On 15 January 2025, the European Commission published an action plan on the cybersecurity of hospitals and healthcare providers (the “Action Plan”). The Action Plan sets out a series of EU-level actions that are intended to better protect the healthcare sector from cyber threats. The publication of the Action Plan follows a number of high-profile incidents in recent years where healthcare providers across the European Union have been the target of cyber attacks.Continue Reading European Commission Publishes Action Plan on Cybersecurity of Hospitals and Healthcare Providers
OCR Seeks Comments Related to Recognized Security Practices and Distribution of Civil Monetary Penalties under the HITECH Act
On April 6, 2022, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) published a request for information (“RFI”) seeking public comment on implementing certain provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, indicating that a rulemaking or further guidance related to the HITECH Act may be forthcoming. Specifically, the RFI seeks input as to how covered entities and business associates are voluntarily implementing recognized security practices. OCR will consider the implementation of such practices when making certain determinations relating to the resolution of potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The RFI also seeks input on the process for distributing to harmed individuals a percentage of civil monetary penalties (“CMPs”) or monetary settlements collected pursuant to the HITECH Act. Although HIPAA does not provide a private right of action, the potential for sharing in monetary penalties or settlements could incentivize individuals to report potential HIPAA violations to OCR.
Continue Reading OCR Seeks Comments Related to Recognized Security Practices and Distribution of Civil Monetary Penalties under the HITECH Act
OIG Issues Advisory Opinion on Digital Program for the Treatment of Substance Use Disorders
On March 2, 2022, the Office of Inspector General (“OIG”) for the Department of Health and Human Services (“HHS”) posted an advisory opinion concluding that a digital program for the treatment of substance use disorders would raise minimal fraud and abuse risk. OIG advisory opinions address the application of certain
Continue Reading OIG Issues Advisory Opinion on Digital Program for the Treatment of Substance Use Disorders
California Governor Signs Legislation to Expand Genetic Privacy Protections After Last Year’s Veto
On Wednesday, October 6th, Governor Gavin Newsom signed SB 41, the Genetic Information Privacy Act, which expands genetic privacy protections for consumers in California, including those interacting with direct-to-consumer (“DTC”) genetic testing companies. In a recent Covington Digital Health blog post, our colleagues discussed SB 41 and the growing
Continue Reading California Governor Signs Legislation to Expand Genetic Privacy Protections After Last Year’s Veto
EDPB Issues New Guidance on the Use of Location Data and Contact Tracing in the Context of the COVID-19 Outbreak
As we anticipated in a previous blog post, on April 22, 2020, the European Data Protection Board (“EDPB”) issued new guidelines on the use of location data and contact tracing apps in the context of the present COVID-19 pandemic.
The EDPB’s new guidelines complement and build on similar guidance previously issued by the Board itself (see here, here and here), and by the European Commission (see our blog post here).
The EDPB’s close scrutiny over the use of mobile data and apps in the context of the ongoing public health crisis is unsurprising, as many EU Member States have launched—or are in the process of launching—contact tracing apps to fight the spread of the virus, and these initiatives are receiving great attention by data privacy authorities and the general public (see our blog post here).
The guidelines aim to clarify the data protection conditions and principles that should be followed when:
- using location data to model the spread of the virus to assess the overall effectiveness of confinement measures; and
- using contact tracing apps, which aim to notify individuals who may have been in close proximity to someone who is infected or confirmed as a carrier of the virus, in order to break the contamination chain as early as possible.
The EDPB stresses that EU data protection rules have been designed to be flexible and, as such, do not stand in the way of an efficient response to the pandemic. However, it notes that governments and private actors should be mindful of a number of considerations when they use data-driven solutions in response to the COVID-19 outbreak.Continue Reading EDPB Issues New Guidance on the Use of Location Data and Contact Tracing in the Context of the COVID-19 Outbreak
FDA Issues COVID-19 Policy for Certain Digital Health Solutions
On April 14, 2020, FDA issued a direct-to-final guidance outlining its “Enforcement Policy for Digital Health Devices for Treating Psychiatric Disorders During the Coronavirus Disease 2019 (COVID-19) Public Health Emergency.” The guidance intends to “expand the availability of digital health therapeutic devices” – possibly the first time FDA has used such term in its written policies – to facilitate consumer and patient use and reduce potential exposure to COVID-19. The guidance applies to two groups of products: (1) computerized behavioral therapy devices and other digital health devices for psychiatric disorders; and (2) low-risk wellness and digital health products for mental health or psychiatric conditions. Like FDA’s many other COVID-19 enforcement policies, the policy will remain in effect “only for the duration of the public health emergency related to COVID-19.”
Continue Reading FDA Issues COVID-19 Policy for Certain Digital Health Solutions
Ideation Question #5: Who Will Pay for the Offering?
This is the fifth of our video posts on 10 questions that can help lawyers contribute to the digital health ideation process. Today’s video explores the question: who will pay for the offering?
Continue Reading Ideation Question #5: Who Will Pay for the Offering?
Reconciling Personalized Nutrition with the GDPR
As with anything personalized, be it advertising, medicines or training schedules, also personalized nutrition — using information on individual characteristics to develop targeted nutritional advice, products, or services — risks being affected by the feared GDPR. Kristof Van Quathem discusses the topic in Vitafoods’ Insights magazine of January 2019,
Continue Reading Reconciling Personalized Nutrition with the GDPR
IoT Update: The UK Government’s Response to Centre for Data Ethics and Innovation Consultation
On 20 November 2018, the UK government published its response (the “Response”) to the June 2018 consultation (the “Consultation”) regarding the proposed new Centre for Data Ethics and Innovation (“DEI”). First announced in the UK Chancellor’s Autumn 2017 Budget, the DEI will identify measures needed to strengthen the way data and AI are used and regulated, advising on addressing potential gaps in regulation and outlining best practices in the area. The DEI is described as being the first of its kind globally, and represents an opportunity for the UK to take the lead the debate on how data is regulated.
Continue Reading IoT Update: The UK Government’s Response to Centre for Data Ethics and Innovation Consultation
Medicare Policies Modified to Support Smart Devices Use for Sharing Glucose Data
The Centers for Medicare & Medicaid Services (CMS) recently announced that Medicare coverage policies would be revised “to support the use of [continuous glucose monitors] in conjunction with a smartphone, including the important data sharing function they provide for patients and their families.” In turn, the agency’s contractors, known as
Continue Reading Medicare Policies Modified to Support Smart Devices Use for Sharing Glucose Data