Privacy & Information Security Law Blog

The Supreme Judicial Court of Massachusetts, the state’s highest appellate court, recently held that website operators’ use of third-party tracking software, including Meta Pixel and Google Analytics, is not prohibited under the state’s Wiretap Act.

On October 31, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights announced two settlements over medical providers’ failures to comply with the HIPAA Security Rule, one with Plastic Surgery Associates of South Dakota and one with Bryan County Ambulance Authority.  The settlements mark the sixth and seventh OCR enforcement actions related to ransomware attacks with the latter being the first enforcement action in OCR’s Risk Analysis Initiative.

On November 1, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights and the Assistant Secretary for Technology Policy announced the release of a new version of the Security Risk Assessment Tool.

On September 26, 2024, the U.S. Department of Health and Human Services Office for Civil Rights entered into a resolution agreement and corrective action plan with Cascade Eye and Skin Centers, P.C. following a ransomware attack that impacted approximately 291,000 files containing electronic PHI.

On October 3, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a monetary penalty of 240,000 dollars against Providence Medical Institute, an interstate network of medical providers, for violations of the HIPAA Security Rule in relation to a series of ransomware attacks against an orthopedics practice acquired by the entity.

On June 20, 2024, the U.S. District Court for the Northern District of Texas Fort Worth Division ruled that guidance issued by the U.S. Department of Health and Human Services (“HHS”) relating to online tracking technologies exceeded HHS’ authority and ordered that it be vacated. 

On September 15, 2023, the Federal Trade Commission and the Department of Health and Human Services (“HHS”) published an updated version of the two agencies’ joint publication, entitled “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule.” 

On September 13, 2023, the National Coordinator for Health Information Technology (“ONC”) and the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services released version 3.4 of the Security Risk Assessment (“SRA”) Tool under the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.

On April 12, 2023, the U.S. Department of Health and Human Services (“HHS”) issued a Notice of Proposed Rulemaking (“NPRM”) to modify protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to strengthen reproductive health care privacy.

On February 10, 2023, an Illinois federal district court ordered the dismissal of a putative class action lawsuit alleging that an online tool that allowed users to virtually try on sunglasses violated the Illinois Biometric Privacy Act (“BIPA”).

On December 1, 2022, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) released a Bulletin on the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. 

Following the ruling in Dobbs, the National Institutes of Health’s (“NIH’s”) certificates of confidentiality offer an important layer of privacy protection to reproductive health research data. The Public Health Service Act created the certificates of confidentiality program, which prohibits the disclosure of identifiable, sensitive research data “in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding” without the research subject’s consent. These certificates add a layer of protection to abortion and fertility data collected as part of NIH research.

On June 29, 2022, the U.S. Department of Health and Human Services (“HHS”) issued two guidance documents to “help protect patients seeking reproductive health care, as well as their providers” following the Supreme Court’s decision in Dobbs vs. Jackson Women’s Health Organization. These guidance documents address the legal protections for individuals’ protected health information (“PHI”) relating to abortion and other reproductive health care, as well as how individuals can protect their medical information on personal devices, menstruation tracking apps and other health-related apps.