Personal health information is one of the most intimate and sensitive types of personal information for many reasons, including the potential for abuse and even danger, and the natural desire for privacy as it concerns the very essence of our being.

Our health, and by extension, healthcare, is increasingly digital. Whether through connected devices and applications such as smartwatches that monitor our health metrics, cloud storage of sensitive health records for easy access, or processing of massive amounts of health data by artificial intelligence, the potential for improvements in the average person’s health and longevity is increasing, but as with anything good, there are also significant risks lurking.

In light of the expansion of data into the realm of health, it is unsurprising that there is an ever-expanding set of health privacy and security laws emerging around the world requiring a host of compliance measures when a company handles personal information that falls under the broad category of “health information,” which is defined in different ways depending on the law in question.

In our work as privacy lawyers, we counsel clients on the complex compliance landscape that concerns health and related information, including the following laws and regulatory frameworks:

HIPAA Privacy and Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data, and the Health Information Technology for Economic and Clinical Health Act (HITECH) expanded the scope of HIPAA. The HIPAA Privacy Rule establishes national standards for the protection of protected health information (PHI). At the same time, the HIPAA Security Rule specifies safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (e-PHI). We assist clients who are Covered Entities, Business Associates, and those generally operating in the healthcare sector in developing and implementing comprehensive privacy policies, incident response plans, and training programs to ensure compliance with HIPAA’s stringent requirements.

Incident and Breach Reporting to HHS and Other Regulators

In the event of a data breach, healthcare entities must report the breach and certain incidents to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and other regulators within specific timeframes. We guide clients on breach notification procedures, ensuring timely and accurate reporting to HHS. We also help clients develop robust incident response plans to mitigate potential damages and comply with legal obligations.

Washington’s My Health My Data Act

Washington State’s My Health My Data Act (MHMDA) is a pioneering law designed to protect the privacy and security of health data. This law extends beyond traditional healthcare providers to cover any entity that processes health-related data. We assist clients in understanding and complying with this law, ensuring that all necessary privacy protections and security measures are in place.

FTC’s Health Breach Notification Rule

The Federal Trade Commission’s (FTC) Health Breach Notification Rule requires vendors of personal health records and related entities to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured health information. The FTC’s Statement of the Commission on breaches by health apps and other connected devices further clarifies the obligations of entities handling health data.

GDPR and International Compliance

Compliance with the General Data Protection Regulation (GDPR) and other international privacy and health information regulatory frameworks is critical for clients operating in the European Union, the United Kingdom, and beyond. The GDPR imposes strict requirements on the processing of personal data, including health-related information, and mandates robust privacy protections and breach notification procedures. We assist clients in developing GDPR-compliant privacy policies, data processing agreements, and incident response plans to ensure adherence to international standards.

State Privacy Laws

In addition to federal and international regulations and health-specific state laws such as Washington’s MHMDA, various state comprehensive privacy laws impose additional requirements on the handling of sensitive information, including health data. We make it a priority to stay abreast of the dynamic and evolving state regulations and provide tailored legal counsel to ensure compliance with laws such as the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and other state-specific privacy legislation.

Genetic Privacy Laws

There are genetics-specific privacy laws, including state laws and the federal Genetic Information Nondiscrimination Act (GINA). 23andMe’s bankruptcy and questions about the future of millions of customers’ sensitive genetic information illustrate the need to protect such data with more stringent privacy and security practices.

Our Health Information Privacy and Security Law Compliance Services

  • Compliant Privacy Policies: We assist clients in developing and implementing comprehensive privacy policies that comply with federal, state, and international regulations.
  • Incident Response: Our team provides guidance on developing and executing incident response plans to mitigate the impact of data breaches and ensure compliance with reporting requirements.
  • Employee Compliance Training: We provide privacy training programs to educate employees on best practices for privacy and security, legal obligations, and incident response procedures.
  • Data Processing, Data Transfers, and Business Associate Agreements: We draft, review, and negotiate data processing agreements (DPAs), data transfer agreements (DTAs), such as via SCCs and the Data Privacy Framework (DPF), and business associate agreements (BAAs) to ensure compliance with applicable laws and protect our clients’ interests.
  • Trackers, Cookies, and Pixels: Adtech, including the use of trackers, cookies, and pixels on websites that offer healthcare and related services, poses a particular risk vector. From HHS guidance concerning analytics and such tracking to litigation focused on pixels, we help clients stay compliant and avoid risk when implementing these tracking technologies.
  • Artificial Intelligence & Machine Learning Compliance: AI and machine learning are increasingly playing a role in almost every part of the healthcare spectrum. While the potential is great, regulators are increasingly focusing on regulating the use of AI, especially where it involves the processing of potentially sensitive data, as is often the case when AI is applied in healthcare. As AI lawyers operating at the intersection of emerging technologies and healthcare privacy, we are uniquely positioned to ensure compliance when implementing AI in healthcare.

