This month, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking in the Federal Register, which is intended to strengthen cybersecurity requirements for HIPAA-covered entities and business associates (the Proposed Rule). The comment period will close on March 7, 2025, with enactment of the proposed rule expected to take place later this year.

If adopted, this would be the first significant update to the HIPAA Security Rule in over a decade, a time when both technology and cybersecurity have advanced rapidly, and cyberattacks in health care have become more frequent and damaging. According to the preamble, the proposed rule seeks to address common compliance gaps identified by HHS’s Office for Civil Rights (OCR) and to build on guidelines from other agencies like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).

Continue Reading: HIPAA Security Rule to Experience Major Updates in 2025

A new year means new effective dates for state privacy legislation. On January 1, 2025, four states witnessed consumer privacy protection laws take effect: Delaware, Iowa, Nebraska, and New Hampshire.

These four states join another 16 that have comprehensive data privacy laws in place. Although there are similarities in the approaches of these 20 states, each law carries unique provisions that companies must navigate in building a data governance program. This blog is intended to give a high-level overview of 2025’s newest consumer privacy laws.

Continue Reading: New Year Rings in New State Privacy Laws

Last week, Taft’s Privacy and Data Security team sponsored and presented at Northern Kentucky University’s (NKU) 17th Annual Cybersecurity Symposium. Our presentation centered on (i) new consumer health data laws being enacted at the state level across the country; (ii) the Federal Trade Commission (FTC) Act’s heightened focus on businesses’ use of health information; and (iii) the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Although these laws have overlapping data points and serve a similar objective of protecting health data, the obligations placed on entities regulated under each law differ. Therefore, it is crucial for organizations collecting health data to learn about these laws, determine how, if at all, they apply to their organization, and comply with the obligations outlined under each applicable law.

Below, we have prepared a summary of some obligations that these laws require of regulated companies. Please note that the summary below is not intended to be an exhaustive list of obligations imposed under each law.

Continue Reading: Health Data and its Many Obligations – An Overview of the Expanding Scope of Health Data Laws in the United States

Special thanks to Taft summer associates Tanner Wilburn and Lizzie Dobbins for their contributions to this post. 

On June 20, 2024, the U.S. District Court for the Northern District of Texas vacated a portion of guidance issued by the Department of Health and Human Services (HHS) regarding the use of online tracking technologies. This decision is beneficial to healthcare providers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) which use third-party tracking tools on their public-facing websites, but such entities should be cautious to not read the case too broadly.

Continue Reading: Federal Court Strikes Down HHS Rule on Website Tracking Technologies… To an Extent

Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post. 

Earlier this year, we provided a law bulletin on changes coming to the Health Insurance Portability and Accountability Act (HIPAA). To recap briefly, in April 2024, the Department of Health and Human Services (HHS) issued a final regulation that modified the HIPAA Privacy Rule to safeguard individuals’ protected health information (PHI) concerning reproductive health care.

The regulations go into effect on June 25, 2024, and those subject to the regulations must comply with the requirements by December 23, 2024. HHS also set a special compliance date of February 16, 2026, for the regulations’ changes involving HIPAA notices of privacy practices (NPPs).

With the law going into effect this week and the compliance deadline coming in six months, we’ve put together a breakdown of what must happen, and when.

Continue Reading: Six Months to Go: HIPAA Privacy Rule Changes Require Additional Diligence

In an effort to support reproductive health care privacy, the U.S. Department of Health and Human Services (HHS) recently modified the standards for privacy of individually identifiable health information (the “Privacy Rule”) relevant to an individual’s reproductive health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended. The new 2024 Privacy Rule has a compliance date of December 2024, except for required updates to health care providers’ Notice of Privacy Practices, which are required to be implemented by February 16, 2026.

Continue Reading: HHS Amends HIPAA Privacy Rule to Further Protect Reproductive Health Information

On Dec. 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information (PHI) of approximately 34,862 individuals. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. Additionally, this settlement comes just a handful of weeks after OCR announced a settlement with a Massachusetts medical management company in connection with a large breach report regarding a ransomware attack that affected the PHI of 206,695 individuals – becoming the first ransomware agreement OCR has reached as well.

Continue Reading: OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

Last month, Washington Governor Jay Inslee signed the My Health My Data Act (“MHMDA” or the “Act”) into law. While the Act is not a comprehensive privacy law, it extends many protections to Washington residents (“consumers”) regarding certain personal information. The MHMDA’s unique features are unlike any privacy law we have seen in the last few years – making this law arguably the most impactful U.S. privacy legislation since the CCPA. Here is what you need to know.

Continue Reading: What You Need to Know About Washington State’s New “My Health My Data” Act

The Office for Civil Rights (OCR) recently issued a bulletin (the “Bulletin”) addressing the use of online tracking technologies by HIPAA-covered entities and business associates (collectively “regulated entities”). The Bulletin highlights the regulated entities’ obligations under the HIPAA Privacy, Security, and Breach Notification Rules (collectively the “HIPAA Rules”) when using tracking technologies. This blog post provides the key information regulated entities should know about their obligations under HIPAA when they, or their business associates, use tracking technologies.

Continue Reading: Cookies and HIPAA Don’t Always Mix: OCR Issues Guidance on HIPAA and Tracking Technologies

The answer is simple; delete it (unless retention is required by law or contract)! Virtually every company processes personal data in some form or fashion. The term “processing” is defined broadly under most data protection laws to mean “any operation or set of operations which is performed on personal data.” The general rule is that when a business’ processing of personal data is complete, the data must be returned or deleted. Typically, data deletion arises:

  • when required contractually (i.e., in data processing agreements to comply with applicable data protection laws such as Europe’s General Data Protection Regulation’s (“GDPR”) Article 28(3)(g));
  • when requested by data subjects exercising their “right to be forgotten”/deletion/erasure under applicable data protection laws. This means that, in some cases, even if a company’s processing of personal data is incomplete, the processing can be cut short if a person requests that their data be deleted; and/or
  • as a requirement to do business with other companies. In some instances, data deletion or a process for deletion must exist to do business with other entities. For example, Facebook requires companies to have a policy/process for individuals to request their data be deleted (even if there is no applicable law imposing this requirement on the company) if a company wants individuals to create an account on the company’s website using their Facebook credentials.

Continue Reading: I’m Done With My Data, Now What?