Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.

Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.

Over the next year, the following laws will become effective:

  1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
  2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  5. New Hampshire Privacy Act (effective Jan. 1, 2025)
  6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  7. Tennessee Information Protection Act (effective July 1, 2025)
  8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here. All nine laws listed above contain the following familiar requirements:

(1) disclosing data handling practices to consumers,

(2) including certain contractual terms in data processing agreements,

(3) performing risk assessments (with the exception of Iowa); and

(4) affording resident consumers certain rights, such as the right to access or know the personal data a business processes, the right to correct inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing of sensitive information.

The laws contain more than a few noteworthy differences. Each of the laws differs in the scope of its application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000-consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that do not qualify as a small business and that process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes a sale of personal data, limited to transactions involving monetary consideration. All states require that the company conduct business in the state.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether; while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law.

With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GLBA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:

  • A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
  • A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
  • Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
  • A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.

While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches. Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.

HHS Publishes Final Rule to Support Reproductive Health Care Privacy

The Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act)—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

The Final Rule:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
  • Requires covered entities and business associates to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires covered entities to modify their Notices of Privacy Practices (NPPs) to support reproductive health care privacy.

“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home,” OCR Director Melanie Fontes Rainer said in a news release. OCR administers the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses (“covered entities”) and business associates to safeguard the privacy of PHI.

Commenters to an earlier notice of proposed rulemaking (“2023 NPRM”) raised concerns that PHI related to reproductive health care would be used and disclosed to expose both patients and providers to investigation and liability under state abortion laws, particularly new and revived laws. This Final Rule is intended to prohibit the disclosure of PHI related to lawful reproductive health care—a change from the current Privacy Rule where an entity is generally permitted, but not required, to disclose relevant and material information in a legitimate law enforcement inquiry.

Key Takeaways

New Category of Protected Health Information. The Final Rule changes the HIPAA Privacy Rule by defining a new category of protected health information and adds a new “prohibited use and disclosure” under the HIPAA Privacy Rule at 45 CFR 164.502—mandating that a covered entity or business associate may not use or disclose PHI:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care”;
  • To impose criminal, civil, or administrative liability on any “person” for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care”; and
  • To identify any “person” for any of the purposes described above.

Prohibition. Under the Final Rule, HIPAA-covered entities and business associates who receive requests for protected health information must make a reasonable determination that one or more of the following conditions exists:

  • The reproductive health care is lawful in the state in which such health care is provided under the circumstances in which it is provided (e.g., if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided).
  • The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g., reproductive health care such as contraception is protected by the Constitution).

Presumption. Such care is presumed lawful unless the HIPAA-covered entity or business associate has

  • actual knowledge that the reproductive care was not lawful under the circumstances it was provided; or
  • factual information supplied by the requester demonstrating a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

Attestation Requirement. The Final Rule adds 45 CFR § 164.509(c) to require a covered entity or business associate, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation from the requester. However, obtaining the attestation does not relieve a covered entity or business associate from its responsibility to determine whether the reproductive health care that may be the subject of the requested information was lawful. An attestation must contain the following elements:

  • A description of the information requested that identifies the information in a specific fashion, including one of the following:
    • The name(s) of any individual(s) whose protected health information is sought, if practicable;
    • If that name is not practicable, the name(s) or other specific identification of the person(s) or class of person(s) who are requested to make the use or disclosure;
  • The name or other specific identification of the person(s) or class of persons to whom the covered entity is to make the requested use or disclosure;
  • A clear statement that the use or disclosure is not for a purpose prohibited under 45 CFR § 164.502(a)(5)(iii) (i.e., identifying any person under the newly added prohibition);
  • A statement that a person may be subject to criminal penalties if they use or disclose the reproductive health information improperly;
  • Must be in plain language and contain the elements set forth in 45 CFR § 164.509(c) (inclusion of other elements not set forth in 45 CFR § 164.509(c) is prohibited); and
  • Must be signed by the person requesting the disclosure (which may take an electronic format).

