On October 10, 2023, Governor Newsom signed into law SB 362, known as the “California Delete Act” or “Delete Act”, which the legislature had passed at the end of the 2023 legislative session on September 14. The Delete Act amends California’s existing Data Broker Registration law (Cal. Civ. Code Section 1798.99.80 et seq.). Among other things, the law imposes additional registration requirements on top of those that already exist, doubles the administrative fine for failure to register, requires the California Privacy Protection Agency (CPPA) to set up a one-stop-shop deletion mechanism that allows consumers to make requests to all registered data brokers, and obligates data brokers to access the mechanism every 45 days and process each and every deletion request made by consumers within a prescribed timeframe (including directing all of their service providers and contractors to honor the request).

Continue Reading California Delete Act Imposes New Obligations on Data Brokers

On November 30, 2023, the Illinois Supreme Court unanimously held in Mosby v. Ingalls Memorial Hospital that an exclusion in the Illinois Biometric Information Privacy Act (BIPA) applies to healthcare workers where their biometric information is collected, used, or stored in the course of providing medical services. The holding is a significant victory for healthcare institutions and clarifies that the applicable exemption, Section 10 of BIPA, does not apply only to hospital patients but also extends to other circumstances.

Plaintiffs were healthcare workers who used finger-scanning authentication devices in the course of providing patient care, including for medication dispensing systems and to gain authorized access to patient materials and medications. They filed suit against their employer, a hospital, alleging violations of Sections 15(a), (b), and (d) of BIPA. The defendant hospital filed a motion to dismiss, arguing that the biometric data that it purportedly collected, used, and/or stored was used for internal purposes to restrict access to patients’ protected health information and medication. The defendant also asserted that because the data at issue was used for health care treatment and operations, it was specifically exempt under Section 10 of BIPA. This provision provides that “[b]iometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [HIPAA].”

The Illinois circuit court ruled that the exemption in Section 10 of BIPA was limited to patient information only. The defendant timely appealed that ruling.

On appeal, in a case of first impression, the Illinois Supreme Court held that healthcare workers’ use of biometric scanning devices fell within the scope of Section 10’s exemption by the plain language of the statute: “Pursuant to its plain language, [BIPA] excludes from its protections the biometric information of health care workers where that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined by HIPAA.” As such, the Court ruled, using finger-scanning devices to access patient medications and provide patient care fell within the scope of “information collected, used, or stored for health care treatment, payment, or operations.”

This ruling is a significant victory for the BIPA defense bar. However, attorneys should be cautious of reading Mosby too expansively, as the Court cautioned that it did not intend to create a “broad, categorical exclusion of biometric identifiers taken from health care workers.” It is anticipated that future cases applying the Section 10 exemption will further refine the standard resulting from this decision. For more, stay tuned; Privacy World will be there to keep you in the loop.

By Julia B. Jacobson, Sasha Kiosse, Alan Friel, Charles Helleputte

Last updated: January 29, 2024

I. BACKGROUND ON DPF

1. What are Privacy Shield and Safe Harbor?

The Privacy Shield was an agreement between the EU, Switzerland and U.S. under which U.S. businesses could earn a certification that allowed them to

With its private right of action and expansive scope – extending far beyond Washington state’s borders and applying to a wide swath of health- and non-health-oriented companies alike – Washington’s My Health My Data Act is poised to be more ground-shifting than any other consumer privacy law that came before it. Join Kyle Fath and Bola Shonowo for a discussion of:

Continue Reading Join us on September 28 for a Webinar on Washington’s My Health My Data Act and other Consumer Health Data Regulation

After much anticipation, the Securities and Exchange Commission (the “Commission”) has adopted Regulations (the “Regulations”) regarding public companies’ obligations to include disclosure in annual reports on Form 10-K (Form 20-F for foreign private issuers) regarding material cybersecurity risks, risk management and governance, and to file current reports on Form 8-K (Form 6-K for foreign private issuers) to report material cybersecurity incidents. The Commission adopted many of the reporting requirements proposed in the March 2022 draft of the Regulations and discussed in our prior blog post. Notably, the obligation to disclose information regarding the Board of Directors’ cybersecurity expertise was eliminated from the final Regulations based on feedback from commenters who objected to this requirement. In the coming days, we will publish a thorough article regarding public companies’ new reporting obligations, but in this post we briefly summarize the new requirements adopted.

