Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

In late September, plaintiffs announced details regarding Google LLC’s (“Google”) and women’s health app developer, Flo Health Inc.’s (“Flo”) proposed settlements to resolve a class action lawsuit stemming from the Flo app’s allegedly unlawful sharing of health data with Google and others through online tracking technologies.

As part of the proposed settlements, Google agreed to pay $48 million and Flo agreed to pay $8 million, for a combined $56 million to resolve plaintiffs’ claims against these two entities.

Continue Reading Flo Health, Google Settle Class Action Privacy Lawsuit for $56 Million

On September 24, Senate Democratic Leader Chuck Schumer (D-N.Y.), Senator Maria Cantwell (D-Wash.), and Senator Ed Markey (D-Mass.) introduced the Management of Individuals’ Neural Data (“MIND”) Act of 2025, which would require the Federal Trade Commission (“FTC”) to conduct a study and provide a report examining the governance of “neural data” under existing law and identify additional areas for federal regulation.  The bill would also require the Office of Science and Technology Policy (“OSTP”) to issue guidance regarding federal agencies’ use of certain neurotechnology.

Continue Reading Congress Introduces Neural Data Bill

On June 19, 2025, the U.S. District Court for the Northern District of Texas vacated the majority of the Biden Administration rule (the “2024 Rule”) modifying the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) regarding protected health information (“PHI”) concerning reproductive health.  As discussed in further detail in our previous blog post, the 2024 Rule “limit[ed] the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual’s PHI about reproductive health care for certain non-health care purposes.”

Continue Reading District Court Enjoins Privacy Rule Modifications Regarding Reproductive Health Care

Since the beginning of 2025, there has been a flurry of bills introduced at the state and federal level related to genetic privacy, which follows a similar trend over the past several years.  These bills have focused on a range of issues, including general genetic privacy, national security implications of “foreign adversaries” accessing genetic information, the privacy practices of direct-to-consumer (“DTC”) genetic testing companies, and the transfer of genetic data as part of bankruptcy proceedings, among others.  We summarize a subset of such bills moving through state and federal legislatures below.

State Legislation

Montana SB 163

On May 1, the Montana governor signed SB 163 to amend the state’s Genetic Information Privacy Act (“MT GIPA”), which was originally enacted in 2023.  Effective October 1, 2025, there will be several changes to the law, including:

  • Creating Deidentification Exemption: The original version of MT GIPA did not contain an express exemption for deidentified data.  SB 163 amends the law to include an express exemption for the use of deidentified genetic data for certain research purposes.  Specifically, SB 163 includes an exemption for “deidentified genetic data obtained from a third party to the extent that the data is used to conduct internal, medical, or scientific research.”  The deidentification standard is similar to the standard adopted under many comprehensive state privacy laws and other state DTC genetic privacy laws.
  • Waiver of Certain Rights in the Clinical Trial Context: The law provides that consumers’ rights to access and delete data, destroy samples, and revoke consent must be waived in a limited context related to the collection of genetic data as part of a clinical trial if certain conditions are met, including prescriptive requirements for consent.  Specifically:
    • The relevant entity generally must obtain express and informed written consent for participation in a clinical research trial, including the collection and use of any genetic data, which must, among other things, be in accordance with the good clinical practice (“GCP”) guideline issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use and include the entity’s biological sample and data retention, sharing, and use policies.
    • The biological sample and genetic data must be utilized for clinical research purposes only.

SB 163 states that these requirements are meant to “supersede all exceptions to, and waivers of” informed consent pursuant to the federal Common Rule.  However, it is not clear how this new limited exemption is meant to interact with the existing exemption for entities that are engaged in collecting, using, or analyzing genetic data or biological samples in the context of scientific or clinical research with express consent of the individual and in accordance with human subject research frameworks, including GCP, the federal Common Rule, or FDA’s human subjects research regulations at 21 C.F.R. parts 50 and 56.

Continue Reading Multiple States Enact Genetic Privacy Legislation in a Busy Start to 2025

On September 28, California’s governor signed a number of bills into law, including bills to regulate health care facilities’ use of artificial intelligence (“AI”).  This included AB 3030, which regulates certain California-licensed health care facilities’ use of AI and SB 1223, which amends the California Consumer Privacy Act (CCPA)

Continue Reading California Enacts Health AI Bill and Protections for Neural Data

On Friday, April 26, 2024, the Federal Trade Commission (“FTC”) voted 3-2 to issue a final rule (the “final rule”) that expands the scope of the Health Breach Notification Rule (“HBNR”) to apply to health apps and similar technologies and broadens what constitutes a breach of security, among other updates.  We previously covered the proposed rule, which was issued on May 18, 2023.

