In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

December 05, 2024 in Health + Biotech, Health Privacy, HIPAA, State Legislation

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The patient had requested that a single lab result—unrelated to her reproductive health—be sent to the potential employer. OCR asserts that this disclosure exceeded the scope of the patient’s authorization and was not made another permissible purpose.

The agreement comes as covered entities and their business associates prepare to comply with OCR’s new Privacy Rule To Support Reproductive Health Care Privacy by December 23, 2024. OCR’s focus on the disclosure of reproductive health information in this settlement agreement signals the Office’s commitment to enforcing the rule.

To settle these allegations, Holy Redeemer has agreed to pay HHS $35,581.00 (USD) to enter and comply with the requirements of a two-year “Corrective Action Plan” (CAP). This proscriptive CAP requires Holy Redeemer to:

Submit a breach notification report to HHS about the alleged unauthorized disclosure described above that meets the requirements of 45 C.F.R. § 164.408;

Review, revise, and maintain written “policies and procedures” (a protocol) that meet the requirements of HIPAA and include:
- a description of Privacy Rule’s prohibition on unauthorized use/disclosure of PHI,
- a policy for evaluating authorization for the use / disclosure of PHI,
- internal procedures for the reporting of HIPAA or protocol violations,
- a mandate of timely investigation and remediation of protocol violations and sanctions for non-compliance,
- clear definitions of and standards for risk assessments and defining breaches, and requirements for compliance with the HIPAA Breach Notification Rule;

Provide this protocol to HHS, implement any HHS-requested revisions to it, and distribute the finalized protocol to all staff;

Train all staff on compliance with this protocol using HHS-approved training materials and report any non-compliance with the protocol to HHS;

Submit an “Implementation Report” to HHS that attests to describes its compliance with the CAP and renew this report annually for two years.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Kate Black is a Partner at Hintze Law PLLC and is chair of the firm’s Health and Biotech Privacy Group, and co-chair of the Regulatory Defense Group, and Artificial Intelligence and Machine Learning Group.

California Legislature Passes the Delete Act

September 19, 2023 in CPPA, CCPA, State Legislation, Privacy

By Taylor Widawski

On September 15, 2023, the California Legislature passed Senate Bill 362, known as the Delete Act, which amends the California data broker law. The bill now awaits a signature from the governor. If signed, certain aspects of the law will go into effect as soon as January 31, 2024.

Florida's Comprehensive Privacy Law Enacted

June 08, 2023 in State Legislation, Privacy

By Leslie Veloz

Florida’s SB 262 was signed into law Tuesday, June 6, 2023, making it the 10th comprehensive state privacy law enacted in the United States. SB 262 consists of several parts.

Washington My Health My Data Act - Part 8: Notice Obligations

May 13, 2023 in State Legislation, Privacy, Health and Biotech

By Mike Hintze

When it comes into effect, the Washington My Health My Data Act (MHMDA or the Act) will impose new privacy notice obligations on regulated entities. The Act requires specific privacy disclosures relating to data that meets the very broad definition of “consumer health data.” It appears to require regulated entities to draft, post, link to, and maintain a separate “Consumer Health Data Privacy Policy” that will be largely, but not entirely, redundant of their existing privacy statement(s).

Because the Consumer Health Data Privacy Policy will be publicly available and easily scrutinized by plaintiffs’ lawyers and the Washington Attorney General, mistakes implementing this obligation are likely to be a key source of costly and disruptive litigation. Regulated entities will therefore need to take great care in meeting the Act’s notice requirements which are, in some respects, unusual and unexpected.

Washington My Health My Data Act – Part 7: Biometric Data

April 27, 2023 in State Legislation, Privacy, Health and Biotech

By Mike Hintze & Jevan Hutson

Biometric data is among the broad range of “consumer health data” regulated by the Washington My Health My Data Act (MHMDA). In light of MHMDA’s broad definition of biometric data, GDPR-level consent requirements, new obligations, and private right of action, the Act dramatically changes and complicates the regulation of biometric data in Washington state and is poised to become the most disruptive change in U.S. biometric privacy law since Illinois’ BIPA.

Washington My Health My Data Act - Part 6: Data Subject Rights

April 24, 2023 in State Legislation, Privacy, Health and Biotech

By Mike Hintze

The Washington My Health My Data Act provides consumers with several rights, including a right of access, a right to delete, a right to withdraw consent, and a right to not be discriminated against for exercising their rights. While each of these rights can be found in other privacy laws and so, at a high level, do not seem particularly surprising here, the ways they are included in this Act are unique, create uncertainty, and in some cases go well beyond what exists in any other privacy law. As a result, regulated entities seeking to comply with them will face difficult, costly, and disruptive implementation challenges (and with respect to the deletion right, the potential for catch-22 situations where full legal compliance may be impossible). These challenges, along with the Act’s private right of action, set up a significant risk of expensive legal claims and litigation.

Washington My Health My Data Act - Part 5: Consent Requirements

April 19, 2023 in State Legislation, Privacy, Health and Biotech

By Mike Hintze

When it comes into effect, the Washington My Health My Data Act will impose strict consent requirements on a wide range of common data collection and processing activities. In essence, the Act requires affirmative (opt-in) consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. For anything that could be considered a data “sale,” the authorization requirements are so onerous and risky that they, in effect, create a prohibition.

Washington My Health My Data Act - Part 4: Effective Dates

April 18, 2023 in State Legislation, Privacy, Health and Biotech

By Mike Hintze

Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State Legislature. Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act. The Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024). However, contrary to stated legislative intent, and due to what one can only conclude is, at least in part, a drafting error, some of the key substantive provisions of the Act may come into effect much sooner than expected - as soon as July 2023.