At RICHT, we offer comprehensive legal counsel to clients navigating the complex landscape of health information privacy and security laws. We are focused on helping clients ensure compliance with various stringent regulations governing protected health information (PHI) and other sensitive health data.

Health Information Privacy Compliance News

  • AI Healthcare Privacy Risks: Tech giants like OpenAI and Anthropic are launching AI health tools that often bypass HIPAA regulations because these companies are not classified as “covered entities.” While they claim “HIPAA-readiness,” legal experts warn that user data lacks the statutory protections required of traditional healthcare providers. OUR TAKEAWAY: Organizations must scrutinize the “compliance-lite” promises of AI developers to ensure that sensitive patient information does not fall into a regulatory gray area where data can be sold or mishandled.
  • Adequate Email Protections for PHI: Healthcare organizations often underestimate the volume of legacy protected health information stored in email systems, which can turn minor security incidents into major notification events. Implementing straightforward measures like email archiving, internal encryption, and PHI-detecting filters is essential for HIPAA compliance. OUR TAKEAWAY: Organizations must proactively audit and archive legacy email data to minimize the scope of potential breaches and ensure robust regulatory alignment.
  • Parental Access to Minor Records: Healthcare providers face complex challenges navigating the intersection of HIPAA and varying state laws regarding parental access to adolescent health records. These conflicting mandates require careful balancing of parental rights against a minor’s legal right to confidential treatment for specific medical services. OUR TAKEAWAY: Organizations must implement granular data access controls and localized legal reviews to ensure compliance with shifting state-level privacy protections for minors.
  • New Jersey Expands HIPAA Exemptions: New Jersey recently amended its Data Protection Act to exempt non-protected health information when handled by HIPAA-covered entities under federal security standards. This update aligns the state with models that prioritize data-level protections over broad entity-level exclusions. OUR TAKEAWAY: Organizations must meticulously categorize their data streams to ensure non-clinical information qualifies for these expanded exemptions by maintaining rigorous HIPAA-grade safeguards across all processing activities.
  • A View From DC: Some Health Data Is ‘Extra-Super’ Sensitive: The U.S. Federal Trade Commission and Department of Health and Human Services are increasingly focusing on the heightened privacy risks associated with “extra-super sensitive” health data, such as reproductive health information and genetic data. Recent enforcement actions and policy guidance emphasize that standard health privacy protections may be insufficient for this category of information, especially as it is increasingly collected by apps and platforms outside the traditional scope of HIPAA. Regulators are signaling a shift toward more aggressive oversight, suggesting that the mishandling of such data could constitute an unfair or deceptive practice under the FTC Act, regardless of existing sector-specific privacy rules.
  • Healthcare Website Tracking: Lessons from Four Recent ECPA Rulings: Recent rulings on healthcare websites using tracking tools like Meta Pixel and Google Analytics reveal mixed judicial views on Electronic Communications Privacy Act (ECPA) liability. Courts focus on whether plaintiffs plausibly allege that protected health information (PHI) tied to individual users was improperly disclosed, with detailed claims triggering HIPAA-based exceptions. Some cases survive dismissal for precise allegations, while others are rejected for vagueness or insufficient connection to PHI. These decisions underscore the importance for healthcare providers to audit tracking tools, enhance user consent and disclosures, segment patient-sensitive content, and maintain thorough documentation to mitigate legal risks.
  • Medical Wearables Under the Microscope: U.S. Regulatory, Data Privacy, and Cybersecurity Perspectives: Wearable medical devices face a complex regulatory landscape in the U.S., with oversight divided between HIPAA for covered health entities, the FDA for medical device safety, and the FTC for consumer data privacy. The FDA has increased its focus on cybersecurity, requiring medical device manufacturers to implement secure development frameworks and meet new mandates on vulnerability management. Devices posing diagnostic or treatment claims fall under strict FDA scrutiny, while wellness trackers often escape HIPAA but remain subject to other privacy laws. Unique risks like device jailbreaking and legacy system vulnerabilities threaten patient safety and data integrity, emphasizing the need for coordinated efforts among regulators, developers, and users to ensure robust protection in this evolving ecosystem.
  • New Digital Health Ecosystem Enables Broader PHI Sharing Under HIPAA Flexibilities: Launched in July 2025, CMS’s Digital Health Technology Ecosystem promotes seamless sharing of patient data across providers, payers, and patients to improve care and support value-based arrangements. New HHS OCR guidance clarifies that disclosures of protected health information (PHI) for treatment purposes to value-based care organizations do not require individual authorization, even if recipients are not covered by HIPAA, so long as the purpose is treatment. This update facilitates broader, secure data exchange while maintaining HIPAA’s core privacy protections in a modernized health technology landscape.
