The Federal Trade Commission’s Revised Health Breach Notification Rule to Take Effect

By Felicity Slater 

In one month’s time, on July 29, 2024, the Federal Trade Commission’s (“FTC”) revised Health Breach Notification Rule (“HBNR”) will take effect. The rule obliges regulated entities to disclose breaches of personally identifying health information to consumers, the FTC, and, in some cases, the press. The revisions establish that a broad range of entities operating in the consumer health and wellness space are covered by the rule, and that unauthorized disclosures of personally identifying health information, along with data breaches as traditionally conceived of, trigger the rule’s notification obligations. Violators risk substantial fines. 

Read More

Regulator Insights into the HIPAA Privacy Rule to Support Reproductive Health Privacy

Regulator Insights into the HIPAA Privacy Rule to Support Reproductive Health Privacy

By Cameron Cantrell and Sheila Sokolowski

On Thursday, June 20, 2024, the Department of Health and Human Services’ Office of Civil Rights and Office of Health Information Technology (collectively, “HHS”) jointly presented a webinar on the HIPAA Privacy Rule to Support Reproductive Health Privacy (the “Reproductive Health Privacy Rule” or “Rule”). HHS published the final Reproductive Health Privacy Rule on April 26, 2024, and provided the webinar as part of building out the agency’s guidance on the Rule’s novel requirements.

Read More

New CCPA Enforcement Action: Lessons for Tracking Technologies and Child Users

in , ,
New CCPA Enforcement Action: Lessons for Tracking Technologies and Child Users

By Cameron Cantrell and Sam Castic

This week the California Attorney General and Los Angeles City Attorney announced a proposed $500,000 settlement to a complaint against mobile app game developer and publisher Tilting Point Media LLC for  alleged violations of the California Consumer Privacy Act (“CCPA”), unfair competition law, and federal Children’s Online Privacy Protection Act (“COPPA”). This post summarizes the alleged practices that led to the enforcement action, how it fits with regulatory enforcement priorities including on data sales via tracking technologies and children’s privacy, and steps for companies to consider to reduce risk.

Read More

Hintze Law and Attorneys Recognized in Chambers USA Guide 2024 Rankings

in

We’re pleased to share that Hintze Law and attorneys at the firm have been recognized once again by Chambers & Partners for expertise in a number of Privacy and Data Security areas in the 2024 Chambers USA Guide. These recognitions include Hintze Law’s fourth year being ranked as an Elite Law Firm for Privacy and Data Security – USA Nationwide. One of Hintze Law’s clients that Chambers interviewed shared that "Hintze's team has unique experience that allows them to dig into complex issues and provide practical, actionable advice."

Read More

New York Legislature Considers Dramatically Restrictive Health Data Privacy Bill

New York Legislature Considers Dramatically Restrictive Health Data Privacy Bill

By Mike Hintze and Felicity Slater

With just six days left in the state’s 2024 legislative session, the New York Legislature is considering a health data privacy bill that would dramatically impact companies that handle data related to health or wellness. Companies and other organizations should watch this bill carefully and understand its highly disruptive and costly implications should it pass the legislature and be signed by the governor.

Read More

Washington My Health My Data Act - Part 10: The Purchase of Medication

By Mike Hintze

Last week, the Washington State Office of the Attorney General (OAG) updated its guidance on the Washington My Health My Data Act (MHMDA). Specifically, the OAG added an eighth question and answer addressing whether information about a consumer purchasing non-prescription medication would be considered “consumer health data” subject to the law. 

This post explains the shortcomings of this new guidance. And in doing so, it takes a long overdue deep dive into how MHMDA treats personal information related to prescription and over-the-counter medications. It concludes that while this guidance may provide some comfort to entities regulated under MHMDA that process information about the purchase of non-prescription medications like aspirin or vitamins, it is only part of a bigger picture that should be considered along with the statutory text and other factors in determining an appropriately risk-based approach to complaince with this challenging law.

Read More

EDPB Adopts Opinion on the Validity of the “Consent or Pay” Model for Behavioral Advertisement

By Destiny Ginn

On April 17, 2024, The European Data Protection Board (‘EDPB’) issued an opinion on whether “consent or pay” models used by large online platform services are valid consent mechanisms under the GDPR. The EDPB stated, “In most cases, it will not be possible for large online platforms to comply with requirements for valid consent if they confront users only with a binary choice between consenting to the processing of personal data for behavioral advertising purposes and paying a fee.”  If adopted, this opinion would ultimately change how valid legitimate consent is obtained by large and possibly small businesses.

Read More

Assessing 'necessity' under state health privacy laws

By Felicity Slater and Kate Black in partnership with Future of Privacy Forum’s Jordan Wrigley, and Niharika Vattikonda

Washington state's My Health My Data Act and Nevada's Senate Bill 370 took effect 31 March, prompting entities that collect "consumer health data," as broadly defined by these laws, to assess their data collection, use and sharing through a novel lens. A unique requirement born out of these laws requires that entities analyze which elements of their health data collection, use and sharing are "necessary" to provide products or services requested by their consumers.

Read More