best viewed in hindsight.  We saw rapid changes in the privacy space, prompted in part by the global COVID-19 response. Infrastructure and services across multiple sectors continue to rely on data and digital platforms to function. Five prominent developments shaped the data privacy environment in 2020.
Continue Reading Privacy Year in Review: 2020’s Hottest Topics

BillThis article appeared in Law360 on May 14, 2020.  A group of Republican senators have introduced a new privacy bill that would impose strict privacy obligations on contact tracing apps operated by entities not subject to the Health Insurance Portability and Accountability Act.

Most notably, the COVID-19 Consumer Data Protection Act would obligate such entities to obtain express affirmative consent from individual consumers before using their geolocation, proximity or personal health data.
Continue Reading Pandemic-Related Privacy Bill May Be Unconstitutional

remote workOn March 20, 2020, the Office for Civil Rights at the U.S. Department of Health and Human Services (“OCR”) released guidance in the form of FAQs1 clarifying its notification earlier in the week that it would not penalize health care providers for noncompliance with HIPAA rules in the good faith provision of telehealth during the nationwide COVID-19 public health emergency (the “Notification of Enforcement Discretion” or “Notification”).2
Continue Reading OCR Releases FAQs Clarifying Telehealth Enforcement Discretion During COVID-19