The Final Rule prohibits the attestation from being “combined with” any other document, though it allows additional supporting information or documentation needed for the request (for example, a clearly labelled subpoena) to be submitted with the attestation. While covered entities can develop their own attestation form, to reduce the compliance burden, HHS plans to publish a model attestation form prior to the compliance date.

Notices of Privacy Practices. With the new processes for using and disclosing reproductive health information, covered entities must update their Notices of Privacy Practices (NPPs) required under 45 CFR § 164.520. For purposes of this Final Rule, updates to the NPPs must describe, among other things, the types of uses and disclosures of PHI that are prohibited under 45 CFR 164.502(a)(5)(iii). The notice should also contain a description of the uses and disclosures for which an attestation is required under the new 45 CFR § 164.509. Further, the Office of Management and Budget’s (OMB’s) Office of Information and Regulatory Affairs determined that this Final Rule meets the criteria in 5 USC § 804(2) for being a major rule because it is projected to have an annualized impact of more than $100,000,000 based on the number of covered entities and business associates that will have to implement these changes.

Practical Implications for HIPAA Covered Entities & Business Associates

Considering the significant changes this Final Rule introduces, there is no time like the present for covered entities and business associates to consider the compliance implications that a new category of PHI will have on existing HIPAA policies and procedures. In addition to developing and/or obtaining new attestation forms, making reasonable determinations of the lawfulness of reproductive health care, and updating notices of privacy practices, privacy and security officers will likely need to evaluate the impact these changes will have on the policies that govern data dissemination, and on the processes and procedures that may change as well. Covered entities and business associates will also likely want to incorporate these changes into training for employees involved in these activities.

The Final Rule goes into effect on June 25, 2024, with a compliance date of December 23, 2024. The NPP requirements, however, take effect on February 16, 2026—consistent with OCR’s 42 CFR Part 2 Rule of February 16, 2024, so that covered entities regulated under both rules can implement changes to their NPPs at the same time.

HIPAA covered entities and business associates should consider the context and framework of the HIPAA Privacy Rule and these new modifications as they consider third-party requests for any PHI that may include reproductive health information (the current HIPAA Privacy Rule remains in effect until the new rule takes effect). If the new reproductive health prohibition is not applicable, HIPAA covered entities should still consider the fact that HIPAA otherwise permits, but does not require, them to disclose PHI under most of the HIPAA exceptions contained in 45 CFR § 164.512. Therefore, HIPAA affords covered entities the ability to protect the privacy interests of their patients, especially in the current post-Dobbs environment.

Covered entities and business associates now face the challenge of implementing these new requirements and training their workforce members on how to analyze and respond to requests that include reproductive health care information. Questions remain surrounding a covered entity or business associate’s burden of determining that the reproductive health care provided to an individual was in fact lawful. For example, if a complaint follows, does a covered entity have to account for the disclosures that are made? While the Final Rule is gender-neutral, what is the likelihood that it would be applied to men—could it? In any case, we will continue to monitor developments, including questions of how HIPAA and other privacy concerns interact with reproductive health care, in the wake of Dobbs. For more on the subject, please see our past blog on the 2023 proposed rule.

Ann W. Parks contributed to this article.

Federal Court Strikes Down HIPAA Fee Limitations for Third-Party Medical Records Requests

On Jan. 29, 2020, OCR released a notice regarding a recent federal court ruling in the case of Ciox Health, LLC v. Azar, et al.,[1] where a federal judge in the District Court for the District of Columbia vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to protected health information (“PHI”) of an individual … in an electronic format.” Additionally, the court held that the fee limitation set forth at 45 CFR § 164.524(c)(4) applies only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party.

