Tag: PHI

Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.

Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.

Over the next year, the following laws will become effective:

  1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
  2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  5. New Hampshire Privacy Act (effective Jan. 1, 2025)
  6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  7. Tennessee Information Protection Act (effective July 1, 2025)
  8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements:

(1) disclosing data handling practices to consumers,

(2) including certain contractual terms in data processing agreements,

(3) performing risk assessments (with the exception of Iowa); and

(4) affording resident consumers with certain rights, such as the right to access or know the personal data processed by a business, the right to correct any inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing sensitive information.

The laws contain more than a few noteworthy differences. Each of the laws differs in terms of the scope of their application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000 consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that that do not qualify as small business and process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes as sale of personal data to only transactions involving monetary consideration. All states require that the company conduct business in the state.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether; while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law.

With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GBLA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:

  • A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
  • A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
  • Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
  • A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.

While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches.  Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.

©2024 Epstein Becker & Green, P.C. All rights reserved.
For more on Data Privacy, visit the NLR Communications Media Internet section.

HHS Publishes Final Rule to Support Reproductive Health Care Privacy

The Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act)—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

The Final Rule:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
  • Requires covered entities and business associates to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires covered entities to modify their NPPs to support reproductive health care privacy.

“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home,” OCR Director Melanie Fontes Rainer said in a news release. OCR administers the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses (“covered entities”) and business associates to safeguard the privacy of PHI.

Commenters to an earlier notice of proposed rulemaking (“2023 NPRM”) raised concerns that PHI related to reproductive health care would be used and disclosed to expose both patients and providers to investigation and liability under state abortion laws, particularly new and revived laws. This Final Rule is intended to prohibit the disclosure of PHI related to lawful reproductive health care—a change from the current Privacy Rule where an entity is generally permitted, but not required, to disclose relevant and material information in a legitimate law enforcement inquiry.

Key Takeaways

New Category of Protected Health Information. The Final Rule changes the HIPAA Privacy Rule by defining a new category of protected health information and adds a new “prohibited use and disclosure” under the HIPAA Privacy Rule at 45 CFR 164.502—mandating that a covered entity or business associate may not use or disclose PHI:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care”;
  • To impose criminal, civil, or administrative liability on any “person” for the mere act of seeking, obtaining, providing or facilitating “reproductive health care”; and
  • To identify any “person” for any of those above described purposes.

Prohibition. Under the Final Rule, HIPAA-covered entities and business associates who receive requests for protected health information must make a reasonable determination that one or more of the following conditions exists:

  • The reproductive health care is lawful in the state in which such health care is provided under the circumstances in which it is provided (e.g., if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided).
  • The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g., reproductive health care such as contraception is protected by the Constitution).

Presumption. Such care is presumed lawful unless the HIPAA-covered entity or business associate has

  • actual knowledge that the reproductive care was not lawful under the circumstances it was provided; or
  • factual information supplied by the requester demonstrating a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

Attestation Requirement. The Final Rule adds 45 CFR § 164.509(c) to require a covered entity or business associate, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation from the requester. However, obtaining the attestation does not relieve a covered entity or business associate from its responsibility to determine whether the reproductive health care that may be the subject of the requested information was lawful. An attestation must contain the following elements:

  • A description of the information requested that identifies the information in a specific fashion, including one of the following:
    • The name(s) of any individual(s) whose protected health information is sought, if practicable;
    • If that name is not practicable, the name(s) or other specific identification of the person(s) or class of person(s) who are requested to make the use or disclosure;
  • The name or other specific identification of the person(s) or class of persons to whom the covered entity is to make the requested use or disclosure;
  • A clear statement that the use or disclosure is not for a purpose prohibited under 45 CFR § 164.502(a)(5)(iii)(i.e., identifying any person under the newly added prohibition);
  • A statement that a person may be subject to criminal penalties if they use or disclose the reproductive health information improperly;
  • Must be in plain language and contain the elements set forth in 45 CFR § 164.509(c) (inclusion of other elements not set forth in 45 CFR § 164.509(c) is prohibited); and
  • Must be signed by the person requesting the disclosure (which may take an electronic format).

The Final Rule prohibits the attestation from being “combined with” any other document (yet allows additional supporting information or documentation needed for the request to be submitted with the attestation (for example, a clearly labelled subpoena). While covered entities can develop their own attestation form, to reduce the compliance burden, HHS plans to publish a model attestation form prior to the compliance date.

Notices of Policy Practices. With the new processes for using and disclosing reproductive health information, covered entities must update their Notices of Privacy Practices (NPPs) required under 45 CFR § 164.520. For purposes of this Final Rule, updates to the NPPs must describe among other things the types and uses of disclosures of PHI that are prohibited under 45 CFR 164.502(a)(5)(iii). The notice should also contain a description of the uses and disclosures for which an attestation is required under the new 45 CFR § 164.509. Further, the Office of Management and Budget’s (OMB’s) Office of Information and Regulatory Affairs determined that this Final Rule meets the criteria in 5 USC § 804(2) for being a major rule because it is projected to have an annualized impact of more than $100,000,000 based on the number of covered entities and business associates that will have to implement these changes.

