Last week, Taft’s Privacy and Data Security team sponsored and presented at Northern Kentucky University’s (NKU) 17th Annual Cybersecurity Symposium. Our presentation centered on (i) new consumer health data laws being enacted at the state level across the country; (ii) the Federal Trade Commission (FTC) Act’s heightened focus on businesses’ use of health information and (iii) the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Although these laws have overlapping data points and serve a similar objective of protecting health data, the obligations placed on entities regulated under each law differ. Therefore, it is crucial for organizations collecting health data to learn about these laws, determine how, if at all, they apply to your organization and comply with the obligations outlined under each applicable law.

Below, we have prepared a summary of some obligations that these laws require of regulated companies.  Please note that the summary below is not intended to be an exhaustive list of obligations imposed under each law.Continue Reading Health Data and its Many Obligations – An Overview of the Expanding Scope of Health Data Laws in the United States

In an effort to support reproductive health care privacy, the U.S. Department of Health and Human Services (HHS) recently modified the standards for privacy of individually identifiable health information (the “Privacy Rule”) relevant to an individual’s reproductive health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended. The new 2024 Privacy Rule has a compliance date of December 2024, except for required updates to health care providers’ Notice of Privacy Practices, which are required to be implemented by February 16, 2026. Continue Reading HHS Amends HIPAA Privacy Rule to Further Protect Reproductive Health Information

On Dec. 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information (PHI) of approximately 34,862 individuals. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. Additionally, this settlement comes just a handful of weeks after OCR announced a settlement with a Massachusetts medical management company in connection with a large breach report regarding a ransomware attack that affected the PHI of 206,695 individuals – becoming the first ransomware agreement OCR has reached as well.Continue Reading OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

The EU is gearing up for massive reform concerning the use and accessibility of health data, and Germany is taking note. Recently, Germany proposed several draft legislation focusing on the use of health data. The Health Data Use Act, (Gesundheitsdatennutzungsgesetz, (GDNG)); The Digital Act, and A Law to Promote the Quality of Inpatient Care through Transparency (Hospital Transparency Act) are just a few of the newest pieces of proposed legislation designed to improve the use and accessibility of health data for German citizens. This move by the German Federal Ministry of Health is part of an EU-wide reform effort under the European Commission’s (“Commission”) European Health Data Space (EHDS).

Germany’s new legislation is designed to align with EHDS principles and these laws not only impact healthcare providers and hospitals in Germany but also companies that collect the health data of German residents. Below are the main takeaways of these proposed laws and what U.S. companies can expect moving forward.Continue Reading Germany’s Gearing up for European Health Data Space (EHDS) Compliance