The Ciox Health case centered on the restrictions the Department of Health and Human Services (“HHS”) and the Office for Civil Rights (“OCR”) put in place in the 2013 Omnibus Rule[2] and through informal guidance published in 2016 regarding fees that can be charged to patients for searching for, retrieving, and delivering their records and PHI as it pertains to third-party directives. Third-party directives are a mechanism promulgated by the HITECH Act that granted individuals the right to obtain a copy of their PHI maintained electronically, and “if the individual so chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual.”[3] Additionally, the HIPAA Privacy Rule permits a reasonable cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct a copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage (this fee is also referred to as the “Patient Rate”).[4]

The 2013 Omnibus Rule broadened the third-party directives to PHI maintained in any format, not just electronic records. Moreover, the 2013 Omnibus Rule amended the Patient Rate and required actual labor costs associated with the retrieval of electronic information to be excluded.[5]

In 2016, HHS issued a guidance document titled Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524 (the “2016 Guidance”).[6] The 2016 Guidance made two notable requirements that gave rise to the current litigation. Most significantly, HHS declared that the Patient Rate applies “when an individual directs a covered entity to send the PHI to a third party.”[7]

“This limitation,” HHS said, referring to the Patient Rate, “applies regardless of whether the individual has requested that the copy of PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn’t matter who the third party is).”[8]

Additionally, in the 2016 Guidance, HHS provided a methodology to calculate the Patient Rate in requests for an electronic copy of PHI maintained electronically. The methodology would require the entity to determine a fee by calculating the actual allowable costs to fulfill each request or by using a schedule of costs based on the average allowable labor costs to fulfill standard requests. HHS also provided an option for entities to charge a flat rate for requests for electronic copies of PHI not to exceed $6.50 as an alternative to going through the process of calculating these costs.

In this case, HHS was sued by Ciox Health, a medical record retrieval company, over the changes to the Patient Rate set forth in both the 2013 Omnibus Rule and the 2016 Guidance. Ciox Health argued that the $6.50 flat fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and that such a low fee has negatively impacted its business. Ciox Health claimed the 2013 Omnibus Rule and the 2016 Guidance “unlawfully, unreasonably, arbitrarily and capriciously” restrict the fees that can be charged by providers and their business associates for providing copies of patients’ stored health information.

The district court, in declaring the changes to the Patient Rate set forth in the 2013 Omnibus Rule unlawful, held that HHS cannot rely on its general rulemaking authority to supplement the limited-scope, third-party directive enacted by Congress in the HITECH Act. The court held that the 2013 Omnibus Rule’s expansion of the third-party directive is therefore arbitrary and capricious. Moreover, the district court held that the 2016 Guidance that worked a change into the Patient Rate was akin to a legislative rule that HHS had no authority to adopt without notice and comment. As a result, the court vacated the 2013 Omnibus Rule’s expansion of the HITECH Act’s third-party directive beyond requests for a copy of electronic records with respect to PHI of an individual in an electronic format. The court also declared unlawful and vacated the 2016 Guidance as it extended the Patient Rate to third-party directives without going through notice and comment.

Health care providers and medical records access companies are no longer required to limit the fees charged to their average costs, or charge a $6.50 flat fee, when a patient requests their medical records be transmitted to a third party. The fee limitations will still apply to individuals when they request their own records, however, as decided in the Ciox Health decision, on January 23, 2020.

OCR released a notice on Jan. 29, 2020 that the right of individuals to access their own records and any fee limitations that apply when exercising this right still apply. However, OCR appears to have at least accepted this ruling for now, as it pertains to third-party directives. OCR stated that it will continue to enforce the right of access provisions in 45 CFR § 164.524 that are not restricted by the court order. The court order can be viewed here.


[1] Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. Jan. 23, 2020).

[2] See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the [HITECH] Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,566 (Jan. 25, 2013).

[3] 42 U.S.C. § 17935(e).

[4] 45 CFR § 164.524(c)(4).

[5] 78 Fed. Reg. at 5,636.

[6] This guidance is available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.

[7] Id. at 16.

[8] Id.


© 2020 Dinsmore & Shohl LLP. All rights reserved.

For more on HIPAA medical-records regulation, see the National Law Review Health Law & Managed Care section.