Last Friday, October 1, the Protecting DNA Privacy Act (HB 833), a new genetic privacy law, went into effect in the state of Florida establishing four new crimes related to the unlawful use of another person’s DNA.  While the criminal penalties in HB 833 are notable, Florida is not alone in its focus on increased genetic privacy protections.  A growing number of states, including Utah, Arizona, and California, have begun developing a net of genetic privacy protections to fill gaps in federal and other state legislation, often focused on the privacy practices of direct-to-consumer (“DTC”) genetic testing companies.  While some processing of genetic information is covered by federal law, the existing patchwork of federal genetic privacy protections do not clearly cover all forms of genetic testing, including DTC genetic tests.
Continue Reading Newly Effective Florida Law Imposing Criminal Sanctions Adds to Developing Nationwide Patchwork of State Genetic Privacy Laws

On September 1, the California legislature passed AB 713, a bill that creates a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (“CCPA”).  All provisions of the bill will take effect immediately to prevent the CCPA from “negatively impact[ing] certain health-related information and research,” except for the required contractual provisions described below.

Under the new exemption, information is not subject to the CCPA’s obligations if it meets both of the following requirements:
Continue Reading California Legislature Adopts CCPA Exemption for Information Deidentified in Accordance with the HIPAA Privacy Rule

By Anna Kraus

On Monday, the U.S. Department of Health and Human Services (HHS) released guidance on methods for de-identification of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.  The guidance, which was required under Section 13424(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, answers questions about the two methods that can be used to satisfy the HIPAA de-identification standard in  45 C.F.R. § 164.514.  It also incorporates input from stakeholders that HHS received at a workshop held in March 2010.

As summarized in the figure below, the two methods by which health information can be designated as de-identified under HIPAA are (1) the “expert determination” method and (2) the “safe harbor” method.

de-identification chart 1.pngSource: HHS Guidance Regarding Methods for De-identification of PHI in Accordance with the HIPAA Privacy Rule


Continue Reading HHS Releases Guidance on HIPAA De-Identification Standard