Practical Implications for HIPAA Covered Entities & Business Associates

Considering the significant changes this Final Rule introduces, there is no time like the present for covered entities and business associates to consider the compliance implications that a new category of PHI will have on existing HIPAA policies and procedures. In addition to developing and/or obtaining new attestation forms, making reasonable determinations of the lawfulness of reproductive health care and updating notices of privacy practices, privacy and security officers will likely need to evaluate the impact these changes will have on the policies that govern data dissemination, and the processes and procedures that may change as well. Covered entities and business associates will also likely want to include these changes into training for employees involved in these activities.

The Final Rule goes into effect on June 25, 2024, with a compliance date of December 23, 2024. The NPP requirements, however, take effect on February 16, 2026—consistent with OCR’s 42 CFR Part 2 Rule of February 16, 2024, so that covered entities regulated under both rules can implement changes to their NPPs at the same time.

HIPAA covered entities and business associates should consider the context and framework of the HIPAA Privacy Rule and these new modifications as they consider third-party requests for any PHI that may include reproductive health information (the current HIPAA Privacy Rule remains in effect until the new rule takes effect). If the new reproductive health prohibition is not applicable, HIPAA covered entities should still consider the fact that HIPAA otherwise permits, but does not require, them to disclose PHI under most of the HIPAA exceptions contained in 45 CFR § 164.512. Therefore, HIPAA affords covered entities the ability to protect the privacy interests of their patients, especially in the current post-Dobbs environment.

Covered entities and business associates now face the challenge of implementing these new requirements and training their workforce members on how to analyze and respond to requests that include reproductive health care information. Questions remain surrounding a covered entity or business associate’s burden of determining that the reproductive health care provided to an individual was in fact lawful. For example, if a complaint follows, does a covered entity have to account for the disclosures that are made? While the Final Rule is gender-neutral, what is the likelihood that it would be applied to men—could it? In any case, we will continue to monitor developments, including questions of how HIPAA and other privacy concerns interact with reproductive health care, in the wake of Dobbs. For more on the subject, please see our past blog on the 2023 proposed rule.

Ann W. Parks contributed to this article.

©2024 Epstein Becker & Green, P.C. All rights reserved.
For more on Reproductive Health Care, visit the NLR Health Law & Managed Care section.

The FTC Announces First Health Breach Notification Rule Enforcement Action

On February 1, the Federal Trade Commission (“FTC”) announced enforcement action for the first time under its Health Breach Notification Rule[1]. The complaint against telehealth and prescription drug discount provider GoodRx Holdings Inc. (“GoodRx”), alleges its failure to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google and other companies.

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect. The Health Breach Notification Rule requires vendors of personal health records and related entities, which are not covered by the Health Insurance Portability and Accountability Act (HIPAA), to notify consumers and the FTC of unauthorized disclosures. In a September 2021 policy statement, the FTC warned health apps and connected devices that they must comply with the rule.

According to the FTC’s complaint, for years GoodRx violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule.  Specifically, the FTC claims GoodRx shared personal health information with Facebook, Google, Criteo and others. According to the FTC, since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—such as including its users’ prescription medications and personal health conditions.

The FTC also alleges GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health and medication-specific advertisements on Facebook and Instagram.

The FTC further alleges that GoodRx:

  • Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising.
  • Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
  • Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.

In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:

  • Prohibit the sharing of health data for advertising: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.
  • Require user consent for any other sharing: GoodRx must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties.  It also prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
  • Require the company to seek deletion of data: GoodRx must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
  • Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule and detail the information it collects and why such data collection is necessary.
  • Implement a Mandated Privacy Program: GoodRx must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

© 2023 Dinsmore & Shohl LLP. All rights reserved.

For more Cybersecurity and Privacy Legal News, click here to visit the National Law Review

FOOTNOTES

[1] 16 CFR Part 318

OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

On August 23, 2022, the U.S. Department of Health & Human Services, Office for Civil Rights (“HHS”) announced that it had settled a case involving the disposal of physical protected health information (“PHI”).

OCR alleged that, on March 31, 2021, a specimen containing PHI was found by a third-party security guard in the parking lot of the New England Dermatology and Laser Center (“NEDLC”). The PHI included patient name, patient date of birth, date of sample collection, and the name of the provider who took the specimen, in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

As part of the settlement, NEDLC agreed to pay HHS $300,640. According to NEDLC’s Resolution Agreement and the Corrective Action Plan, there were two potential violations by NEDLC. First, NEDLC allegedly failed to maintain appropriate safeguards to protect the privacy of PHI,” as required by 45 C.F.R. § 164.530(c). Second, NEDLC allegedly permitted the impermissible disclosure of PHI, in violation of Rule 45 C.F.R. § 164.502(a). The Corrective Action Plan requires NEDLC to develop, maintain and appropriately revise written policies and procedures in accordance with HIPAA.