Washington My Health My Data Act - Part 3: The Scope of Entities and Consumers Captured by the Act

April 17, 2023 in Privacy, State Legislation, Health and Biotech

By Mike Hintze

The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two above-quoted defined terms – “regulated entity” and “consumer” also result in a very broad (and in some ways surprising) scope and impact.

Washington My Health My Data Act - Part 2: The Scope of “Consumer Health Data”

April 12, 2023 in Privacy, State Legislation, Health and Biotech

By Mike Hintze

The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” While there are a few important exclusions, the stunning breath of that term's definition, means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act. As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law.

The Washington My Health My Data Act - Part 1: An Overview

April 10, 2023 in State Legislation, Privacy, Health and Biotech

By Mike Hintze

The Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.

Utah's Social Media Regulation Act - Overview of Privacy & Business Impact

March 27, 2023 in State Legislation, Privacy

By Alex Schlight and Leslie Veloz

Just a year after passing a comprehensive privacy law, Utah becomes the first state in the United States to pass a law that significantly regulates minors' access to, and use of, social media sites. The law is much broader than kids’ privacy laws like the federal Children’s Online Privacy Protection Act (COPPA), or California’s Age-Appropriate Design Code Act passed last year in that it significantly limits when and how minors under the age of 18 can use social media, gives parent’s broad rights to consent to and access accounts, and places extensive restrictions on social media company activities, including, prohibiting the display of ads to minors, targeting or suggesting groups, services, products, and posts and use of addictive design.

Iowa Passes Sixth State Comprehensive Privacy Law

March 20, 2023 in State Legislation, Privacy

By Sheila Sokolowski

Senate File 262, a comprehensive privacy law, was signed by the Governor of Iowa on March 28, 2023, thereby becoming law. As a result, Iowa has officially become the sixth state with a comprehensive privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.

Hintze Cybersecurity + Breach Response Group Publishes U.S. State Breach Notice Guide

December 14, 2022 in Cybersecurity, State Legislation

By Sam Castic

The Hintze Cybersecurity + Breach Response Group has published a new guide to U.S. state and territory data breach notification laws – the Hintze Data Breach Notice Guide accessible here. We include in our guide an overview section with a high-level summary of the common provisions that U.S. breach notice laws contain. We also provide a set of detailed charts covering each of the 54 states and jurisdictions. We gathered our collective decades of experience working with breaches to organize these charts in a way we think is more usable in the midst of a breach crisis.

What California’s New Age-Appropriate Design Code Means for Your Business

September 15, 2022 in State Legislation

By Charlotte Lunday

On September 15, Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (CAADC). The law which received bipartisan support in the Legislature has a goal of protecting the wellbeing, data, and privacy of children, including teens, using online platforms. Businesses will be required to comply with significant new documentation and privacy by design and privacy default obligations by July 1, 2024. These obligations are largely adopted from the United Kingdom’s Age-Appropriate Design Code, and the statute’s preamble points to this law and the UK’s Information Commissioner’s Office (ICO) guidance to interpret the CAADC.

First CCPA Fine Shows Need for Cookie Governance and Vendor Management

August 30, 2022 in State Legislation

By Sam Castic

Last week the California Attorney General’s office announced a settlement with beauty retailer Sephora for $1.2 million - the AG’s first monetary penalty for CCPA violations. Sephora has also agreed to a 2-year consent decree with ongoing monitoring and reporting obligations. This enforcement action confirms the AG’s interpretation that: (1) the CCPA requires specific CCPA-mandated contractual terms with each cookie, pixel, and tracking technology provider that companies use on their websites for personal information sharing not to be a “sale” of data under the CCPA, and (2) companies that engage in “sales” of personal information on their websites must honor the Global Privacy Control signal from consumers who choose to use the GPC.

What to Expect: The California Privacy Protection Agency Releases Notice of Proposed Regulatory Action

July 12, 2022 in State Legislation

By Laura Lemire

On Friday, July 8, the California Privacy Protection Agency (CPPA) released a notice of proposed rulemaking to adopt regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA), the law that amends the California Consumer Privacy Act (CCPA) (the “Proposed Regulations”). The Proposed Regulations were previously made available on May 27, 2022, and those remain unchanged. What’s new in the materials released with the notice of proposed rulemaking is rich context on the CPPA’s positions, particularly from the Economic Impact Statement and its supporting Notes.

NY Employee Privacy Law Updates

November 12, 2021 in State Legislation

By Jennifer Ruehr

This week, two pieces of important employee privacy legislation were passed in New York. The first is an amendment to New York’s civil rights law that adds new requirements for businesses that conduct employee monitoring activities in the state. And, the second only applies to businesses in New York City in relation to automated employment decision tools used for hiring and promotion purposes.

Direct-to-Consumer Genetic Testing Privacy Laws: California Joins the Party

November 03, 2021 in State Legislation, Privacy, Health and Biotech

By Sheila Sokolowski

On October 6, 2021, California’s governor signed the Genetic Information Privacy Act (the “Act”), adding the state to the growing number enacting laws requiring direct-to-consumer genetic testing companies to protect the privacy and security of their customers’ genetic data.

Virginia Passes Comprehensive Data Privacy Law

March 08, 2021 in State Legislation, Privacy

By Charlotte Lunday

On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. The VCDPA, which takes effect January 1, 2023, will look familiar to those who work with the GDPR and California’s Consumer Privacy Act and Privacy Rights Act (CCPA and CPRA, respectively). Companies that have already invested in GDPR and CCPA/CPRA compliance will find that most VCDPA obligations are similar to what they have already addressed in some form for Europe and California. But the new Virginia law also contains some novel provisions, such as excluding a broad range of “publicly available information” from the definition of personal data, contractual requirements for sharing de-identified data, and establishing an appeals process for data rights requests.