Continue Reading SEC Adopts Final Cybersecurity Risk Management and Incident Disclosure Regulations

With Gov. Abbott’s recent signing of the Securing Children Online through Parental Empowerment Act (SCOPE Act), Texas joins Arkansas and Utah (see our blogs here and here) in requiring age verification and parental consent before allowing minors to create accounts on social media platforms. Two key differences among these laws are (i) the SCOPE Act’s scope, which is broader than the other two state laws; and (ii) the duty imposed by the SCOPE Act to prevent harm to minors by preventing their exposure to “harmful material.” To define “harmful material,” the SCOPE Act borrows from a different Texas law which defines it as material that, “taken as a whole,” (i) appeals to the prurient interest of a minor in sex, nudity, or excretion, (ii) is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable for minors, and (iii) is utterly without redeeming social value for minors.

Continue Reading Texas Two-Steps into the Children’s Privacy Dance: The Securing Children Online through Parental Empowerment Act

Privacy teams have more to do with Gov. Abbott signing the Texas Data Privacy and Security Act, also known as TX HB 4 (the “Act”), after several last-minute amendments. This is in addition to the new comprehensive privacy laws from Tennessee (also amended late in the game before submission to the Governor), Indiana, Iowa, Montana and Florida that have passed this spring alone.

Importantly, there is no minimum number of records processed or annual revenue threshold for businesses to be in the scope of the law. It has broad applicability to companies that do business in the state and that process or sell personal data. It does contain the usual entity- and data-level exceptions (e.g., GLBA, HIPAA, FCRA, etc.) and explicitly excludes data collected in the human resources or business-to-business context.

Continue Reading Don’t Mess with Texas: The Lone Star State Enacts Comprehensive Consumer Privacy Law

In 2020, when the California Consumer Privacy Act (CCPA) came into effect, the privacy landscape in the US changed forever. Fast forward three years, and we now have close to a dozen states that have passed consumer privacy laws, with the second generation of consumer privacy laws giving particular attention to sensitive data. In particular, there is an emerging trend, in both new legislation and enforcement of existing privacy and consumer protection regimes, towards a focus on the collection, use, and sharing or selling of health-related personal information, specifically information that is outside the scope of the federal Health Insurance Portability and Accountability Act (HIPAA).[1] The effect is a restriction on what publishers, advertisers, and other commercial enterprises can do with consumer health information, often broadly defined to include any past, present or future health status or inference regardless of sensitivity (e.g., acne or a headache). These developments include:

Continue Reading Health (and Health-ish) Data and Advertising Under Scrutiny

On May 19th, the Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (“Montana CDPA”). The Montana CDPA was chaptered into Montana law on May 22nd. Montana is the fifth state to pass a comprehensive privacy law this year, following Iowa, Indiana, Tennessee and Florida, and the tenth state overall, following the “first five” states of California, Colorado, Connecticut, Utah and Virginia (described here).

Following are some FAQs about the Montana CDPA:

When is the Montana CDPA in effect?

The Montana CDPA is in force as of October 1, 2024. Only Florida’s new privacy law takes effect earlier, on July 1, 2024. Montana’s law takes effect before the new privacy laws in Iowa (effective January 1, 2025), Tennessee (effective July 1, 2025) and Indiana (effective January 1, 2026).

Who are “consumers” in the Montana CDPA?

A consumer is a Montana resident acting in an individual capacity.

Consumers do not include Montana residents acting in a commercial or employment context, or otherwise in a business-to-business or government agency context, e.g., as an employee, owner, director, officer, or contractor.

What organizations are subject to the Montana CDPA?

Montana CDPA applies to any “person” (which means a natural person or legal entity, subject to the exceptions described below) that:

  • conducts business in Montana or produces products or services that are targeted to Montana consumers, and
  • either (i) controls or processes the personal data of 50,000 or more consumers (excluding personal data processed solely for completing a payment transaction) or (ii) controls or processes the personal data of at least 25,000 consumers and derives 25% or more of gross revenue from the sale of personal data.

The Montana CDPA follows the same role-based processing model as the other state privacy laws: a controller determines the purpose and means of processing personal data; processors assist controllers in meeting their obligations; and a controller must have a contract with its processors.

What organizations are not subject to the Montana CDPA?

The Montana CDPA does not apply to non-profit organizations, financial institutions regulated by the Gramm-Leach-Bliley Act, national securities associations under the Securities Exchange Act, or to HIPAA covered entities and protected health information (among other exclusions).

What rights are available for consumers under the Montana CDPA?

