Health and Biotech
By Sheila Sokolowski and Kate Black
In a joint letter sent to 130 hospital systems and telehealth providers, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) warned health care providers, both those covered by HIPAA and those not, about their potential to violate the HIPAA Rules, FTC Act and FTC Health Breach Notification Rule (HBNR) when they use technology that tracks users’ activities on their websites and apps.
Read MoreHintze Law PLLC is pleased to announce that Chambers & Partners has once again recognized Hintze Law and its partners Sheila Sokolowski, Susan Hintze, and Mike Hintze in its 2023 USA Privacy & Data Security rankings. The firm was also recently recognized in The Legal 500’s 2023 US Cyber Law rankings.
Read MoreBy Mike Hintze
When it comes into effect, the Washington My Health My Data Act (MHMDA or the Act) will impose new privacy notice obligations on regulated entities. The Act requires specific privacy disclosures relating to data that meets the very broad definition of “consumer health data.” It appears to require regulated entities to draft, post, link to, and maintain a separate “Consumer Health Data Privacy Policy” that will be largely, but not entirely, redundant of their existing privacy statement(s).
Because the Consumer Health Data Privacy Policy will be publicly available and easily scrutinized by plaintiffs’ lawyers and the Washington Attorney General, mistakes implementing this obligation are likely to be a key source of costly and disruptive litigation. Regulated entities will therefore need to take great care in meeting the Act’s notice requirements which are, in some respects, unusual and unexpected.
Read MoreBy Mike Hintze & Jevan Hutson
Biometric data is among the broad range of “consumer health data” regulated by the Washington My Health My Data Act (MHMDA). In light of MHMDA’s broad definition of biometric data, GDPR-level consent requirements, new obligations, and private right of action, the Act dramatically changes and complicates the regulation of biometric data in Washington state and is poised to become the most disruptive change in U.S. biometric privacy law since Illinois’ BIPA.
Read MoreBy Mike Hintze
The Washington My Health My Data Act provides consumers with several rights, including a right of access, a right to delete, a right to withdraw consent, and a right to not be discriminated against for exercising their rights. While each of these rights can be found in other privacy laws and so, at a high level, do not seem particularly surprising here, the ways they are included in this Act are unique, create uncertainty, and in some cases go well beyond what exists in any other privacy law. As a result, regulated entities seeking to comply with them will face difficult, costly, and disruptive implementation challenges (and with respect to the deletion right, the potential for catch-22 situations where full legal compliance may be impossible). These challenges, along with the Act’s private right of action, set up a significant risk of expensive legal claims and litigation.
Read MoreBy Mike Hintze
When it comes into effect, the Washington My Health My Data Act will impose strict consent requirements on a wide range of common data collection and processing activities. In essence, the Act requires affirmative (opt-in) consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. For anything that could be considered a data “sale,” the authorization requirements are so onerous and risky that they, in effect, create a prohibition.
Read MoreBy Mike Hintze
Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State Legislature. Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act. The Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024). However, contrary to stated legislative intent, and due to what one can only conclude is, at least in part, a drafting error, some of the key substantive provisions of the Act may come into effect much sooner than expected - as soon as July 2023.
Read MoreBy Mike Hintze
The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two above-quoted defined terms – “regulated entity” and “consumer” also result in a very broad (and in some ways surprising) scope and impact.
Read MoreBy Mike Hintze
The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” While there are a few important exclusions, the stunning breath of that term's definition, means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act. As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law.
Read MoreBy Mike Hintze
The Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.
Read MoreBy Kate Black and Sam Castic
The Federal Trade Commission recently announced two enforcement actions under the FTC Act against digital health companies that focus on the use and disclosure of information for online advertising purposes. The agency's complaints against GoodRx and BetterHelp exhibit several shared themes and offer five lessons for companies that are looking to make sense of the enforcement actions. While these cases are both focused on companies in the health sector, these lessons relate to the FTC's current interpretation of unfair acts and deceptive practices that are unlawful for all types of companies under Section 5 of the FTC Act. For this reason, they should be considered by any company engaging in common online advertising practices.
Read MoreOn March 2, 2023, the Federal Trade Commission (FTC) issued a proposed consent order with BetterHelp, Inc. (BetterHelp), an online counseling service, for allegedly misrepresenting its privacy practices and sharing information about consumers’ interest in or use of mental health counseling services (which the FTC alleges to be sensitive health information), in violation of Section 5 of the FTC Act. The proposed order also requires BetterHelp to pay $7.8 million to the FTC for redress to consumers. This is to settle charges that it injured consumers when its unfair business practices led to consumers’ information being shared with third parties, such as Facebook and Snapchat, for advertising purposes after promising consumers it would keep such data private.
Read MoreBy Sheila Sokolowski, Kate Black, and Mason Fitch
On February 1st, 2023, the Federal Trade Commission (FTC) issued a proposed order against GoodRx Holdings, Inc. (GoodRx), a digital health platform, for allegedly violating Section 5 of the FTC Act by making deceptive statements about its sharing of health data. In addition, in its first enforcement action under a decade-old Health Breach Notification Rule, the FTC alleged that GoodRx failed to notify its users of the unauthorized disclosure of their health data to advertising platforms. The Department of Justice filed the order along with a complaint on behalf of the FTC in California federal court. GoodRx subsequently agreed to the FTC’s stipulated order.
Read MoreBy Mason Fitch
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) issued a new bulletin last week that may have significant implications for online activities of Covered Entities and Business Associates. The bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” explains how HIPAA’s reach extends to information collected on websites or mobile apps, including information collected from a user who visits a HIPAA-regulated entity’s website but has no further interaction with that entity. While HIPAA-regulated entities have long understood that their ‘internal tools’ (ex: EHR’s, practice management, and clinical support software) must comply with HIPAA, the new bulletin makes it clear that information that is routinely collected by vendors on public-facing websites, apps, and web-based assets may be PHI as well.
Read MoreBy Mason Fitch
The Supreme Court’s reversal of Roe v. Wade amplifies attention to concerns around the privacy of abortion-related services, including the provision of healthcare, period tracking apps, and even payment methods and mobile location data. In a direct response to Roe’s reversal, the Department of Health and Human Services (HHS) released guidance underscoring the protections applicable to protected health information (PHI) relating to abortion and other reproductive care under the Health Insurance Portability & Accountability Act (HIPAA), which we outline below. HIPAA, however, is limited in scope and does not protect a vast swath of information relating to abortion care.
Read MoreOn October 6, 2021, California’s governor signed the Genetic Information Privacy Act (the “Act”), adding the state to the growing number enacting laws requiring direct-to-consumer genetic testing companies to protect the privacy and security of their customers’ genetic data.
Read MoreOn December 10, 2020, the Department of Health and Human Services (the Department) issued a Notice of Propose Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
Read More