Personal health information is one of the most intimate and sensitive types of personal information for many reasons, including the potential for abuse and even danger and the natural desire for privacy as it concerns the very essence of our being.
Our health, and, by extension, healthcare, is increasingly digital. Whether through connected devices and applications such as smartwatches that monitor our health metrics, cloud storage of sensitive health records for easy access, or processing of massive amounts of health data by artificial intelligence, the potential for improvements in the average person’s health and longevity is increasing, but, as with anything good, there are also significant risks lurking.
In light of the expansion of data into the realm of health, it is unsurprising that there is an ever-expanding set of health privacy and security laws emerging around the world requiring a host of compliance measures when a company handles personal information that falls under the broad category of “health information,” which is defined in different ways depending on the law in question.
In our work as privacy lawyers, we counsel clients on the complex compliance landscape that concerns health and related information, including the following laws and regulatory frameworks:
HIPAA Privacy and Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data, and the Health Information Technology for Economic and Clinical Health Act (HITECH) expands HIPAA’s reach. The HIPAA Privacy Rule establishes national standards for the protection of protected health information (PHI), while the HIPAA Security Rule specifies safeguards to ensure the confidentiality, integrity, and security of electronic PHI (EPHI). We assist clients who are Covered Entities or Business Associates, as well as those operating more generally in the health sector, in developing and implementing comprehensive privacy policies, incident response plans, and training programs to ensure compliance with HIPAA’s stringent requirements.
Incident and Breach Reporting to HHS and Other Regulators
In the event of a data breach, healthcare entities must report the breach and certain incidents to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and other regulators within specific timeframes. We guide clients on breach notification procedures, ensuring timely and accurate reporting to HHS. We also help clients develop robust incident response plans to mitigate potential damages and comply with legal obligations.
Washington’s My Health My Data Act
Washington State’s My Health My Data Act (MHMDA) is a pioneering law aimed at protecting the privacy and security of health data. This law extends beyond traditional healthcare providers to cover any entity that processes health-related data. We assist clients in understanding and complying with this law, ensuring that all necessary privacy protections and security measures are in place.
FTC’s Health Breach Notification Rule
The Federal Trade Commission’s (FTC) Health Breach Notification Rule requires vendors of personal health records and related entities to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured health information. The FTC’s Statement of the Commission on breaches by health apps and other connected devices further clarifies the obligations of entities handling health data.
GDPR and International Compliance
Compliance with the General Data Protection Regulation (GDPR) and other international privacy and health information regulatory frameworks is critical for clients operating in the European Union, the United Kingdom, and beyond. The GDPR imposes strict requirements on the processing of personal data, including health-related information, and mandates robust privacy protections and breach notification procedures. We assist clients in developing GDPR-compliant privacy policies, data processing agreements, and incident response plans to ensure adherence to international standards.
State Privacy Laws
In addition to federal and international regulations and health-specific state laws such as Washington’s MHMDA, various state comprehensive privacy laws impose additional requirements on the handling of sensitive information, including health data. We make it a priority to stay abreast of the dynamic and evolving state regulations and provide tailored legal counsel to ensure compliance with laws such as the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and other state-specific privacy legislation.
Our Health Information Privacy and Security Law Compliance Services
- Compliant Privacy Policies: We help clients develop and implement comprehensive privacy policies that comply with federal, state, and international regulations.
- Incident Response: Our team provides guidance on developing and executing incident response plans to mitigate the impact of data breaches and ensure compliance with reporting requirements.
- Employee Compliance Training: We offer privacy training programs to educate employees on privacy and security best practices, legal obligations, and incident response procedures.
- Data Processing, Data Transfers, and Business Associate Agreements: We draft, review, and negotiate data processing agreements (DPAs), data transfer agreements (DTAs) such as those relying on SCCs and the Data Privacy Framework (DPF), and business associate agreements (BAAs) to ensure compliance with applicable laws and protect our clients’ interests.
- Trackers, Cookies, and Pixels: Adtech, including the use of trackers, cookies, and pixels on websites offering healthcare and related services, is a particular risk vector. From HHS guidance concerning analytics and such tracking to litigation focused on pixels, we help clients stay compliant and avoid risk when implementing these tracking technologies.
- Artificial Intelligence & Machine Learning Compliance: AI and machine learning are increasingly playing a role in almost every part of the healthcare spectrum. While the potential is great, regulators are placing an increasing focus on regulating the use of AI, especially where it involves potentially sensitive data processing, as is often deemed to be the case when AI is applied to health data. As AI lawyers operating at the intersection of emerging technologies and health privacy, we are uniquely suited to ensure compliance when deploying AI in healthcare.
At RICHT, we offer comprehensive legal counsel to clients navigating the complex landscape of health information privacy and security laws. We are focused on helping clients ensure compliance with a variety of stringent regulations governing protected health information (PHI) and other sensitive health data.
Health Information Privacy Compliance News
- USA: OCR Fines Health Consultancy $1.19M for HIPAA Security Rule Violations: The U.S. Department of Health and Human Services’ Office for Civil Rights fined Gulf Coast Pain Consultants $1.19 million for HIPAA Security Rule violations after a former contractor accessed their electronic medical record system without permission, affecting about 34,310 individuals.
- HHS Files, Then Drops, Its Data-Tracking Lawsuit Appeal: The American Hospital Association is applauding the Office for Civil Rights for opting not to appeal a district court decision that vacated its recent rule regulating online tracking technologies.
- Healthcare Was Biggest Victim of U.S. Ransomware Attacks Last Year: Health care organizations last year reported the most ransomware attacks of the 16 industries identified as critical U.S. infrastructure, according to a new FBI report on internet crime.
- FTC Gives Final Approval to Order Banning BetterHelp from Sharing Sensitive Health Data for Advertising, Requiring It to Pay $7.8 Million: The Federal Trade Commission finalized an order requiring online counseling service BetterHelp to pay $7.8 million and prohibiting it from sharing consumers’ health data for advertising, resolving allegations the firm shared consumers’ sensitive health data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.
- New York AG Reaches $4.5M Settlement With Enzo Over Failures In Securing Health Data: On August 13, 2024, the New York Attorney General (AG) published Assurance of Discontinuance No. 24-056, in which it reached a $4.5 million settlement with Enzo Biochem, Inc. and Enzo Clinical Labs Inc. (collectively, Enzo) for violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule and Breach Notification Rule, following a security breach.
- Is Your Privacy at Risk with Period Tracking Apps and Wearables? The appeal of this technology is clear. It offers a convenient way to track symptoms, spot patterns, and predict periods, ovulation windows, and even pregnancies, all while helping you gain a deeper understanding of your reproductive health – without the hassle of manually jotting things down. However, with this convenience comes a major concern: privacy. When you input personal information into these apps, do you really know who is handling your data? How secure is it? And in countries where abortion laws are becoming increasingly restrictive, could this data be used against you? These questions are more relevant now than ever, which is why we asked several experts about the real risks involved.