On Wednesday, October 6th, Governor Gavin Newsom signed SB 41, the Genetic Information Privacy Act, which expands genetic privacy protections for consumers in California, including those interacting with direct-to-consumer (“DTC”) genetic testing companies.  In a recent Covington Digital Health blog post, our colleagues discussed SB 41 and the growing patchwork of state genetic privacy

Last Friday, October 1, the Protecting DNA Privacy Act (HB 833), a new genetic privacy law, went into effect in the state of Florida establishing four new crimes related to the unlawful use of another person’s DNA.  While the criminal penalties in HB 833 are notable, Florida is not alone in its focus

On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health record that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  16 C.F.R. §§ 318.3, 318.5.  Third-party service providers also are required to notify covered vendors of any breach.  16 C.F.R. § 318.3.


Continue Reading FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices

Legislation that would amend California’s Confidentiality of Medical Information Act (“CMIA”) is working its way through California’s Senate and passed in the Senate Health Committee earlier this week.  The proposed bill passed in the state’s Assembly back in April.  Introduced by Democratic California Assemblymember Edwin Chau, who sits on the Privacy and Consumer Protection Committee, the proposed legislation (AB 1436) expands the definition of “provider of health care.”  Under the CMIA, providers of health care are subject to various obligations, including provisions that restrict the disclosure of medical information without a prior valid authorization, subject to certain exceptions.
Continue Reading Proposed Bill Would Expand the Scope of the CMIA

On May 3, 2021, the European Commission (the “Commission”) opened a further public consultation (“Consultation”) on the European Health Data Space (“EHDS”).

This follows a consultation earlier in the year, on the Commission’s “Inception Impact Assessment” in relation to the EHDS.  (For further information on the earlier consultation and an overview of the EHDS, please see our blog post available here).


Continue Reading European Commission Conducts Further Consultation on the European Health Data Space Initiative

On February 9, 2021, the UK Government’s Department for Health and Social Care (“DHSC”) announced a review into the efficient and safe use of health data for research and analysis for the benefit of patients in the health sector (“Review”). The DHSC encourages stakeholder feedback in the context of the Review, and will be of particular interest to organisations that have, or seek to have, access to NHS patient data for research purposes.

Continue Reading UK Government Announces Review Into Use Of Health Data For Research And Analysis

The Federal Trade Commission (“FTC”) announced this month a proposed settlement against Flo Health, Inc. (“Flo”), the developer of popular menstrual cycle and fertility-tracking application (the “Flo App”), resolving allegations that “the company shared the health information of users with outside data analytics providers after promising that such information would be kept private.”  The proposed settlement requires Flo, among other things, to obtain review by an “independent third-party professional” of its privacy practices, obtain users’ consent before sharing their health information, alert users whose data was disclosed, and require third-parties that previously received that data to destroy it.
Continue Reading FTC Reaches Settlement with Digital Health App, Requires First Notice of Privacy Action

On December 23, 2020, the European Commission (the “Commission”) published its inception impact assessment (“Inception Impact Assessment”) of policy options for establishing a European Health Data Space (“EHDS”).  The Inception Impact Assessment is open for consultation until February 3, 2021, encouraging “citizens and stakeholders” to “provide views on the Commission’s understanding of the current situation, problem and possible solutions”.

Continue Reading European Commission Conducts Open Consultation on the European Health Data Space Initiative

On January 6, 2021 the UK’s Department of Health and Social Care (“DHSC”)  published “A Guide to Good Practice for Digital and Data-Driven Health Technologies” (the “Guidance”).  The Guidance updates the DHSC’s “Code of Conduct for Data-Driven Health and Care Technologies” (the “Code”) (for further information on the Code see our earlier blog, here).

As with the Code, the Guidance is a valuable resource to help parties understand what the National Health Service (“NHS”) looks for when acquiring digital and data-driven technologies for use in health and care.


Continue Reading UK’s Department of Health and Social Care Publishes Updated Guidance on Good Practice for Digital and Data-Driven Health Technologies

On 3 July 2020, the German parliament passed a draft bill (German language) for patient data protection and for more digitalisation in the German healthcare system (Patientendaten-Schutz-Gesetz). The draft bill is currently in the legislative procedure and is expected to enter into force in autumn 2020.

One of the main objectives of the