On February 16, 2024, the U.S. Department of Health and Human Services (“HHS”) published a final rule to amend the Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations (“Part 2”) to more closely align Part 2 with the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) as required by Section 3221 of the 2020 Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”).  We previously covered the proposed rule (hereinafter, “the NPRM”), which was issued on December 2, 2022.

The final rule, issued through the Office for Civil Rights (“OCR”) and the Substance Abuse and Mental Health Services Administration (“SAMHSA”), increases alignment between certain Part 2 requirements and HIPAA, and clarifies certain existing Part 2 permissions and restrictions to improve the ability of entities to use and disclose Part 2 records. According to HHS, this final rule will decrease burdens on patients and providers, improve coordination of care and access to care and treatment, and protect the confidentiality of treatment records.

Key provisions of the final rule include:

  • Patient Consent: The final rule allows a single Part 2-compliant consent to suffice for all future uses and disclosures for treatment, payment, and health care operations (as defined under HIPAA) (“TPO”). It also permits HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with HIPAA except in legal proceedings against the patient.

The final rule implements other requirements for a patient consent. Among other things, it prohibits combining a patient’s consent for the use and disclosure of Part 2 records for civil, criminal, administrative, or legislative proceedings with consent for any other use or disclosure. The final rule also requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.

  • SUD Counseling Notes: The final rule creates a new definition for SUD counseling notes and requires specific consent from an individual to use or disclose these notes. This definition and heightened protection are meant to mirror HIPAA protections for psychotherapy notes.
  • No Requirement to Segregate Part 2 Data: The final rule adds an express statement that Part 2 programs, covered entities, and business associates that receive patient records based on a single patient consent for TPO are not required to segregate or segment those records.
  • Public Health Disclosures: The final rule permits disclosure to public health authorities without patient consent, provided that the records are first de-identified in accordance with HIPAA.
  • Breach Notification: The final rule aligns the notification requirements for breaches of records by Part 2 programs with the HIPAA Breach Notification Rule.
  • Patient Rights: The final rule provides patients with additional rights similar to those under HIPAA. Specifically, a patient has the rights to (i) file a complaint directly with the Secretary for an alleged violation of Part 2, (ii) obtain an accounting of disclosures, (iii) request certain restrictions of disclosures, and (iv) opt out of receiving fundraising communications.
  • Patient Notice: The final rule modifies Part 2 patient notice requirements to more closely align with those for HIPAA Notice of Privacy Practices.
  • Enforcement: The final rule also replaces the criminal penalties for a violation of Part 2 with the civil and criminal enforcement authorities that apply to HIPAA violations, including civil monetary penalties.

The final rule does not include the CARES Act antidiscrimination provisions that prohibit the use of patients’ Part 2 records against them; HHS will implement these provisions in a separate rulemaking. An upcoming final rule from OCR will finalize certain changes to the HIPAA Privacy Rule to address uses and disclosures of protected health information that is also protected by Part 2. The rule will become effective on April 16, 2024. Compliance with the rule is required by February 16, 2026.

On February 12, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), published a notice requesting comment on an upcoming information request.  Specifically, OCR invites comments regarding its burden estimate for a “HIPAA Audit Review Survey.”  The Survey consists of “39 online survey questions” and will be sent to “207 covered entities and business associates that participated in the 2016-2017 OCR HIPAA Audits.”  The Survey aims to help OCR determine the 2016-2017 HIPAA Audits’ efficacy in assessing the HIPAA compliance efforts of covered entities.  Specifically, the Survey will:

  • Measure the effect of the 2016-2017 HIPAA Audits on covered entities’ and business associates’ subsequent actions to comply with HIPAA;
  • Give entities an opportunity to provide feedback on the Audit, including whether the Audit helped improve HIPAA compliance;
  • Provide OCR with information on the burden imposed on entities to collect audit-related documents and to respond to audit-related questions; and
  • Seek feedback on the effect of the HIPAA Audit program on entities’ day-to-day business operations.

The information collected in response to the Survey will “be used to improve future OCR HIPAA audits.”  Comments on the HIPAA Audit Review Survey must be received by April 12, 2024.  This information request may be an indication that OCR is planning to reinvigorate its program to conduct periodic audits of covered entities and business associates to assess their level of HIPAA compliance.

