HIPAA/Health

Washington’s My Health My Data Act (“MHMDA”) and Nevada’s SB 370 (“NV CHD Law”) (collectively, “CHD Laws”) went into effect at the end of last month, on March 31, 2024 (as many know, MHMDA’s geofencing prohibition went into effect last summer). Unlike the Health Insurance Portability and Accountability Act (“HIPAA”), a federal law which governs privacy and security in traditional healthcare settings, CHD Laws regulate “consumer health data” or “CHD” – a very broadly defined term as we discuss below and in a prior post – collected by companies in a broad swath of health and non-health related industries alike. Even ancillary purposes like providing accessibility accommodations and defending personal injury claims are enough to trigger the laws. CHD Laws impose restrictions and obligations on regulated entities far more burdensome than state consumer privacy laws, many of which already regulate some of the same health data, and, unlike those general consumer privacy laws, are not proposed to be preempted by the potential federal American Privacy Rights Act.

As such, compliance programs that businesses may have developed to comply with state consumer privacy laws, such as the California Privacy Protection Act (“CCPA”), will not be sufficient to address the requirements of the CHD Laws, though they can be leveraged, such as for consumer rights requests and processor management. There are some material differences beyond the scope of the data regulated. For example, businesses must add another website footer link (and potentially elsewhere, such as in mobile apps) and post a separate privacy policy applicable to the processing of CHD. The facilitation of consumer rights must be CHD-specific, for example providing the right to delete just CHD, rather than all personal information. Moreover, businesses that have CHD use cases not within narrow exceptions (e.g., as necessary to provide a requested product or service), which differ somewhat as between the two laws, will have to grapple with the foreboding consent and authorization requirements which, in some cases, could result in subjecting visitors or customers to a litany of notices and pop-ups in an environment already plagued by what some dub “consent fatigue.”

Continue Reading Are you Ready for Washington and Nevada’s Consumer Health Data Laws?

2023 was an eventful year for privacy legislation, regulation and regulatory enforcement. The compliance landscape continues to develop and evolve rapidly, making it difficult for covered businesses to keep up with the myriad requirements. In this post, we discuss some of the year’s most interesting privacy compliance developments globally.

Continue Reading 2023 Privacy Compliance Year in Review

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Notes from the Asia Pacific Region, December 2023 | Privacy World

Singapore to Amend Cybersecurity Law | Privacy World

The

With its private right of action and expansive scope – extending far beyond Washington state’s borders and applying to a wide swath of health- and non-health-oriented companies alike – Washington’s My Health My Data Act is poised to be more ground-shifting than any other consumer privacy law that came before it. Join Kyle Fath, Bola Shonowo and Gicel Tomimbang for a discussion of:

Continue Reading Join us on September 28 for a Webinar on Washington’s My Health My Data Act and other Consumer Health Data Regulation

Key Takeaway: Organizations must conduct a fact-based analysis to determine whether health data collection and tracking technology deployed on their websites and mobile apps complies with the federal Health Insurance Portability and Accountability Act (“HIPAA”) and other applicable laws and guidance.

Cookies, web beacons, and similar technology are used to collect and analyze

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

FTC Emphasizes Commitment to Protection of Highly Sensitive Data

Federal and State Actions to Protect Robocall Invasion of Consumer

Yesterday the Acting Associate Director of the Federal Trade Commission (“FTC”) Division of Privacy & Identity Protection posted a blog underscoring the agency’s “unprecedented” concerns to individuals’ personal privacy with connected devices.  This announcement comes in the wake of an Executive Order from President Biden intended to address, among other issues, the potential threat to

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

CPW’s Stephanie Faber Speaks at French Association of Personal Data Protection Correspondents Annual Meeting

Future Uncertain for the American

CPW’s Kristin Bryan and Glenn Brown recently joined James Lee, Chief Operating Officer of the Identity Theft Resource Center (“ITRC”), and Eva Velasquez, Chief Executive Officer of the ITRC, to discuss recent developments in privacy laws and privacy litigation. Their podcast, which addresses recently enacted privacy laws, litigation trends, and what may be on the

CPW is proud to share with its readers that Global Data Review, a leading data law and regulation publication, has ranked Squire Patton Boggs among 25 Elite firms in its 2022 edition of the GDR 100.  GDR identifies and profiles the world’s leading law firms.  GDR notes that firms with the Elite designation in