Privacy Matters | FTC's first enforcement action under the Health Breach Notification Rule, & more

February 9, 2023

Privacy Matters

Privacy Hub's fortnightly synthesis of the major news items affecting and shaping health data privacy, with expert analysis and commentary


The last few weeks in a flash:

  • The Federal Trade Commission’s penalization of GoodRx for sharing users’ sensitive health information with advertisers marks the agency’s first enforcement action under the Health Breach Notification Rule
  • Congress probes telehealth startups for sharing health data with advertising platforms
  • Cybersecurity dominates the conversation as HHS settles a HIPAA investigation following a hacking incident


Leading Stories

FTC orders GoodRx to stop sharing users’ health data with advertisers, issues $1.5M fine
Healthcare Dive (February 1, 2023)
"The Federal Trade Commission is penalizing GoodRx for sharing users’ sensitive health information with advertisers, in the agency’s first enforcement action under the Health Breach Notification Rule. The FTC filed an order with the Department of Justice on Wednesday that would prohibit GoodRx from sharing user health data with third parties for advertising purposes, among other guardrails. GoodRx has also agreed to pay a $1.5 million fine, though the company admitted no wrongdoing. The order needs to be approved by a federal court in order to go into effect."

  • The Health Breach Notification Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information.

Senators probe telehealth companies for tracking and monetizing sensitive health data
STAT News (February 7, 2023)
"A bipartisan group of senators fiercely criticized several prominent telehealth startups for failing to protect sensitive health information, citing an investigation by STAT and The Markup which found dozens of telehealth companies sharing patient data with Facebook, Google and other major advertising platforms. 'This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally,' wrote Sens. Amy Klobuchar (D-Minn.), Susan Collins (R-Maine), Maria Cantwell (D-Wash.) and Cynthia Lummis (R-Wyo.) in letters sent this month to telehealth companies Monument, Workit Health, and Cerebral requesting information on their data sharing policies."

HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking
HHS (February 2, 2023)
"Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $1.25 million settlement with Banner Health, a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers. The settlement is regarding the Health Insurance Portability and Accountability Act (HIPAA) Security Rule which works to help protect health information and data from cybersecurity attacks."

Government Watcher

Illinois Biometric Information Privacy Act

  • Background: On October 3, 2008, Illinois enacted the Biometric Information Privacy Act to regulate the collection, use, and handling of biometric identifiers and biometric information by private entities. Notably, the Act does not apply to government entities. Also known as BIPA, the first-of-its-kind law has, since 2008, made Illinois the only state that grants a private right of action to sue over the improper collection and mishandling of biometric data.
  • Latest Developments:
    Illinois’ biometric privacy law strengthened by latest high court ruling
    Longview News Journal (February 4, 2023)

    "People who’ve been subject to fingerprinting, face or retinal scans as either employees or customers of Illinois companies have five years to file lawsuits if they believe the business violated a stringent state privacy law, the Illinois Supreme Court ruled Thursday. It’s the latest in a handful of cases that have reached Illinois’ high court in recent years, all refining the state’s Biometric Information Privacy Act."

California Consumer Privacy Act

  • Background: The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill, which established a foundation for consumer privacy regulations, was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code, and it was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020.
  • Latest Developments:
    Proposed CPRA regulations finalized; CPPA targets April effective date
    IAPP (February 6, 2023)

    "Covered entities under the California Consumer Privacy Act are on the cusp of long-awaited legal certainty regarding updated compliance efforts. The California Privacy Protection Agency Board voted 4-0 at its latest meeting to finalize its first set of proposed California Privacy Rights Act regulations. The final rulemaking package, which consists of the proposed regulations and a draft final statement of reasons from the CPPA, will soon be sent to the California Office of Administrative Law for review and approval. Barring setbacks during the OAL's 30-day review window or other unforeseen circumstances, the agency said in its FAQ it expects the final regulations to take effect sometime in April ahead of CPRA enforcement beginning July 1."


Food for Thought

Benefits of HIPAA for Patients
HIPAA Journal (January 27, 2023)
Editorial by Steve Alder
"This is the third article in the ‘Benefits of HIPAA’ series, this time around exploring how the Health Insurance Portability and Accountability Act (HIPAA) and its subsequent amendments have benefited patients. The first article in the series explored how HIPAA has benefited healthcare organizations and the second covered the key benefits of HIPAA for healthcare professionals."

    • Steve Alder is the Editor-in-Chief of HIPAA Journal.

Department of Health and Human Services Offers HIPAA Guidance on Online Tracking Technologies
Holland & Knight (March - April 2023 Issue)
Article in the Journal of Federal Agency Action
"Data privacy and healthcare attorneys Paul Bond, Shannon Hartsfield, Ilenna Stein, and Mark Melodia wrote an article that was featured in the Journal of Federal Agency Action, about privacy issues between patients and healthcare companies relating to cookies, pixels and other tracking technologies. The authors talk about the stance that the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) has taken after getting involved in this public debate."

A HIPAA Privacy Notice A Day Keeps The Doctor Away (And Out Of Trouble)
Darrow Everett (January 2023)
Article by Kevin P. Gildea
"The start of 2023 has brought with it significant changes to data privacy – new state laws concerning data privacy came into effect January 1 (the California Privacy Rights Act and the Virginia Consumer Data Protection Act), and other privacy laws are slated to become effective later this year (the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act). These new state laws add to the complex mesh of laws, regulations, and acts that govern data privacy in the United States. But despite this recent focus by legal commentators on new trends in state privacy laws, U.S. businesses should not forget that they are subject to core federal data privacy laws as well."

    • Kevin P. Gildea is a Partner and the Practice Leader for Darrow Everett’s Healthcare and Life Sciences, a Practice Leader in its Regulatory & Compliance Practice Group, a Practice Leader in the Data Privacy & Cybersecurity Group, and the co-head of the Corporate Department.


Best of the Rest

PATENT:
Patent Issued for Linking of tokenized trial data to other tokenized data (USPTO 11550956): Datavant Inc.
Insurance Newsnet (January 26, 2023)
"NewsRx journalists report that a patent by the inventors Gupta, Serena; LaBonte, Jason A.; Mucaj, Vera; O’brien, James; Roosz, Samuel A.; Suresh, Anjali filed on September 1, 2021, was published online on January 10, 2023. The patent’s assignee for patent number 11550956 is Datavant Inc. . . 'There is a need for a solution that can link data from a trial, where the subject is anonymized with a subject identifier (Subject ID), to other data that has been de-identified by tokenizing the personal identifying information (PII) for the individual associated with the data while maintaining the privacy of the subject. The present invention is directed toward further solutions to address this need, in addition to having other desirable characteristics.'"


Feedback or questions? We'd love to hear from you!
Reach us at privacymatters.privacyhub@datavant.com
