Photo of Elizabeth Brim

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

Contact:Read more about Elizabeth BrimEmail

Following a trend from the past few years, several states have introduced bills related to genetic privacy in recent months. These bills have focused on a range of issues, including the privacy practices of direct-to-consumer (“DTC”) genetic testing companies, the national security implications of “foreign adversaries” accessing genetic information, and other topics related to genetic privacy and testing.  We summarize a subset of such recently introduced bills below.

Continue Reading Several States Introduce New Genetic Privacy Bills in Early 2026

On December 19, 2025, New York Governor Kathy Hochul vetoed the New York Health Information Privacy Act (“NYHIPA”).  While NYHIPA bore similarities to Washington’s My Health My Data Act (“MHMD”) and Nevada’s Health Privacy Law (“SB 370”), it had several provisions that would have raised novel compliance and legal questions.

Continue Reading New York Governor Vetoes Restrictive Health Privacy Law

On November 4, 2025, Senator Bill Cassidy (R-LA), chair of the Senate Health, Education, Labor, and Pensions (“HELP”) Committee, introduced the Health Information Privacy Reform Act (“HIPRA”). HIPRA seeks to extend protections similar to those provided under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) to certain health information collected by entities not currently regulated by HIPAA. HIPRA also proposes modifications and calls for guidance related to certain existing provisions of HIPAA as well as Part 2 (related to substance use disorder medical history).

Continue Reading U.S. Senate Introduces the Health Information Privacy Reform Act

In late September, plaintiffs announced details regarding Google LLC’s (“Google”) and women’s health app developer, Flo Health Inc.’s (“Flo”) proposed settlements to resolve a class action lawsuit stemming from the Flo app’s allegedly unlawful sharing of health data with Google and others through online tracking technologies.

As part of the proposed settlements, Google agreed to pay $48 million and Flo agreed to pay $8 million, for a combined $56 million to resolve plaintiffs’ claims against these two entities.

Continue Reading Flo Health, Google Settle Class Action Privacy Lawsuit for $56 Million

On September 24, Senate Democratic Leader Chuck Schumer (D-N.Y.), Senator Maria Cantwell (D-Wash.), and Senator Ed Markey (D-Mass.) introduced the Management of Individuals’ Neural Data (“MIND”) Act of 2025, which would require the Federal Trade Commission (“FTC”) to conduct a study and provide a report examining the governance of “neural

Continue Reading Congress Introduces Neural Data Bill

On June 19, 2025, the U.S. District Court for the Northern District of Texas vacated the majority of the Biden Administration rule (the “2024 Rule”) modifying the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) regarding protected health information (“PHI”) concerning reproductive health.  As discussed in further detail in our previous blog post, the 2024 Rule “limit[ed] the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual’s PHI about reproductive health care for certain non-health care purposes.” 

Continue Reading District Court Enjoins Privacy Rule Modifications Regarding Reproductive Health Care

Since the beginning of 2025, there have been a flurry of bills introduced at the state and federal level related to genetic privacy, which follows a similar trend over the past several years.  These bills have focused on a range of issues, including general genetic privacy, national security implications of “foreign adversaries” accessing genetic information, the privacy practices of direct-to-consumer (“DTC”) genetic testing companies, and the transfer of genetic data as part of bankruptcy proceedings, among others.  We summarize a subset of such bills moving through state and federal legislatures below.

Continue Reading Multiple States Enact Genetic Privacy Legislation in a Busy Start to 2025

On March 5, 2025, Senators Bill Cassidy (R-LA) and Gary Peters (D-MI) introduced the federal Genomic Data Protection Act (“GDPA”).  The Senators introduced the same bill at the end of last year, but the bill stagnated, and Congress adjourned soon after.  Notably, as part of his February 2024 white paper, Senator Cassidy specifically called for the regulation of genetic data collected by direct-to-consumer genetic testing companies, pointing to several states that have enacted laws regulating these companies over the past several years.

Continue Reading U.S. Senate Introduces Genomic Data Protection Act

On January 22, the New York state legislature passed the New York Health Information Privacy Act (S929 / A2141) (“NYHIP”). If signed into law, NYHIP would join Washington and Nevada in a growing trend of states regulating consumer health information. Though NYHIP contains many similarities with laws in Washington and Nevada, there are a few unique provisions, as discussed below. Among them, NYHIP applies to “Regulated Health Information” or “RHI” that is defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Unlike the health privacy laws in Washington and Nevada, NYHIP does not provide an inclusive list of health data.

NYHIP would require regulated entities to obtain a “valid authorization” prior to processing RHI unless such processing is “strictly necessary” for certain enumerated purposes, including providing a product or service requested by the individual or certain limited internal business operations. NYHIP does not clarify what it means for a processing activity to be considered “strictly necessary.”

Where such an authorization is required, a valid authorization must, among other requirements: 

  • Be made at least twenty-four (24) hours after an individual creates an account or first uses the requested product or service; and
  • If multiple categories of processing are involved, provide an ability to “provide/withhold” authorization for each category separately.
Continue Reading New York Legislature Passes Health Privacy Act