Since the beginning of 2025, there have been a flurry of bills introduced at the state and federal level related to genetic privacy, which follows a similar trend over the past several years. These bills have focused on a range of issues, including general genetic privacy, national security implications of “foreign adversaries” accessing genetic information, the privacy practices of direct-to-consumer (“DTC”) genetic testing companies, and the transfer of genetic data as part of bankruptcy proceedings, among others. We summarize a subset of such bills moving through state and federal legislatures below.Continue Reading Multiple States Enact Genetic Privacy Legislation in a Busy Start to 2025
Health Privacy
European Health Data Space Published
On March 5, 2025, the Regulation on the European Health Data Space (“EHDS”) was published in the Official Journal (see here). The text enters into force on March 25, 2025, however it only becomes applicable in a staggered manner over several years.
The section on secondary use of the…
Continue Reading European Health Data Space PublishedNew York Legislature Passes Health Privacy Act
On January 22, the New York state legislature passed the New York Health Information Privacy Act (S929 / A2141) (“NYHIP”). If signed into law, NYHIP would join Washington and Nevada in a growing trend of states regulating consumer health information. Though NYHIP contains many similarities with laws in Washington and Nevada, there are a few unique provisions, as discussed below. Among them, NYHIP applies to “Regulated Health Information” or “RHI” that is defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Unlike the health privacy laws in Washington and Nevada, NYHIP does not provide an inclusive list of health data.
NYHIP would require regulated entities to obtain a “valid authorization” prior to processing RHI unless such processing is “strictly necessary” for certain enumerated purposes, including providing a product or service requested by the individual or certain limited internal business operations. NYHIP does not clarify what it means for a processing activity to be considered “strictly necessary.”
Where such an authorization is required, a valid authorization must, among other requirements:
- Be made at least twenty-four (24) hours after an individual creates an account or first uses the requested product or service; and
- If multiple categories of processing are involved, provide an ability to “provide/withhold” authorization for each category separately.
Continue Reading New York Legislature Passes Health Privacy Act
HHS Issues Notice of Proposed Rulemaking to Update the HIPAA Security Rule
On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (the “proposed rule”), which proposes a number of significant updates to the HIPAA Security Rule. According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The preamble states that the proposed rule seeks to address common areas of non-compliance with the Security Rule identified by OCR in its recent investigations, as well as build on recommendations from the National Committee on Vital Health Statistics and guidelines and best practices recommended by other parts of the government, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).
Below, we provide a brief summary of the proposed changes. The proposed rule is open for comment until March 7, 2025.
Continue Reading HHS Issues Notice of Proposed Rulemaking to Update the HIPAA Security Rule
Health Privacy Developments to Watch in 2025
2024 was an incredibly busy year for health privacy. As the year draws to a close and we look ahead to 2025, we share several areas that we are watching in the coming year, which we expect to be similarly busy with federal- and state-level activity:Continue Reading Health Privacy Developments to Watch in 2025
HHS OCR Settles Ransomware Cybersecurity Investigation for $250,000
On September 26, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS OCR”) announced that it had settled its cybersecurity investigation with Cascade Eye and Skin Centers, P.C. (“Cascade”), a privately-owned health care provider in Washington. For background, HHS OCR is responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations, which include the HIPAA Privacy, Security, and Breach Notification Rules (collectively, “HIPAA”). Among other things, HIPAA requires that regulated entities take steps to protect the privacy and security of patients’ protected health information (“PHI”).Continue Reading HHS OCR Settles Ransomware Cybersecurity Investigation for $250,000
Germany enacts stricter requirements for the processing of Health Data using Cloud-Computing – with potential side effects for Medical Research with Pharmaceuticals and Medical Devices
On 1 July 2024, Germany has enacted stricter requirements for the processing of health data when using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system which covers around 90% of the German population. In this blog…
Continue Reading Germany enacts stricter requirements for the processing of Health Data using Cloud-Computing – with potential side effects for Medical Research with Pharmaceuticals and Medical DevicesCNIL Opens Public Consultation on Its Standards for Processing Health Data
On May 16, 2024, the CNIL launched a public consultation on all of its health data standards. Interested stakeholders are encouraged to participate by completing a questionnaire (available in French here) by July 12, 2024.
French law has specific requirements for the processing of health data. In particular, it…
Continue Reading CNIL Opens Public Consultation on Its Standards for Processing Health DataItalian Legislator and Regulator Update Rules on Processing of Health Data for Medical Research
On May 9, 2024, the Italian data protection authority (“Garante”) published a decision identifying the safeguards that controllers must put in place when processing health data for medical research purposes, in cases where data subjects’ consent cannot be obtained for ethical or organizational reasons.
The Garante’s decision follows a recent legislative development, enacted by Law n. 56 of April 29, 2024, and effective as of May 1, 2024, which amended, among other things, Article 110 of the Italian Privacy Code. The amendment removes the obligation to submit a research program and related data protection impact assessment (“DPIA”) for prior consultation to the Garante, in cases where it is impossible or disproportionately burdensome to contact the concerned individuals.
We provide below an overview of the legal framework and the safeguards identified by the Garante.Continue Reading Italian Legislator and Regulator Update Rules on Processing of Health Data for Medical Research
France Publishes Updated Certification Standard for the Hosting of Health Data
The French Public Health Code requires that certain service providers hosting health data hold a specific “HDS” certification. In order to obtain this certification, providers must comply with the requirements set out in the “HDS” certification standard. On May 16, 2024, France officially published an updated version of this “HDS”…
Continue Reading France Publishes Updated Certification Standard for the Hosting of Health Data