Several highlights of the settlement include:

  1. Changes to Policies and Procedures. NEDLC must develop, maintain and revise, as necessary, its written HIPAA policies and procedures, and provide such policies and procedures to HHS for review and approval. NEDLC also must assess, update and revise, as necessary, such policies and procedures at least annually, or as needed, and seek HHS’s approval of the revised policies and procedures.
  2. Designation of Privacy Official. NEDLC must designate a privacy official who is responsible for the development and implementation of NEDLC’s HIPAA policies and procedures, and a contact person or office who is responsible for receiving relevant complaints.
  3. Training Requirements. NEDLC must provide HHS with training materials for its workforce members and seek HHS’s approval of such training materials. NEDLC must also distribute the HIPAA policies and procedures to its workforce members and relevant business associates, and obtain a written compliance certification from all such individuals. NEDLC must provide HIPAA training for new workforce members, and all workforce members at least every 12 months. Each workforce member must certify, in electronic or written form, that they received training. NEDLC must review the training at least annually, and update the training where appropriate. NEDLC must promptly investigate, review, report to HHS, and sanction any workforce member that does not comply with its HIPAA policies and procedures.
  4. Implementation Report and Annual Report.  NEDLC is required to submit to HHS a written report summarizing the status of its implementation of the requirements provided set forth in the settlement, and annual compliance reports.

For more Health Care legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Bring Your Own Device To Work Programs: Regulatory and Legal Risks and How To Minimize Them

Poyner Spruill LLP Attorneys at Law, a North Carolina Law Firm

If you’ve ever left your mobile phone on an airplane, in a restaurant, or somewhere other than in your possession, you know it’s frightening enough to think of losing the device itself, which costs a premium, as well as your personal photos or information stored on the device. Now imagine if you lost your mobile phone, but it also had protected health information (PHI) associated with your health care work stored on it.  The lost device suddenly presents the potential for reputational damage and legal or regulatory obligations, in addition to the inconvenience and cost of replacement.

Mobile phones are lightweight, palm sized, and cordless, which makes them convenient and easily portable. These same features make mobile phones highly susceptible to theft or loss. As such, there are serious compliance risks to consider and mitigate when allowing personal mobile device use for work purposes, or a bring your own device (BYOD) program, especially in a healthcare setting. Despite the known risks, current research shows that in some industries, up to 90% of employees are using their personal devices for work purposes whether “allowed” or not.  For example, an assisted living nurse using a personal device for work purposes might send a text message to a patient’s primary care physician (PCP) to obtain guidance or to provide an update.  That communication includes PHI, raising compliance obligations, such as state laws or HIPAA security requirements. In the long term care setting, it’s also a clear violation of applicable privacy laws and the Centers for Medicare and Medicaid Services will, and has been, citing such infractions on surveys.  We suspect the Division of Health Service Regulation would do likewise under state law if this occurred in an adult care home.

There is no quick and easy remedy to completely eliminate all risks associated with the use of mobile phones, particularly employee-owned devices. However, there are steps that can be taken to minimize those risks while allowing the use of mobile technology to provide enhanced and continuous care to patients. One such step is implementing a mobile device management (MDM) solution. An MDM solution allows a secure connection for employees to access work networks and information resources remotely, using an application installed on their personal device. That solution keeps “work applications” such as the employer’s email program technically separated from “personal applications” like social media apps. In addition, an MDM solution allows the employer to force technical controls on the device, such as password requirements, encryption or the ability to remotely wipe all data from the device.

Recognizing that employers must relinquish ownership and technical control to make a BYOD program work, employers also must implement robust policies and procedural controls. For example:

  • Permissible Uses. Document the permissible uses of personal devices for work purposes, including whether employees are ever permitted to transfer PHI or other types of sensitive personal information on a personal device and the employment terms associated with such uses.

  • Device Security Controls. Document the policies that govern device controls (such as requiring employees to use passwords, up-to-date malware protection, device time-out, authentication or encryption on the device).

  • Training and Sanctions. Enforce training requirements and frequency as part of the terms of use and implement clear sanctions policies for unauthorized access or use.  Employers may also consider whether the same training and policies/procedures will apply to vendors or contractors.

  • HR Policies.  Review other important employment law considerations such as employee privacy rights, social media policies, and policies for removing applicable data from the devices of terminated or exiting employees.

There are many compliance considerations to keep in mind when deciding whether to implement a BYOD program. A comprehensive security framework, including technical controls, policies, procedures, and training, can reduce the high risks associated with the use of personal mobile devices for work purposes.

ARTICLE BY

Tara N. Cho
OF
Poyner Spruill LLP