Health Privacy

Following a trend from the past few years, several states have introduced bills related to genetic privacy in recent months. These bills have focused on a range of issues, including the privacy practices of direct-to-consumer (“DTC”) genetic testing companies, the national security implications of “foreign adversaries” accessing genetic information, and other topics related to genetic privacy and testing.  We summarize a subset of such recently introduced bills below.Continue Reading Several States Introduce New Genetic Privacy Bills in Early 2026

On November 12, 2025, UNESCO’S General Conference adopted its Recommendation on the Ethics of Neurotechnology (“the Recommendation”)–the first attempt at establishing a global legal framework for the ethical development and use of neurotechnology. The Recommendation aims to set out a comprehensive rights-based framework for the entire life cycle of neurotechnology, from the design of neurotechnology products and services to their disposal.

While not legally-binding, the Recommendation states that its provisions should be considered by, among others, UNESCO Member States, research organizations, and private companies involved in neurotechnology, and that they establish how best to honor fundamental human rights in the development, deployment and disposal of this technology. It is therefore possible that in the future, they may be a starting point for binding legislation, or could be used as persuasive authority to support enforcement actions arising under existing legislation protecting fundamental human rights, e.g., the GDPR and other privacy laws around the world. In that regard, it is notable that the EU AI Act was inspired, at least in part, on UNESCO’s November 2021 Recommendation on the Ethics of Artificial Intelligence. There is, therefore, a real possibility that private sector companies developing neurotechnologies will be subject to rules specifically regulating such technologies in the future.Continue Reading UNESCO Adopts First Global Framework on Neurotechnology Ethics

On December 19, 2025, New York Governor Kathy Hochul vetoed the New York Health Information Privacy Act (“NYHIPA”).  While NYHIPA bore similarities to Washington’s My Health My Data Act (“MHMD”) and Nevada’s Health Privacy Law (“SB 370”), it had several provisions that would have raised novel compliance and legal questions.Continue Reading New York Governor Vetoes Restrictive Health Privacy Law

On December 16, 2025, the EU Commission unveiled its proposal for the Biotech Act.  The proposal, which is only the first part of a bigger initiative for regulating biotechnologies, focuses primarily on the health sector.  The Commission took the opportunity to broadly revise the Clinical Trial Regulation (“CTR”) – see our blog post here.  In particular, it sought to better align the CTR requirements with those of the General Data Protection Regulation (“GDPR”).  This blog post provides an overview of those revisions relating to the processing of personal data during clinical trials.Continue Reading EU Biotech Act Suggests Clarifying Data Protection Rules For Clinical Trials

On November 4, 2025, Senator Bill Cassidy (R-LA), chair of the Senate Health, Education, Labor, and Pensions (“HELP”) Committee, introduced the Health Information Privacy Reform Act (“HIPRA”). HIPRA seeks to extend protections similar to those provided under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) to certain health information collected by entities not currently regulated by HIPAA. HIPRA also proposes modifications and calls for guidance related to certain existing provisions of HIPAA as well as Part 2 (related to substance use disorder medical history).Continue Reading U.S. Senate Introduces the Health Information Privacy Reform Act

On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic

Continue Reading New German Guidelines on GDPR Requirements for International Transfers of Health Data in Medical Research

Recently, California Governor Gavin Newsom signed into law several privacy and related proposals, including new laws governing browser opt-out preference signals, social media account deletion, data brokers, reproductive and health services, age signals for app stores, social media “black box warning” labels for minors, and companion chatbots. This blog summarizes

Continue Reading California Enacts New Privacy Laws

In late September, plaintiffs announced details regarding Google LLC’s (“Google”) and women’s health app developer, Flo Health Inc.’s (“Flo”) proposed settlements to resolve a class action lawsuit stemming from the Flo app’s allegedly unlawful sharing of health data with Google and others through online tracking technologies.

As part of the proposed settlements, Google agreed to pay $48 million and Flo agreed to pay $8 million, for a combined $56 million to resolve plaintiffs’ claims against these two entities.Continue Reading Flo Health, Google Settle Class Action Privacy Lawsuit for $56 Million

On September 24, Senate Democratic Leader Chuck Schumer (D-N.Y.), Senator Maria Cantwell (D-Wash.), and Senator Ed Markey (D-Mass.) introduced the Management of Individuals’ Neural Data (“MIND”) Act of 2025, which would require the Federal Trade Commission (“FTC”) to conduct a study and provide a report examining the governance of “neural

Continue Reading Congress Introduces Neural Data Bill

On August 7, Massachusetts Governor Maura Healey signed into law a new Shield Law (S.2543) – the Shield Act 2.0 – that restricts providers’ ability to disclose information in certain health care-related investigations, among other provisions.  Like the Washington Shield Law that was enacted in 2023, the Shield Act 2.0 covers gender-affirming treatment in addition to reproductive health care.  The passage of the Shield Act 2.0 follows Massachusetts’s enactment, in 2022, of a Shield Law that provided protections for Massachusetts healthcare providers from sanctions for providing or assisting in the provision of legally protected reproductive healthcare services or gender-affirming healthcare services in the state.Continue Reading Massachusetts Enacts New Shield Law Expanding Protections for Certain Health Data