On May 16, 2024, Alabama enacted a genetic privacy bill (HB 21), which regulates consumer-facing genetic testing companies. HB 21 continues the recent trend of states enacting genetic privacy legislation aimed at regulating direct-to-consumer (“DTC”) genetic testing companies, such as in Nebraska and Virginia, with more than 10 states now having similar laws on the books. Continue Reading Alabama Enacts Genetic Privacy Bill
Elizabeth Brim
Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.
Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.
Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.
Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.
Congress Passes Bill Prohibiting Sharing or Selling Americans’ Sensitive Data to Entities Controlled by Foreign Adversaries
On April 24, 2024, President Biden signed into law H.R. 815, which includes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“the Act”), a bill that passed the House 414-0 as H.R. 7520 on March 20. The Act is one of several recent actions by the U.S. government to regulate transfers of U.S. personal data for national security reasons, with a particular focus on China. While the ultimate policy objectives are similar, the Act takes a different approach by comparison to the Biden Administration’s Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (“the EO”), which the U.S. Department of Justice (“DOJ”) is in the process of implementing. We summarize below some key features of the Act, which will go into effect on June 23, 2024.Continue Reading Congress Passes Bill Prohibiting Sharing or Selling Americans’ Sensitive Data to Entities Controlled by Foreign Adversaries
FTC Issues Final Rule to Expand Scope of the Health Breach Notification Rule
On Friday, April 26, 2024, the Federal Trade Commission (“FTC”) voted 3-2 to issue a final rule (the “final rule”) that expands the scope of the Health Breach Notification Rule (“HBNR”) to apply to health apps and similar technologies and broadens what constitutes a breach of security, among other updates. We previously covered the proposed rule, which was issued on May 18, 2023.
In the FTC’s announcement of the final rule, the FTC emphasized that “protecting consumers’ sensitive health data is a high priority for the FTC” and that the “updated HBNR will ensure [the HBNR] keeps pace with changes in the health marketplace.” Key provisions of the final rule include:Continue Reading FTC Issues Final Rule to Expand Scope of the Health Breach Notification Rule
HHS OCR Updates Tracking Technologies Guidance
On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (“HHS OCR”) updated its “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” guidance addressing how regulated entities may use tracking technologies on their websites and mobile applications in a manner compliant with the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”). The guidance, originally published in December 2022, states that HIPAA-regulated entities are not permitted to leverage tracking technologies in ways that would result in an impermissible disclosure of protected health information (“PHI”) or other violation of HIPAA. The guidance also emphasizes the importance of safeguarding PHI and notes that regulated entities may not share PHI with tracking technology vendors (e.g., third-party advertisers) absent a business associate agreement (“BAA”) with the vendor or pursuant to a patient authorization. Continue Reading HHS OCR Updates Tracking Technologies Guidance
Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 2: Safeguarding Health Data Not Covered by HIPAA
Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, published on February 21, 2024, a white paper with various proposals to update privacy protections for health data. In Part 1 of this blog series (see here), we discussed the first section of Senator Cassidy’s February 21, 2024, white paper. Specifically, we summarized Senator Cassidy’s proposals on how to update the existing framework of the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”) without disrupting decades of case law and precedent. In this blog post, we discuss the other sections of the white paper, namely proposals to protect other sources of health data not currently covered by HIPAA.Continue Reading Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 2: Safeguarding Health Data Not Covered by HIPAA
Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 1: Updates to the HIPAA Framework
On February 21, 2024, Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, issued a white paper, “Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era”, which proposes several updates to the privacy protections for health data. This follows Senator Cassidy’s September 2023 request for information from stakeholders about how to enhance health data privacy protections covered by the Health Insurance Portability and Accountability Act (“HIPAA”) framework and to consider privacy protections for other sources of health data not currently covered by HIPAA. The white paper notes that several entities, including trade associations, hospitals, health technology companies, and think tanks, responded to the RFI.Continue Reading Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 1: Updates to the HIPAA Framework
Nebraska Enacts Direct-to-Consumer Genetic Privacy Law as Several Other States Propose Similar Bills at the Start of 2024
On February 14, 2024, Nebraska enacted a genetic privacy law (LB 308) regulating direct-to-consumer (“DTC”) genetic testing companies. The law is one of a flurry of bills regarding DTC genetic testing that have been introduced in several states since the beginning of 2024, following the enactment of several DTC genetic testing laws in 2023, such as in Virginia.Continue Reading Nebraska Enacts Direct-to-Consumer Genetic Privacy Law as Several Other States Propose Similar Bills at the Start of 2024
HHS Publishes Final Rule to Align Part 2 and HIPAA
On February 16, 2024, the U.S. Department of Health and Human Services (“HHS”) published a final rule to amend the Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations (“Part 2”) to more closely align Part 2 with the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”)…
California Enacts Amendments to the CMIA
In a new post on the Covington Digital Health blog, our colleagues discuss recent amendments to California’s Confidentiality of Medical Information Act (“CMIA”) that (i) expand the scope of the law to cover reproductive or sexual reproductive or sexual health services that are delivered through digital health solutions and the associated health information generated from…
FTC Enters Consent Decree with Direct-to-Consumer Genetic Testing Company On Heels of Other Significant Health and Genetic Privacy Developments
On Friday, the FTC announced that was entering a consent decree with 1Health.io Inc., which also does business as Vitagene, Inc. This is the fourth health-related FTC enforcement action announced this year (see here and here).
In addition, it comes on the heels of Virginia, Montana, and, as recently as last week, Texas joining California, Utah, and Arizona in adopting legislation specifically regulating the privacy practices of direct-to-consumer genetic testing companies. The recently adopted Montana law has a broader scope and narrower exceptions that raise questions about whether it will impede research, whereas the Texas law adopted last week is more similar to the other state models. Continue Reading FTC Enters Consent Decree with Direct-to-Consumer Genetic Testing Company On Heels of Other Significant Health and Genetic Privacy Developments