Last week, Taft’s Privacy and Data Security team sponsored and presented at Northern Kentucky University’s (NKU) 17th Annual Cybersecurity Symposium. Our presentation centered on (i) new consumer health data laws being enacted at the state level across the country; (ii) the Federal Trade Commission (FTC) Act’s heightened focus on businesses’ use of health information and (iii) the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Although these laws have overlapping data points and serve a similar objective of protecting health data, the obligations placed on entities regulated under each law differ. Therefore, it is crucial for organizations collecting health data to learn about these laws, determine how, if at all, they apply to your organization and comply with the obligations outlined under each applicable law.

Below, we have prepared a summary of some obligations that these laws require of regulated companies.  Please note that the summary below is not intended to be an exhaustive list of obligations imposed under each law.Continue Reading Health Data and its Many Obligations – An Overview of the Expanding Scope of Health Data Laws in the United States

Special thanks to Taft summer associates Tanner Wilburn and Lizzie Dobbins for their contributions to this post. 

On June 20, 2024, the U.S. District Court for the Northern District of Texas vacated a portion of guidance issued by the Department of Health and Human Services (HHS) regarding the use of online tracking technologies. This decision is beneficial to healthcare providers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) which use third-party tracking tools on their public-facing websites, but such entities should be cautious to not read the case too broadly.Continue Reading Federal Court Strikes Down HHS Rule on Website Tracking Technologies… To an Extent

Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post. 

Earlier this year, we provided a law bulletin on changes coming to the Health Insurance Portability and Accountability Act (HIPAA). To recap briefly, in April 2024, the Department of Health and Human Services (HHS) issued a final regulation that modified the HIPAA Privacy Rule to safeguard individuals’ protected health information (PHI) concerning reproductive health care.

The regulations go into effect on June 25, 2024, and those subject to the regulations must comply with the requirements by December 23, 2024. HHS also set a special compliance date of February 16, 2026, for the regulations’ changes involving HIPAA notices of privacy practices (NPPs).

With the law going into effect this week and the compliance deadline coming in six months, we’ve put together a breakdown of what must happen, and when. Continue Reading Six Months to Go: HIPAA Privacy Rule Changes Require Additional Diligence

In an effort to support reproductive health care privacy, the U.S. Department of Health and Human Services (HHS) recently modified the standards for privacy of individually identifiable health information (the “Privacy Rule”) relevant to an individual’s reproductive health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended. The new 2024 Privacy Rule has a compliance date of December 2024, except for required updates to health care providers’ Notice of Privacy Practices, which are required to be implemented by February 16, 2026. Continue Reading HHS Amends HIPAA Privacy Rule to Further Protect Reproductive Health Information

On Dec. 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information (PHI) of approximately 34,862 individuals. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. Additionally, this settlement comes just a handful of weeks after OCR announced a settlement with a Massachusetts medical management company in connection with a large breach report regarding a ransomware attack that affected the PHI of 206,695 individuals – becoming the first ransomware agreement OCR has reached as well.Continue Reading OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

Last month, Washington Governor Jay Inslee signed the My Health My Data Act (“MHMDA” or the “Act”) into law. While the Act is not a comprehensive privacy law, it extends many protections to Washington residents (“consumers”) regarding certain personal information. The MHMDA’s unique features are unlike any privacy law we have seen in the last few years – making this law arguably the most impactful U.S. privacy legislation since the CCPA. Here is what you need to know. Continue Reading What You Need to Know About Washington State’s New “My Health My Data” Act

The Office for Civil Rights (OCR) recently issued a bulletin (the “Bulletin”) addressing the use of online tracking technologies by HIPAA-covered entities and business associates (collectively “regulated entities”). The Bulletin highlights the regulated entities’ obligations under the HIPAA Privacy, Security, and Breach Notification Rules (collectively the “HIPAA Rules”) when using tracking technologies. This blog post provides the key information regulated entities should know about their obligations under HIPAA when they, or their business associates, use tracking technologies.Continue Reading Cookies and HIPAA Don’t Always Mix: OCR Issues Guidance on HIPAA and Tracking Technologies

The answer is simple; delete it (unless retention is required by law or contract)! Virtually every company processes personal data in some form or fashion. The term “processing” is defined broadly under most data protection laws to mean “any operation or set of operations which is performed on personal data.” The general rule is that when a business’ processing of personal data is complete, the data must be returned or deleted. Typically, data deletion arises:

  • when required contractually (i.e., in data processing agreements to comply with applicable data protection laws such as Europe’s General Data Protection Regulation’s (“GDPR”) Article 28(3)(g));
  • when requested by data subjects exercising their “right to be forgotten”/deletion/erasure under applicable data protection laws.  This means that, in some cases, even if a company’s processing of personal data is incomplete, the processing can be cut short if a person requests that their data be deleted.; and/or
  • as a requirement to do business with other companies. In some instances, data deletion or a process for deletion must exist to do business with other entities. For example, Facebook requires companies to have a policy/process for individuals to request their data be deleted (even if there is no applicable law imposing this requirement on the company) if a company wants individuals to create an account on the company’s website using their Facebook credentials.

Continue Reading I’m Done With My Data, Now What?

Following the publication of the U.S. Supreme Court opinion in Dobbs v. Jackson Women’s Health Organization, on June 29, 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS) issued guidance regarding disclosures of protected health information (PHI) concerning reproductive health procedures such as abortion. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule governs the disclosure of PHI by most health care providers, as well as employer-sponsored health plans, (Covered Entities), generally restricting the use or disclosure of PHI without the individual’s authorization other than in specifically excepted circumstances. Specifically, HIPAA does permit Covered Entities to disclose PHI without a patient’s authorization (or in some instances, notice and an opportunity to object), including 1) Disclosures required by law; 2) Disclosures for law enforcement purposes; and 3) Disclosures to avert a serious threat to health or safety. In the guidance, HHS notes that under each of these exceptions, HIPAA permits but does not require disclosure of PHI by a Covered Entity. HHS further reasserts that any disclosure made pursuant to one of the above permitted disclosures must be limited to the minimum PHI necessary to respond to the permitted disclosure request.
Continue Reading A HIPAA Right to Privacy Remains: Federal Government Issues Guidance and Orders Following Supreme Court Decision in Dobbs

In the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, here is a reminder about the protections available for privacy and the confidentiality of health-related information under current law. This bulletin will discuss the Health Insurance Portability and Accountability Act (HIPAA).

First off, it is important to understand that HIPAA, composed of a Privacy Rule, Security Rule, and Data Breach Rule, regulates the use of patient information in the provision of health care in the United States. It only applies to “protected health information” (PHI) that is generated by a “covered entity” — health care provider, payer, or clearing house — in the provision of health care treatment, payment, or operations to a patient. Any other information, even if health-related, does not get the protections of HIPAA.
Continue Reading HIPAA: Its Confidentiality Protections (And Limits)