Tag Archives: Adam H. Greene

FTC Finalizes Expansion of Health Breach Notification Rule’s Broad Applicability to Unauthorized App Disclosures

by Adam H. Greene and Apurva Dharia

Adam H. Greene and Apurva Dharia (photos courtesy of Davis Wright Tremaine LLP)

The FTC issued a final rule to lock in changes to the Health Breach Notification Rule (HBNR) that it proposed in May 2023. While the HBNR began as a breach notification rule seemingly focused on a narrow set of applications that store medical records on behalf of consumers, the final rule continues the FTC’s path toward turning the rule into a means of imposing privacy and breach notification restrictions on virtually all health and wellness apps. Consistent with the FTC’s September 2021 policy statement and recent enforcement actions, the final rule further revises the HBNR to apply to most health and wellness apps and to require breach notification in almost any instance in which a consumer’s identifiable health data is disclosed without their authorization (including unauthorized disclosures to advertising platforms).

The HBNR requires vendors of personal health records (PHRs) and PHR related entities to notify individuals, the FTC, and, in some cases, the media, of a breach of unsecured PHR identifiable health information.[1] It also requires third-party service providers to vendors of PHRs and PHR related entities to provide notification to such vendors and PHR related entities following the discovery of a breach. The rule applies to foreign and domestic non-HIPAA covered vendors of “personal health records that contain individually identifiable health information created or received by health care providers.” The HBNR specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. The final rule will go into effect 60 days after its publication in the Federal Register.

New Washington Law Has Broad Implications For Protecting Consumer Health Data

by Nancy Libin, Adam H. Greene, Rebecca L. Williams, David L. Rice, Michael T. Borgia, John D. Seiver, and Kate Berry

Top row from left to right: Nancy Libin, Adam H. Greene, Rebecca L. Williams, and David L. Rice.
Bottom row from left to right: Michael T. Borgia, John D. Seiver, and Kate Berry. (Photos courtesy of Davis Wright Tremaine LLP)

Landmark ‘My Health My Data’ Act Reaches Beyond Washington and Into the Courts With a Private Right of Action

On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (the “Act”), which will regulate the collection, use, and disclosure of “consumer health data” (“Consumer Health Data” or “CHD”). The Act is intended to provide stronger privacy and security protections for health-related information not protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), but a significant gap remains. In spite of its title and purported focus on the health information of Washington residents, a careful reading of the Act shows that it will have a much broader reach – both geographically and substantively. Most provisions of the Act come into effect on March 31, 2024, with small businesses required to comply by June 30, 2024. Some sections (e.g., Section 10 prohibition against “geofencing”) do not provide effective dates. It is unclear whether those sections become effective on July 22, 2023, which would be 90 days after the end of the legislative session, as provided under Washington law, or whether failure to include an effective date for all sections of the Act was an oversight.
