Medical Privacy

Subscribe to Medical Privacy

On July 20, 2023, the Federal Trade Commission (“FTC”) and the Office for Civil Rights of the United States Department of Health and Human Services (“OCR”) announced that they had sent a warning letter to about 130 hospital systems and telehealth providers, alerting them about the risks and concerns of using online tracking technologies, such as the Meta/Facebook pixel and Google Analytics, which can track users’ online activities.

The Health Information Portability and Accountability Act (“HIPAA”) has long been described as the floor for health care privacy laws and that states and regulators are free to enact more restrictive health care privacy laws. Last week, Washington state became the first state in the nation to codify into law broad protections for consumer health data that go well beyond HIPAA.

LabMD’s lack of data security measures resulted in the FTC Commission overturning an Administrative Law Judge (“ALJ”) decision that previously dismissed charges against the company in November. LabMD performed laboratory medical testing for over 750,000 patients since 2001, before going out of business in 2014, partly due to fighting this case. The FTC brought the action under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” An act that causes or is likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition may be deemed unfair.

This month, the Federal Trade Commission (FTC) issued guidance on privacy and security best practices for health-related mobile apps, such as fitness apps connected with wearables, diet and weight loss apps, and health insurance portals.  At the same time, the FTC unveiled an interactive tool designed to direct health app developers to federal laws and regulations that may apply to their apps.  The Mobile Health Apps Interactive Tool, which is the product of collaboration among the FTC, Department of Health and Human Services’ Office of National Coordinator for Health Information Technology (ONC), Office for Civil Rights (OCR), and the Food and Drug Administration (FDA), seeks to unify guidance in a space governed by a complicated web of legal requirements.  It also signals the continued focus of regulators on the protection of consumer health information in this rapidly evolving space.

We have heard the well-publicized stories of stolen laptops and resulting violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and we generally recognize the inherent security risks and potential for breach of unsecured electronic protected health information posed by computer hard drives. We remember to “wipe” the personal data off of our phones or computers before they are disposed, donated, or recycled.

A recent HIPAA settlement offers a costly reminder that other types of office equipment we use regularly have similar hard drives capable of storing confidential personal information.

We pack tons of personal and sensitive information in our DNA.  While the human genome has been mapped for a decade, legal issues of genetic privacy are just beginning to rise.  Earlier this month, the U.S. Supreme Court decided what Justice Alito described as “perhaps the most important criminal procedure case that this court has heard in decades.”  The case addressed whether police could constitutionally take a DNA sample from a person arrested for a serious crime, and in a 5-4 decision, the Court ruled that DNA collection serves the legitimate government interest in identifying arrestees.  In the majority opinion, however, Justice Kennedy noted that, “If in the future police analyze samples to determine, for instance, an arrestee’s predisposition for a particular disease or other hereditary factors not relevant to identity, that case would present additional privacy concerns not present here.” 

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.  These four factsheets are described in detail

For the fourth time since the Massachusetts data security regulations took effect in March 2010, the Massachusetts Attorney General’s Office (“AGO”) has settled allegations that Massachusetts-based entities violated the regulations.  On January 7, 2013, Suffolk Superior Court approved consent judgments pursuant to which five entities agreed to collectively pay $140,000