  • Four States Secretly Shared Health Data with Big Tech: Health insurance exchanges in Nevada, Maine, Massachusetts, and Rhode Island leaked sensitive patient information to tech giants like Google and LinkedIn via hidden web trackers, a Markup and CalMatters investigation reveals. Some exchanges halted the practice after reporters inquired, but the findings raise major privacy concerns for Americans shopping for health coverage.
  • Virginia Consumer Protection Act Updated to Include Reproductive and Sexual Health Information: Last week, Virginia Governor Glenn Youngkin added his signature to S.B. 354, updating the Virginia Consumer Protection Act to prohibit the collection, disclosure, sale, or dissemination of consumers’ reproductive or sexual health information without consent. The amendment will take effect on July 1, 2025.
  • Why health care privacy is a mess — and why it isn’t likely to get better soon: The Health Insurance Portability and Accountability Act (HIPAA) has been the primary framework for healthcare privacy since the early 2000s, but its limited scope has led to a proliferation of unregulated health data. This unregulated data, generated by mobile apps, wearable technologies, and social media, poses significant privacy concerns. While some states have enacted their own privacy laws, the resulting patchwork of regulations creates complexity and uncertainty, hindering innovation and potentially harming patient outcomes.
  • My Health, My Dollar: Amazon’s Health Data Troubles in Washington: Amazon faces a lawsuit alleging unauthorized collection of health data through location-based apps, violating Washington’s My Health My Data Act (MHMDA). The MHMDA, enacted in 2023, restricts businesses from collecting, sharing, or selling health data without consumer consent. The case highlights the growing risks for companies handling health data and underscores the importance of compliance with evolving privacy laws.
  • Warby Parker to Pay $1.5 Million To Resolve HIPAA Violations: The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed its first financial penalty under the Trump administration for noncompliance with the HIPAA Rules. Warby Parker, Inc., a manufacturer and online retailer of prescription and non-prescription eyewear, must pay a $1.5 million civil monetary penalty to resolve alleged violations of the HIPAA Rules.
  • HHS Proposes Major Overhaul of HIPAA Security Rule: Just before the ball dropped, on 30 Dec. 2024, the U.S. Department of Health and Human Services issued a notice of proposed rulemaking to update the Security Rule under the Health Insurance Portability and Accountability Act. The proposal, which will be open for comment until early March, represents a major undertaking with significant consequences for the health care providers, insurance companies and data processors, or business associates, covered by HIPAA — and for every American.
  • Meta Plans Crackdown On Health-Related User Data: Starting next year, Meta plans to limit certain advertisers’ access to health-related data that could affect how everything from vitamins and supplements to acne treatments and Botox injections are marketed on the platform.
  • USA: OCR Fines Health Consultancy $1.19M for HIPAA Security Rule Violations: The U.S. Department of Health and Human Services’ Office for Civil Rights fined Gulf Coast Pain Consultants $1.19 million for HIPAA Security Rule violations after a former contractor accessed their electronic medical record system without permission, affecting about 34,310 individuals.
  • HHS Files, Then Drops, Its Data-Tracking Lawsuit Appeal: The American Hospital Association is applauding the Office for Civil Rights for opting not to appeal a district court decision that vacated its recent rule regulating online tracking technologies.
  • Healthcare Was Biggest Victim of U.S. Ransomware Attacks Last Year: Health care organizations last year reported the most ransomware attacks of the 16 industries identified as critical U.S. infrastructure, according to a new FBI report on internet crime.
  • FTC Gives Final Approval to Order Banning BetterHelp from Sharing Sensitive Health Data for Advertising, Requiring It to Pay $7.8 Million: The Federal Trade Commission finalized an order requiring online counseling service BetterHelp to pay $7.8 million and prohibiting it from sharing consumers’ health data for advertising, resolving allegations the firm shared consumers’ sensitive health data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.
  • New York AG Reaches $4.5M Settlement With Enzo Over Failures In Securing Health Data: On August 13, 2024, the New York Attorney General (AG) published Assurance of Discontinuance No. 24-056, in which it reached a $4.5 million settlement with the Enzo Biochem, Inc. and Enzo Clinical Labs Inc. (collectively, Enzo), for violations of Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule and Breach Notification Rule, following a security breach.
  • Is Your Privacy at Risk with Period Tracking Apps and Wearables? The appeal of this technology is clear. It offers a convenient way to track symptoms, spot patterns, and predict periods, ovulation windows, and even pregnancies, all while helping you gain a deeper understanding of your reproductive health – without the hassle of manually jotting things down. However, with this convenience comes a major concern: privacy. When you input personal information into these apps, do you really know who is handling your data? How secure is it? And in countries where abortion laws are becoming increasingly restrictive, could this data be used against you? These questions are more relevant now than ever, which is why we asked several experts about the real risks involved.