On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health records that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  Third-party service providers also are required to notify covered vendors of any breach.
Continue Reading FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices

To add to the growing number of bills that would amend or revoke Section 230 of the Communications Decency Act, last month Senator Amy Klobuchar (D-MN) introduced the Health Misinformation Act of 2021 (S.2448).  Senator Ben Lujan (D-NM) cosponsored the bill.

The bill would amend Section 230 to revoke the Act’s liability shield

On July 15, 2021, the Belgian Supervisory Authority (“SA”) released a 40-page draft recommendation on the use of biometric data and launched a public consultation to solicit feedback about it.

Most notably, the SA points out that there is no valid legal basis other than explicit consent (with all the GDPR limitations attached to it) that would enable the processing of biometric data for authentication purposes (e.g., security), because Belgian lawmakers failed to adopt the required national legislation to supplement the GDPR (specifically, to underpin the public interest exception found in Art. 9(2)(g) GDPR for processing sensitive personal data).  The SA considers this outcome a departure from the rules that applied prior to the GDPR, and will therefore allow a one-year grace period to give controllers and lawmakers sufficient time to address the issue.

Continue Reading Belgian Supervisory Authority Launches Public Consultation on the Use of Biometric Data

On May 20, 2021, there was a major ransomware attack on the Irish health system.  The centralized HSE (Health Service Executive), which provides and manages healthcare for the Irish population, was targeted on May 14 and has seen significant disruption since.  It has described the attack as a ‘zero-day threat with a brand new variant of the Conti ransomware.’


Continue Reading Major Cyber-attack on Irish Health System Causes Commercial Concern

Two recent actions by lawmakers are intended to address certain uses of technology in health. First, two Senators have introduced a bipartisan bill related to the collection and use of identifiable health data from wearable health trackers.  Second, following an appeal from Democratic lawmakers, the Agency for Healthcare Research and Quality (“AHRQ”) plans to review the use of race-based algorithms in medical care.
Continue Reading SMARTWATCH Act and AHRQ’s Inquiry

In February 2021, the European Commission (“Commission”) released a report on European Union (“EU”) Member States’ laws governing the processing of health data.  The report discusses three general types of health data uses:

  • primary use for health care services;
  • secondary use for public health purposes; and
  • secondary use for scientific research purposes.

For each of these general purposes, the report assesses real-world use cases.  For example, for health care services, the report considers e-health applications, among others.  For public health purposes, the report considers pharmacovigilance and product approvals.  The section on scientific research purposes, meanwhile, considers issues such as research by public bodies, sharing of data with third-party researchers, and the use of genetic data.

Continue Reading European Commission Publishes Report on EU Member States’ Rules in Relation to Health Data

On February 2, 2021, the European Data Protection Board (“Board”) responded to questions submitted by the European Commission (“Commission”) on the application of the General Data Protection Regulation (“GDPR”) to health research.  The Board also announced that it is currently working on guidelines on the processing of personal data for scientific research purposes, which it aims to publish in the course of 2021.

Continue Reading European Data Protection Board Answers Commission’s Questions on Health Research

In a new post on the Covington Digital Health blog, our colleagues discuss a recent settlement between the Federal Trade Commission (“FTC”) and Flo Health, Inc. (“Flo”), the developer of a popular menstrual cycle and fertility-tracking application.  The settlement resolves allegations that Flo shared app users’ health information with outside third parties after promising