The Montana CDPA grants the following rights to consumers:

  • Right to confirm processing and access personal data
  • Right to correct inaccuracies in the consumer’s personal data
  • Right to delete personal data about the consumer
  • Right to obtain a copy of the personal data previously provided by the consumer
  • Right to opt-out of the processing of the consumer’s personal data for the purposes of:
    • targeted advertising
    • sale
    • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer

Consumers can designate an authorized agent to exercise the rights of the consumer to opt out of targeted advertising, sale, and profiling.

What obligations apply to businesses under the Montana CDPA?

Responding to Consumer Rights. A covered business acting as a controller:

  • must respond to a consumer rights request within 45 days after receipt of the request, subject to a 45-day extension when “reasonably necessary”
  • must establish a process for a consumer to appeal the controller’s refusal to act on a consumer rights request
  • must, within sixty days after receipt of the appeal, inform the consumer in writing of any action taken or not taken, including an explanation of the reasons for that decision. If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or another method through which the consumer can contact the Montana Attorney General to submit a complaint.

Special Requirements for Opt-out Requests relating to Targeted Advertising and Personal Data Sale: by January 1, 2025 (three months after the Montana CDPA is in force), a controller must allow consumers to opt out of targeted advertising or sale of their personal data through an opt-out preference signal. The opt-out preference signal must be easy to use, must not unfairly disadvantage another controller, must require the consumer to make an affirmative choice to opt out (i.e., not a default setting), and must allow the controller to accurately determine whether the consumer is a Montana resident.

Data Minimization: A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed.

Revocation of Consent: Controllers must provide a mechanism for consumers to revoke their consent that is as easy to use as the mechanism by which the consumer provided their consent. Within 45 days of the revocation, the controller must cease processing the consumer’s personal data.

Privacy Notice: A controller must make available a privacy policy that includes the categories of personal data processed by the controller, the purpose for processing personal data, the categories of personal data that the controller shares with third parties, the categories of third parties with which the controller shares personal data, the controller’s contact information, and how consumers may exercise their rights, including one or more reliable means to submit a request, and appeal a controller’s decision regarding the request.

Sensitive Data Processing: A controller cannot process sensitive data concerning a consumer without obtaining the consumer’s consent.

Minors: Controllers may not process the personal data of a consumer for the purposes of targeted advertising or sale without the consumer’s consent when a controller has actual knowledge that the consumer is at least age 13 but younger than age 16.

Data Protection Assessments: A controller is obligated to conduct and document a data protection assessment for each of the controller’s processing activities created or generated after January 1, 2025 that presents a heightened risk of harm to a consumer, including (1) processing personal data for targeted advertising, (2) selling personal data, (3) processing sensitive data, and (4) processing personal data for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment; financial, physical or reputational injury to consumers; intrusion on the solitude or seclusion or the private affairs of consumers; or other substantial injury. Data protection assessments generally must identify and weigh the benefits and risks of the processing, as mitigated by safeguards that the controller may employ. These requirements generally track the data protection assessment requirements in Virginia’s, Connecticut’s, and Indiana’s consumer privacy laws.

What are the consequences of not complying with the Montana CDPA?

The Montana CDPA does not have a private right of action and is enforceable only by the Montana Attorney General. The Montana AG may bring an action if, after notice of a violation, the controller fails to cure the violation within a sixty-day cure period. The right to cure expires on April 1, 2026.

Are regulations forthcoming under the Montana CDPA?

The Montana CDPA does not provide for future rulemaking.

2024 and 2025 promise to be busy years for privacy professionals, with five new privacy laws coming into effect and likely more on the way. Businesses that have already built compliance programs for one or more of the “first five” state privacy laws will, however, have a much lighter lift.

Privacy World will continue to cover updates in Montana, as well as other state and federal privacy legislation. Please contact the authors or your relationship partner at SPB for more information.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

Today, Governor Jay Inslee signed into law the My Health My Data Act (HB 1155) (the “Act” or “MHMD”), a first-of-its-kind consumer health data law. Passage of the Act was, in part, a direct response by Washington state lawmakers to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Org. overturning Roe v. Wade. Recognizing that the nation’s federal health privacy law, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), has blind spots in protecting health-related information collected outside of contexts involving HIPAA covered entities (e.g., healthcare institutions), the legislature in passing MHMD sought to “close the gap” in privacy protections for health data that falls outside the scope of HIPAA, including information related to reproductive health and gender-affirming care.

Continue Reading Governor Inslee Signs Washington My Health My Data Act Into Law: First-of-Its-Kind Consumer Health Data Law, Explained