Data Dive

On April 27, 2023, Washington Governor Jay Inslee signed the My Health My Data Act (the “Act”) into law, establishing new limits on the collection, use and sharing of “consumer health data” and creating numerous compliance obligations for entities that are in scope. The Act will take effect on July 23, 2023 and specifies that compliance is mandated for most sections by March 31, 2024 generally and June 30, 2024 for small businesses. However, the Act’s prohibitions on geofencing appear to take effect on July 23, 2023. Below, we have provided a summary of key aspects of the Act and outlined some steps potentially impacted entities may want to take.

On February 1, 2023, the Federal Trade Commission (FTC) announced that it had taken enforcement action against prescription drug discount company GoodRx, which agreed to injunctive relief and to pay a $1.5 million civil penalty to settle allegations that the company violated the FTC Health Breach Notification Rule and Section 5 of the FTC Act.

On March 9, 2021, the U.S. Department of Health and Human Services Office for Civil Rights announced that the public comment period for the HIPAA proposed privacy rule would be extended until May 6, 2021. The rulemaking was published in the Federal Register on January 21, 2021, with an initial comment deadline of March 22, 2021. Noting the potential for confusion concerning the impact of the Regulatory Freeze announced on January 20, 2021, the agency determined that “the public may need additional time to review the proposals and submit comments.”

Akin Gump published a client alert on the HIPAA Privacy Proposed Rule and its posting on the Federal Register website for public inspection. The rule is scheduled to be published in the Federal Register on January 21, 2021. If the rule is published as currently scheduled, comments will be due March 22, 2021. Key provisions of the rulemaking focus on:

On April 2, 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that the agency will exercise enforcement discretion with respect to certain uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities that would otherwise violate the Health Insurance Portability and Accountability Act of 1996 and Health Information Technology for Economic and Clinical Health Act of 2009 (together with their implementing regulations, HIPAA) during the COVID-19 public health emergency.¹

Akin Gump published a client alert outlining key provisions of New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, signed by Governor Cuomo on July 25, 2019. The data breach notification requirements of the SHIELD Act take effect today (October 23, 2019), while the data security protections of the Act take effect March 21, 2020. The data breach notification requirements will have a significant impact on businesses that own or license computerized data that contain the private information of New York residents. Notably, HIPAA covered entities are also subject to additional breach reporting requirements under the Act. Please click here to read the full alert.

Akin Gump published a client alert regarding the broad request for information issued on December 14, 2018 by the U.S. Department of Health and Human Services, Office for Civil Rights to help the agency identify and address undue obstacles to the sharing of protected health information. Any potential updates to the privacy, security and breach notification regulations adopted under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009 (together, HIPAA) are due February 12, 2019. Please click here to read the full alert.