Health Privacy

Last month, the Federal Trade Commission (“FTC”) announced its enforcement action against telehealth firm Cerebral, Inc. (“Cerebral”) for its alleged unauthorized disclosures of consumers’ sensitive personal health information and other sensitive data to third parties for advertising purposes in violation of the FTC Act.  The complaint also alleges that Cerebral violated the Opioid Addiction Recovery Fraud Prevention Act (“OARFPA”) and the Restore Online Shoppers’ Confidence Act (“ROSCA”), which permits the court to order permanent injunctive relief, civil penalties, and other monetary relief for actions in violation of specific sections of the FTC Act, the OARFPA, and the ROSCA.  According to the proposed order, Cerebral must pay more than $7 million in civil penalties and consumer refunds.  In addition, Cerebral will be banned from using or disclosing consumers’ personal and health information (including online identifiers, such as IP addresses or other persistent identifiers) for advertising and must obtain consumers’ affirmative express consent before disclosing such information to outside parties.

Below is a discussion of the complaint and proposed order.

Continue Reading: FTC Announces Health Privacy Enforcement Action Against Telehealth Company, Cerebral

On April 26, 2024, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a final rule that modifies the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) regarding protected health information (“PHI”) concerning reproductive health. We previously covered the proposed rule (hereinafter, “the NPRM”), which was published on April 17, 2023. The final rule aligns closely with the NPRM.

Continue Reading: HHS Modifies Privacy Rule to Support Reproductive Health Care Privacy

On Friday, April 26, 2024, the Federal Trade Commission (“FTC”) voted 3-2 to issue a final rule (the “final rule”) that expands the scope of the Health Breach Notification Rule (“HBNR”) to apply to health apps and similar technologies and broadens what constitutes a breach of security, among other updates.  We previously covered the proposed rule, which was issued on May 18, 2023.

In the FTC’s announcement of the final rule, the FTC emphasized that “protecting consumers’ sensitive health data is a high priority for the FTC” and that the “updated HBNR will ensure [the HBNR] keeps pace with changes in the health marketplace.”  Key provisions of the final rule include:

Continue Reading: FTC Issues Final Rule to Expand Scope of the Health Breach Notification Rule

On March 5, 2025, the final text of the European Health Data Space (EHDS) was published in the EU Official Journal.  In April 2024, we wrote several blog posts on EHDS based on a provisional compromise text.  We have now updated those to reflect the final version and included references to the correct provisions.

This article focuses on the governance and enforcement of the EHDS; for an overview of the EHDS generally, see our first post in this series.

Continue Reading: EHDS Series – 5: European Health Data Space Governance, Enforcement and Timelines

On March 5, 2025, the final text of the European Health Data Space (EHDS) was published in the EU Official Journal (see here).  In April 2024, we wrote several blog posts on EHDS based on a provisional compromise text.  We have now updated those to reflect the final version and included references to the correct provisions.

This article focuses on the implications for “wellness applications” and medical devices; for an overview of the EHDS generally, see our first post in this series.

Continue Reading: EHDS Series – 4: The European Health Data Space’s Implications for “Wellness Applications” and Medical Devices

On March 5, 2025, the final text of the European Health Data Space (EHDS) was published in the EU Official Journal (see here).  In early April 2024, we wrote several blog posts on EHDS based on a provisional compromise text.  We have now updated those to reflect the final version and included references to the correct provisions.

This article focuses on the obligations of data users; for an overview of the EHDS generally, see our first post in this series.

Continue Reading: EHDS Series – 3: The European Health Data Space from the Health Data User’s Perspective

On March 5, 2025, the final text of the European Health Data Space (EHDS) was published in the EU Official Journal (see here).  In early April 2024, we wrote several blog posts on EHDS based on a provisional compromise text.  We have now updated those to reflect the final version and included references to the correct provisions.

This article focuses on the obligations of data holders; for an overview of the EHDS generally, see our first post in this series.

Continue Reading: EHDS Series – 2: The European Health Data Space from the Health Data Holder’s Perspective

On March 5, 2025, the final text of the European Health Data Space (EHDS) was published in the EU Official Journal (see here).  In early April 2024, we wrote several blog posts on EHDS based on a provisional compromise text.  We have now updated those to reflect the final version and included references to the correct provisions.

Continue Reading: EHDS Series – 1: Five Key Take Aways on Secondary Use of Health Data

On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (“HHS OCR”) updated its “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” guidance addressing how regulated entities may use tracking technologies on their websites and mobile applications in a manner compliant with the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”).  The guidance, originally published in December 2022, states that HIPAA-regulated entities are not permitted to leverage tracking technologies in ways that would result in an impermissible disclosure of protected health information (“PHI”) or other violation of HIPAA.  The guidance also emphasizes the importance of safeguarding PHI and notes that regulated entities may not share PHI with tracking technology vendors (e.g., third-party advertisers) absent a business associate agreement (“BAA”) with the vendor or pursuant to a patient authorization.

Continue Reading: HHS OCR Updates Tracking Technologies Guidance

Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, published on February 21, 2024, a white paper with various proposals to update privacy protections for health data. In Part 1 of this blog series (see here), we discussed the first section of Senator Cassidy’s February 21, 2024, white paper. Specifically, we summarized Senator Cassidy’s proposals on how to update the existing framework of the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”) without disrupting decades of case law and precedent. In this blog post, we discuss the other sections of the white paper, namely proposals to protect other sources of health data not currently covered by HIPAA.

Continue Reading: Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 2: Safeguarding Health Data Not Covered by HIPAA