Data Dive
Written and curated by a multidisciplinary group of attorneys, Data Dive delivers key insights on cybersecurity, privacy and other data-related topics impacting organizations across the globe.
Search Results
On April 27, 2023, Washington Governor Jay Inslee signed the My Health My Data Act (the “Act”) into law, establishing new limits on the collection, use and sharing of “consumer health data” and creating numerous compliance obligations for entities that are in scope. The Act will take effect on July 23, 2023 and specifies that compliance is mandated for most sections by March 31, 2024 generally and June 30, 2024 for small businesses. However, the Act’s prohibitions on geofencing appear to take effect on July 23, 2023. Below, we have provided a summary of key aspects of the Act and outlined some steps potentially impacted entities may want to take.
The United States Department of Health and Human Services (HHS), working in coordination with industry leaders, has stepped up efforts to play a central role in helping health care organizations defend against cybersecurity threats.
Multiple policy documents relating to software and digital health have been issued by the U.S. Food and Drug Administration (FDA). The documents offer: a framework for the use of digital health tools in the context of drug development; draft guidance for predetermined change control plans (PCCPs) for artificial intelligence (AI)/machine learning (ML)-enabled device software; and final guidance issuing cybersecurity requirements for device authorization submissions.
On February 1, 2023, the Federal Trade Commission (FTC) announced that it had taken enforcement action against prescription drug discount company GoodRx, which agreed to injunctive relief and to pay a $1.5 million civil penalty to settle allegations that the company violated the FTC Health Breach Notification Rule and Section 5 of the FTC Act.
The Federal Trade Commission (FTC) reached a settlement with weight loss company WW International (formerly known as Weight Watchers) requiring the company to pay a $1.5 million penalty, delete the personal information of children under the age of 13 that was allegedly obtained unlawfully and delete any work product—including algorithms—derived from that data. This case marks the second time in two years that the FTC has ordered algorithm destruction as a result of alleged improprieties in a company’s data collection practices.
On March 9, 2021, the U.S. Department of Health and Human Services Office for Civil Rights announced that the public comment period for the HIPAA proposed privacy rule would be extended until May 6, 2021. The rulemaking was published in the Federal Register on January 21, 2021, with an initial comment deadline of March 22, 2021. Noting the potential for confusion concerning the impact of the Regulatory Freeze announced on January 20, 2021, the agency determined that “the public may need additional time to review the proposals and submit comments.”
The U.S. Food and Drug Administration (FDA) announced that the newly created post of Acting Director of Medical Device Security has been filled by Kevin Fu, a University of Michigan associate professor and founder of the Archimedes Center for Medical Device Security. Fu, who was appointed for a one-year term, is expected to “work to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.” The creation of the position reflects the FDA’s ongoing efforts to ensure the safety and effectiveness of Internet of Things and medical devices such as insulin pumps, pacemakers, and hospital imaging machines. These devices, which increasingly rely on software and the cloud to operate, are particularly vulnerable to threat actors targeting hospitals and other medical providers with ransomware and other attacks. Such attacks have been on the rise, particularly given the shift to telehealth and remote operation of medical devices in the wake of COVID-19.
In the wake of the California voters’ approval of Proposition 24, or the California Privacy Rights Act of 2020 (CPRA), a ballot initiative that expanded data privacy obligations for businesses beyond those in the California Consumer Privacy Act (CCPA), several states promptly introduced new privacy laws of their own at the outset of 2021. Lawmakers in Washington state have notably revamped the Washington Privacy Act (WPA), while the landmark New York Privacy Act (NYPA) has also been reintroduced. Other state lawmakers continue to introduce measures to enhance their states’ data privacy and cybersecurity efforts. Below, please find a high-level overview of states’ new legislative efforts in this space.