While the EU Directive on Unfair Terms in Consumer Contracts prohibits certain clauses in standard (i.e., unilaterally imposed) contracts between businesses and consumers, some recently enacted EU laws restrict the use of certain clauses in standard contracts between businesses (“B2B”).  The Data Act is the latest example of such a law, as it prohibits certain “unfair contractual terms” (“Unfair Clauses”) in standard contracts between businesses relating to the access and use of data.  As such, it has a potentially very wide scope.  Businesses entering into such a contract should therefore ensure that they do not include any clause that could be considered “unfair” because such a clause would not be binding on the other party to the contract. This blog post focuses specifically on the Data Act’s provision on Unfair Clauses.  For more information on the Data Act, see our previous blog post.

Continue Reading EU Data Act Regulates Business-to-Business Contracts Relating to Access and Use of Data

On February 13, 2024, the European Data Protection Board (“EDPB”) adopted an opinion on the notion of “main establishment” of a controller in the context of Article 4(16)(a) of GDPR.  The opinion aims to clarify (i) the relevant conditions for the determination of whether a controller has a “main establishment” in the EU, for controllers that have more than one establishment in the EU; and (ii) the application of the so-called “one-stop-shop” mechanism in these scenarios.  

We provide below an overview of the EDPB’s opinion.

Continue Reading EDPB Clarifies the Notion of “Main Establishment” under the GDPR

2023 was marked by the adoption of key EU legislation in the field of data privacy, such as the Digital Services Act (“DSA”) and Digital Markets Act (“DMA”). Both introduce limitations and obligations on online platforms that process personal data for digital advertising. Ahead of the DSA and DMA’s implementation deadlines in February and March 2024 respectively, we will discuss below the key requirements they introduce specifically in relation to online targeted advertising. This blog post complements our previous blog post on the EU’s targeted advertising rules.

Continue Reading Rules on Targeted Advertising: What do the Digital Markets Act and Digital Services Act Say?

On January 24, 2024, the European Commission (“Commission”) announced that, following the political agreement reached in December 2023 on the EU AI Act (“AI Act”) (see our previous blog here), the Commission intends to proceed with a package of measures (“AI Innovation Strategy”) to support AI startups and small and medium-size enterprises (“SMEs”) in the EU.

Alongside these measures, the Commission also announced the creation of the European AI Office (“AI Office”), which is due to begin formal operations on February 21, 2024.

This blog post provides a high-level summary of these two announcements, in addition to some takeaways to bear in mind as we draw closer to the adoption of the AI Act.

Continue Reading European Commission Announces New Package of AI Measures

On February 9, the Third Appellate District of California vacated a trial court’s decision that held that enforcement of the California Privacy Protection Agency’s (“CPPA”) regulations could not commence until one year after the finalized date of the regulations.  As we previously explained, the Superior Court’s order prevented the CPPA from enforcing the regulations it finalized on March 29, 2023 until March 29, 2024.  However, the Appellate court held that “because there is no ‘explicit and forceful language’ mandating that the [CPPA] is prohibited from enforcing the [California Consumer Privacy Act (“CCPA”)] until (at least) one year after the [CPPA] approves final regulations, the trial court erred in concluding otherwise.” 

The Appellate court acknowledged that the CPPA failed to meet its statutory deadline (i.e., July 1, 2022) for adopting final regulations and that the statute provided an enforcement date of one year after this deadline, but nonetheless concluded that the CCPA does not require a “one-year delay” between the CPPA’s approval of a final regulation and the CPPA’s authority to enforce that regulation.  The Appellate court noted that there “are other tools” to protect relevant interests, such as the CPPA’s regulation that, in deciding to pursue an investigation, it will consider “all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good-faith efforts to comply with those requirements.”

In a statement released by the CPPA shortly after the order, the Deputy Director of Enforcement for the CPPA said that “[t]his decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

On February 6, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), announced that it had settled a cybersecurity investigation with Montefiore Medical Center (“Montefiore”), a non-profit hospital system based in New York City, for $4.75 million.  As brief background, OCR is responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”).  Among other things, HIPAA requires that regulated entities take steps to protect the privacy and security of patients’ protected health information (“PHI”).

Continue Reading HHS Settles Malicious Insider Cybersecurity Investigation for $4.75 Million

The FTC recently announced proposed consent orders with Outlogic (formerly X-Mode Social) and InMarket Media concerning their collection and monetization of precise geolocation data.  Both companies collect location data using software development kits (“SDKs”) installed in first- and third-party apps, among other data sources.  According to the FTC’s complaints, Outlogic sold this data to third parties (including in a manner that revealed consumers’ visits to sensitive locations) without obtaining adequate consent, and InMarket used this data to facilitate targeted advertising without notifying consumers that their location data would be used for targeted advertising.  In both cases, the FTC alleged that these acts and practices constituted unfair and/or deceptive acts or practices under Section 5 of the FTC Act.

Continue Reading FTC Announces Proposed Consent Orders Related to Location Data