In the FTC’s announcement of the final rule, the FTC emphasized that “protecting consumers’ sensitive health data is a high priority for the FTC” and that the “updated HBNR will ensure [the HBNR] keeps pace with changes in the health marketplace.”  Key provisions of the final rule include:

  • Revised definitions:  The final rule includes changes to current definitions in the HBNR that codify the FTC’s recent position on the expansiveness of the HBNR.  Specifically, among other definition changes, the HBNR contains key updates to the definitions of:
    • “Personal health records (‘PHR’) identifiable information.”  In the final rule, the FTC adopts changes to the definition of PHR identifiable information that were included in the proposed rule to clarify that the HBNR applies to health apps and other similar technologies not covered by the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”).  In the final rule, the FTC discusses the scope of the definition, noting that “unique, persistent identifiers (such as unique device and mobile advertising identifiers), when combined with health information constitute ‘PHR identifiable health information’ if these identifiers can be used to identify or re-identify an individual.”
    • “Covered health care provider.”  In the proposed rule, the FTC proposed adding a definition of “health care provider” to include providers of medical or other health services, or any other entity furnishing “health care services or supplies” (i.e., websites, apps, and Internet-connected devices that provide mechanisms to track health conditions, medications, fitness, sleep, etc.).  The final rule does not make substantive changes to this proposed definition but does contain a slight terminology change to “covered health care provider” to distinguish that term from the definition of “health care provider” in other regulations. 

Continue Reading FTC Issues Final Rule to Expand Scope of the Health Breach Notification Rule

By Libbie Canter, Anna D. Kraus, Olivia Vega, Elizabeth Brim & Jorge Ortiz on April 14, 2023

On April 11, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that four Notifications of Enforcement Discretion (“Notifications”) that were issued under the Health

Continue Reading HHS Issues Notice of Expiration of COVID-19 HIPAA Enforcement Discretion

On December 20, 2022, the Federal Trade Commission (“FTC”) announced its issuance of Health Products Compliance Guidance, which updates and replaces its previous 1998 guidance, Dietary Supplements: An Advertising Guide for Industry.  While the FTC notes that the basic content of the guide is largely left unchanged, this guidance expands the scope of the previous guidance beyond dietary supplements to broadly include claims made about all health-related products, such as foods, over-the-counter drugs, devices, health apps, and diagnostic tests.  This updated guidance emphasizes “key compliance points” drawn from the numerous enforcement actions brought by the FTC since 1998, and discusses associated examples related to topics such as claim interpretation, substantiation, and other advertising issues.

Identifying Claims and Interpreting Advertisement Meaning

The updated guidance first discusses how claims are identified and interpreted, including the difference between express and implied claims.  The updated guidance emphasizes that the phrasing and context of an advertisement may imply that the product is beneficial to the treatment of a disease, which in turn would require that the advertiser be able to substantiate the implied claim with competent and reliable scientific evidence, even if the advertisement contains no express reference to the disease.

In addition, the updated guidance provides examples of when advertisers are expected to disclose qualifying information, such as when a product is targeted to a small percentage of the population or contains potentially serious risks.  When the qualifying information is necessary to avoid deception, the updated guidance contains a discussion of what constitutes a clear and conspicuous disclosure of that qualifying information.  Specifically, the guidance states that a disclosure is required to be provided in the same manner as the claim (i.e., if the claim is made visually, the disclosure is required to be made visually).  A visual claim should stand out, and based on its size, contrast, location, and length of time it appears, must be easily noticed, read, and understood.  An audible disclosure should be at a volume, speed, and cadence so as to be easily heard and understood.  On social media, the guidance states a disclosure should be “unavoidable,” which the FTC clarifies does not include hyperlinks.  The qualifying information should not include vague qualifying terms, such as that a product “may” have benefits or “helps” achieve a benefit.

Continue Reading FTC Issues New Guidance Regarding Health Products

In a new post on the Covington Digital Health blog, our colleagues discuss the Office for Civil Rights’ (“OCR”) recently published request for information (“RFI”) seeking comment on implementing certain provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  The RFI seeks input as to
Continue Reading OCR Seeks Comments Related to Recognized Security Practices and Distribution of Civil Monetary Penalties under the HITECH Act