Photo of Olivia Vega

Olivia Vega

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and state privacy and data security laws and regulations, including on topics such as HIPAA, California’s Confidentiality of Medical Information Act, and the California Consumer Privacy Act. In addition, Olivia maintains an active pro bono practice.

Contact:Read more about Olivia VegaEmail

On January 22, the New York state legislature passed the New York Health Information Privacy Act (S929 / A2141) (“NYHIP”). If signed into law, NYHIP would join Washington and Nevada in a growing trend of states regulating consumer health information. Though NYHIP contains many similarities with laws in Washington and Nevada, there are a few unique provisions, as discussed below. Among them, NYHIP applies to “Regulated Health Information” or “RHI” that is defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Unlike the health privacy laws in Washington and Nevada, NYHIP does not provide an inclusive list of health data.

NYHIP would require regulated entities to obtain a “valid authorization” prior to processing RHI unless such processing is “strictly necessary” for certain enumerated purposes, including providing a product or service requested by the individual or certain limited internal business operations. NYHIP does not clarify what it means for a processing activity to be considered “strictly necessary.”

Where such an authorization is required, a valid authorization must, among other requirements: 

  • Be made at least twenty-four (24) hours after an individual creates an account or first uses the requested product or service; and
  • If multiple categories of processing are involved, provide an ability to “provide/withhold” authorization for each category separately.

Continue Reading New York Legislature Passes Health Privacy Act

On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (the “proposed rule”), which proposes a number of significant updates to the HIPAA Security Rule.  According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The preamble states that the proposed rule seeks to address common areas of non-compliance with the Security Rule identified by OCR in its recent investigations, as well as build on recommendations from the National Committee on Vital Health Statistics and guidelines and best practices recommended by other parts of the government, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).

Below, we provide a brief summary of the proposed changes. The proposed rule is open for comment until March 7, 2025.
Continue Reading HHS Issues Notice of Proposed Rulemaking to Update the HIPAA Security Rule

Last month, the Federal Trade Commission (“FTC”) announced its enforcement action against telehealth firm, Cerebral, Inc. (“Cerebral”), for its alleged unauthorized disclosures of consumers’ sensitive personal health information and other sensitive data to third parties for advertising purposes in violation of the FTC Act.  The complaint also alleges that Cerebral violated the Opioid Addiction Recovery Fraud Prevention Act (“OARFPA”), and the Restore Online Shoppers’ Confidence Act (“ROSCA”), which permits the court to order permanent injunctive relief, civil penalties, and other monetary relief for actions in violations of specific sections of the FTC Act, the OARFPA, and the ROSCA.  According to the proposed order, Cerebral must pay more than $7 million in civil penalties and consumer refunds.  In addition, Cerebral will be banned from using or disclosing consumers’ personal and health information (including online identifiers, such as IP addresses or other persistent identifiers) for advertising and must obtain consumers’ affirmative express consent before disclosing such information to outside parties.

Below is a discussion of the complaint and proposed order.Continue Reading FTC Announces Health Privacy Enforcement Action Against Telehealth Company, Cerebral

On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (“HHS OCR”) updated its “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” guidance addressing how regulated entities may use tracking technologies on their websites and mobile applications in a manner compliant with the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”).  The guidance, originally published in December 2022, states that HIPAA-regulated entities are not permitted to leverage tracking technologies in ways that would result in an impermissible disclosure of protected health information (“PHI”) or other violation of HIPAA.  The guidance also emphasizes the importance of safeguarding PHI and notes that regulated entities may not share PHI with tracking technology vendors (e.g., third-party advertisers) absent a business associate agreement (“BAA”) with the vendor or pursuant to a patient authorization. Continue Reading HHS OCR Updates Tracking Technologies Guidance

On September 15, the Federal Trade Commission (“FTC”) and U.S. Department of Health and Human Services (“HHS”) announced an updated joint publication describing the privacy and security laws and rules that impact consumer health data.  Specifically, the “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule” guidance provides an overview of the Health Insurance Portability and Accountability Act, as amended, and the implementing regulations issued by HHS (collectively “HIPAA”); the FTC Act; and the FTC’s Health Breach Notification Rule (“HBNR”) and how they may apply to businesses.  This joint guidance follows a recent surge of FTC enforcement in the health privacy space.  We offer below a high-level summary of the requirements flagged by the guidance.Continue Reading FTC and HHS Announce Updated Health Privacy Publication

The Connecticut legislature passed Connecticut SB 3 on June 2, 2023.  If enacted by the governor, the bill would amend the Connecticut Data Privacy Act (“CTDPA”) to include a number of provisions related to health and minors’ data. Additional detail on the CTDPA can be found in our previous blog post here.

The health-related provisions would take effect on July 1, 2023.  Most provisions related to minors’ data would take effect on October 1, 2024.  However, requirements that social media platforms “unpublish” or delete certain minors’ accounts would come into effect on July 1, 2024.

As reflected in this bill, state legislatures appear increasingly focused on health privacy.  Connecticut’s bill comes on the heels of Nevada’s SB 370, which the Nevada legislature passed, and which, if enacted would impose requirements on consumer health data.  Both the Nevada and Connecticut bill resemble Washington’s My Health My Data Act, although they appear generally narrower in scope.  For additional detail on Washington’s My Health My Data Act, please review our blog post hereContinue Reading Connecticut Legislature Passes Amendments to the Connecticut Data Privacy Act

On May 18, 2023, the Federal Trade Commission (“FTC”) announced a notice of proposed rulemaking (the “proposed rule”) to “strengthen and modernize” the Health Breach Notification Rule (“HBNR”).  The proposed rule builds on the FTC’s September 2021 “Statement of the Commission on Breaches by Health Apps and Other Connected Devices” (“Policy Statement”), which took a broad approach to when health apps and connected devices are covered by the HBNR and when there is a “breach” for purposes of the HBNR.  The proposed rule primarily would (i) amend many definitions that are central to the scope of the HBNR (e.g., “breach of security,” “health care provider,” and “personal health record”), and (ii) authorize expanded means for providing notice to consumers of a breach and require additional notice content.  According to the FTC, these changes to the HBNR would ensure the HBNR “remains relevant in the face of changing business practices and technological developments.”  Below, we provide a brief summary of the history of the HBNR leading up to this proposed rule, a brief summary of the proposed rule, and a timeline for commenting.Continue Reading FTC Announces a Notice of Proposed Rulemaking to Expand Scope of the Health Breach Notification Rule

On April 17, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a notice of proposed rulemaking that would revise the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to bar certain uses and disclosures of protected health information (“PHI”) related to reproductive health care.  Specifically, the proposed rule (“Rule”) would amend the Privacy Rule to prohibit covered entities or business associates (collectively, “regulated entities”) from using or disclosing PHI for purposes of (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings.

The Rule appears to be designed to further President Biden’s executive order directing HHS to consider actions that would “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.”  President Biden issued the order in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization

Below, we provide a brief summary of the proposed changes and a timeline for commenting.Continue Reading HHS Issues Notice of Proposed Rulemaking on HIPAA and the Use and Disclosure of Information Related to Reproductive Health Care

On April 11, the Indiana legislature passed comprehensive state privacy legislation in the form of S.B. 5. S.B. 5 shares similarities with the state privacy laws in Virginia, Connecticut, Colorado, Utah, and most recently Iowa.  If signed into law, S.B. 5 would take effect on January 1, 2026.  This blog post summarizes the statute’s key takeaways.Continue Reading Indiana Passes Comprehensive Privacy Statute