Health Privacy

On September 27, 2023, Governor Newsom signed AB 254 and AB 352, which both amend the California Confidentiality of Medical Information Act (“CMIA”).  Specifically, AB 254 expands the scope of the CMIA to expressly cover reproductive or sexual health services that are delivered through digital health solutions and the associated health information generated from these services.  AB 352 imposes new requirements on how electronic health record (“EHR”) systems must store medical information related to gender affirming care, abortion and related services, and contraception and the ability of providers of health care, health care service plans, contractors, or employers to disclose such information.

Continue Reading California Enacts Amendments to the CMIA

Innovative digital solutions intended to address health issues typically experienced by women have been an area of increased focus.  Ranging from reproductive-related mobile applications to AI-enabled breast cancer screening devices, digital solutions for women+ health show promise to serve an enormous market with medical needs that have often failed to get the level of attention

On December 2, 2022, the U.S. Department of Health and Human Services (“HHS”), through the Office for Civil Rights (“OCR”) and the Substance Abuse and Mental Health Services Administration (“SAMHSA”), issued a proposed rule to implement statutory amendments enacted by Section 3221 of the 2020 Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”).  Specifically

On June 23, 2022, the German Federal Office for Information Security (“Office”) published technical guidelines on security requirements for healthcare apps, including mobile apps, web apps, and background systems.  Although the technical guidelines are aimed at healthcare app developers, they contain useful guidance for developers of any app that processes or stores sensitive

On Wednesday, October 6th, Governor Gavin Newsom signed SB 41, the Genetic Information Privacy Act, which expands genetic privacy protections for consumers in California, including those interacting with direct-to-consumer (“DTC”) genetic testing companies.  In a recent Covington Digital Health blog post, our colleagues discussed SB 41 and the growing patchwork of state genetic privacy

Last Friday, October 1, the Protecting DNA Privacy Act (HB 833), a new genetic privacy law, went into effect in the state of Florida establishing four new crimes related to the unlawful use of another person’s DNA.  While the criminal penalties in HB 833 are notable, Florida is not alone in its focus

The Federal Trade Commission (“FTC”) announced this month a proposed settlement against Flo Health, Inc. (“Flo”), the developer of popular menstrual cycle and fertility-tracking application (the “Flo App”), resolving allegations that “the company shared the health information of users with outside data analytics providers after promising that such information would be kept private.”  The proposed settlement requires Flo, among other things, to obtain review by an “independent third-party professional” of its privacy practices, obtain users’ consent before sharing their health information, alert users whose data was disclosed, and require third-parties that previously received that data to destroy it.
Continue Reading FTC Reaches Settlement with Digital Health App, Requires First Notice of Privacy Action

California Attorney General Xavier Becerra (“AG”) announced in September a settlement against Glow, Inc., resolving allegations that the fertility app had “expose[d] millions of women’s personal and medical information.”  In the complaint, the AG alleged violations of certain state consumer protection and privacy laws, stemming from privacy and security “failures” in Glow’s mobile application

Throughout September, the Department of Health and Human Services, Office for Civil Rights (“OCR”), announced eight different settlements to resolve a variety of alleged violations of the Privacy and Security Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Notably, three settlements stem from data breaches in which hackers were able

In a new post on the Covington Inside Privacy blog, our colleagues discuss the passage of California’s AB 713, a bill that creates a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (“CCPA”) for certain information that has been deidentified in accordance with the Health Insurance Portability and Accountability Act of