Category Archives: Health Care

EU Rules Restricting the International Transfers of Non-Personal Data

by Kristof Van Quathem and Anna Oberschelp de Meneses

Kristof Van Quathem and Anna Oberschelp de Meneses (Photos courtesy of Covington & Burling LLP)

While the EU GDPR regulates the international transfer of personal data, several recently enacted EU laws regulate the international transfer of non-personal data, which is any data that is not “personal data” under the GDPR.  In other words, these new laws apply to data that does not relate to an identified or identifiable natural person, including anonymized data and data about industrial equipment, significantly expanding the types of data subject to international transfer restrictions.  Some of this legislation has been enacted recently, and other legislation on this topic is making its way through the legislative process but has yet to be adopted.  In this blog post, we outline the current and forthcoming EU legislation on the international transfer of non-personal data.

White-Collar and Regulatory Enforcement: What Mattered in 2023 and What to Expect in 2024

by John F. Savarese, Ralph M. Levene, Wayne M. Carlin, David B. Anders, Sarah K. Eddy, Randall W. Jackson, and Kevin S. Schwartz

Top left to right: John F. Savarese, Ralph M. Levene, Wayne M. Carlin, and David B. Anders.
Bottom left to right: Sarah K. Eddy, Randall W. Jackson, and Kevin S. Schwartz. (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

This past year was yet another notable and intensely active one across the entire range of white-collar criminal and regulatory enforcement areas. We heard continued tough talk from law enforcement authorities, especially concerning the government’s desire to bring more enforcement actions against individuals and on the need to keep ramping up corporate fines and penalties. The government largely lived up to its talking points about increasing the numbers of individual prosecutions and proceedings, particularly with respect to senior executives in the cryptoasset industry. But there were some notable stumbles. The most striking example of this was DOJ’s failure to secure convictions in cases where it attempted to extend criminal antitrust enforcement in unprecedented areas, such as no-poach employment agreements and against certain vertical arrangements—neither of which has historically been viewed as involving per se violations of the federal antitrust laws. And, as in years past, many state attorneys general remained active throughout 2023, using broad state consumer-protection statutes to bring blockbuster cases across a wide array of industries, from ridesharing and vaping to opioids and consumer technology offerings.

Top 5 State Privacy Issues We’re Monitoring This Year

by Alysa Z. Hutnik and Alexander I. Schneider

Alysa Z. Hutnik and Alexander I. Schneider (Photos courtesy of Kelley Drye & Warren LLP)

The year ahead promises to be busy on the state privacy front. States are continuing to fill the gap at the federal level by implementing comprehensive state laws that guarantee consumer privacy rights and regulate data sales, targeted advertising, and sensitive data.

Now, more states than ever are jumping on the bandwagon with comprehensive privacy laws on the books in more than 25 percent of U.S. states and new legislative efforts underway in many other states. In 2024, new laws in Florida, Tennessee, Texas, and Oregon will take effect, joining laws already in effect in California, Colorado, Connecticut, Utah, and Virginia. Laws focused on consumer health data take effect in Washington and Nevada in March as well.

New Jersey Governor Signs Comprehensive Privacy Law

by Nancy Libin, David L. Rice, John D. Seiver, and Benjamin Robbins

From left to right: Nancy Libin, David L. Rice, John D. Seiver, and Benjamin Robbins. (Photos courtesy of Davis Wright Tremaine LLP)

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill 322 (“the Act”), making New Jersey the fourteenth state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, and Delaware.  The Act will take effect on January 16, 2025.

The Year That Was: Key Cybersecurity and Privacy Developments in 2023 and Issues for 2024

by John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog

From left to right: John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog. Photos courtesy of Paul, Weiss, Rifkind, Wharton & Garrison LLP.

At the beginning of the year, we predicted that the use of personal information and the protection of data in an evolving threat environment would be the focus of increased legislation, regulation, and regulatory enforcement. And 2023 delivered, with both threat actors and regulators presenting new challenges for technology and legal teams. At the same time, these teams are navigating how to harness the burgeoning potential of rapidly evolving artificial intelligence applications while mitigating associated security, legal, and related risks. Amidst all of the noise, we break down below ten key developments of 2023 that contributed to an increasingly complex legal and data security landscape and prompted business leaders to increase resources and attention to bolster their defenses and ensure compliance with their growing list of legal obligations. We predict a continued flurry of activity in 2024.

Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule

by the Federal Trade Commission


Does your business collect, use, or share consumer health information? When it comes to privacy and security, you’ve probably thought about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules). But did you know you also may need to comply with the Federal Trade Commission Act and the FTC’s Health Breach Notification Rule? Learn more about your obligations under these laws to maintain the privacy and security of consumers’ health information and provide notification if you experience a breach.

Delaware’s New Personal Data Privacy Act

by Michael T. Borgia, Benjamin Robbins, and Patrick J. Austin

From left to right: Michael T. Borgia, Benjamin Robbins, and Patrick J. Austin. Photos courtesy of Davis Wright Tremaine LLP.

The Delaware Personal Data Privacy Act (DPDPA or Act) became law on September 11, 2023, making Delaware the 13th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, and Oregon. The DPDPA will become effective on January 1, 2025. We highlight key aspects of the DPDPA below.

Protecting the Privacy of Health Information: A Baker’s Dozen of Takeaways from FTC Cases

by Elisa Jillson

Photo courtesy of the author

In the past few months, the FTC has announced case after case involving consumers’ sensitive health data, alleging violations of both Section 5 of the FTC Act and the FTC’s Health Breach Notification Rule. The privacy of health information is top of mind for consumers – and so it’s top of mind for the FTC. Companies collecting or using health data, listen up. There are a number of key messages from BetterHelp, GoodRx, Premom, Vitagene, and other FTC matters that you need to hear.

FTC Announces a Notice of Proposed Rulemaking to Expand Scope of the Health Breach Notification Rule

by Libbie Canter, Anna D. Kraus, Elizabeth Brim, Ariel Dukes, Olivia Vega, and Jorge Ortiz

Top left to right: Libbie Canter, Anna D. Kraus, and Elizabeth Brim. 
Bottom left to right: Ariel Dukes, Olivia Vega, and Jorge Ortiz.
(Photos courtesy of Covington & Burling LLP)

On May 18, 2023, the Federal Trade Commission (“FTC”) announced a notice of proposed rulemaking (the “proposed rule”) to “strengthen and modernize” the Health Breach Notification Rule (“HBNR”).  The proposed rule builds on the FTC’s September 2021 “Statement of the Commission on Breaches by Health Apps and Other Connected Devices” (“Policy Statement”), which took a broad approach to when health apps and connected devices are covered by the HBNR and when there is a “breach” for purposes of the HBNR.  The proposed rule primarily would (i) amend many definitions that are central to the scope of the HBNR (e.g., “breach of security,” “health care provider,” and “personal health record”), and (ii) authorize expanded means for providing notice to consumers of a breach and require additional notice content. According to the FTC, these changes to the HBNR would ensure the HBNR “remains relevant in the face of changing business practices and technological developments.”  Below, we provide a brief summary of the history of the HBNR leading up to this proposed rule, a brief summary of the proposed rule, and a timeline for commenting.

Legal Dispute Surrounding Abortion Pill Has Significant Implications for Broader Healthcare Industry

by Andrew L. Bab, Maura Kathleen Monaghan, Paul D. Rubin, Shannon Rose Selden, Kim T. Le, Jacob W. Stahl, Adam Aukland-Peck, Prakriti Luthra, Melissa Runsten, and Charlotte Blatt

From top left to right: Andrew L. Bab, Maura Kathleen Monaghan, Paul D. Rubin, Shannon Rose Selden, and Kim T. Le.
From bottom left to right: Jacob W. Stahl, Adam Aukland-Peck, Prakriti Luthra, Melissa Runsten, and Charlotte Blatt. (Photos courtesy of Debevoise & Plimpton LLP)

On November 18, 2022, the Alliance for Hippocratic Medicine and several other plaintiffs (“Plaintiffs”) filed suit in federal court against the Food and Drug Administration (the “FDA”), seeking to overturn the FDA’s approval of mifepristone, a drug commonly used for medication abortions, as well as in the management of miscarriage and in the treatment of certain diseases (the “AHM Litigation”). After expedited briefing and a hearing, Northern District of Texas Judge Matthew Kacsmaryk issued a preliminary order that would effectively remove mifepristone from the market nationwide for use in the termination of pregnancy. The court signaled its belief that both the FDA’s initial approval and its subsequent decision to eliminate certain restrictions on its use were arbitrary and capricious because the FDA had allegedly failed to consider relevant safety data.

While the merits of this case have yet to be fully litigated—and the Supreme Court has temporarily preserved the status quo—this case may have significant implications for the broader healthcare industry, including FDA-regulated entities as well as providers, insurers, and even companies that subsidize healthcare for their employees.
