Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

On September 28, California’s governor signed a number of bills into law, including bills to regulate health care facilities’ use of artificial intelligence (“AI”).  This included AB 3030, which regulates certain California-licensed health care facilities’ use of AI, and SB 1223, which amends the California Consumer Privacy Act (CCPA)

Continue Reading California Enacts Health AI Bill and Protections for Neural Data

On Friday, April 26, 2024, the Federal Trade Commission (“FTC”) voted 3-2 to issue a final rule (the “final rule”) that expands the scope of the Health Breach Notification Rule (“HBNR”) to apply to health apps and similar technologies and broadens what constitutes a breach of security, among other updates.  We previously covered the proposed rule, which was issued on May 18, 2023.

In the FTC’s announcement of the final rule, the FTC emphasized that “protecting consumers’ sensitive health data is a high priority for the FTC” and that the “updated HBNR will ensure [the HBNR] keeps pace with changes in the health marketplace.”  Key provisions of the final rule include:

  • Revised definitions:  The final rule includes changes to current definitions in the HBNR that codify the FTC’s recent position on the expansiveness of the HBNR.  Specifically, among other definition changes, the HBNR contains key updates to the definitions of:
    • “Personal health records (‘PHR’) identifiable information.”  In the final rule, the FTC adopts changes to the definition of PHR identifiable information that were included in the proposed rule to clarify that the HBNR applies to health apps and other similar technologies not covered by the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”).  In the final rule, the FTC discusses the scope of the definition, noting that “unique, persistent identifiers (such as unique device and mobile advertising identifiers), when combined with health information constitute ‘PHR identifiable health information’ if these identifiers can be used to identify or re-identify an individual.”
    • “Covered health care provider.”  In the proposed rule, the FTC proposed adding a definition of “health care provider” to include providers of medical or other health services, or any other entity furnishing “health care services or supplies” (i.e., websites, apps, and Internet-connected devices that provide mechanisms to track health conditions, medications, fitness, sleep, etc.).  The final rule does not make substantive changes to this proposed definition but does contain a slight terminology change to “covered health care provider” to distinguish that term from the definition of “health care provider” in other regulations. 

Continue Reading FTC Issues Final Rule to Expand Scope of the Health Breach Notification Rule

By Libbie Canter, Anna D. Kraus, Olivia Vega, Elizabeth Brim & Jorge Ortiz on April 14, 2023

On April 11, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that four Notifications of Enforcement Discretion (“Notifications”) that were issued under the Health

Continue Reading HHS Issues Notice of Expiration of COVID-19 HIPAA Enforcement Discretion

On December 20, 2022, the Federal Trade Commission (“FTC”) announced its issuance of Health Products Compliance Guidance, which updates and replaces its previous 1998 guidance, Dietary Supplements: An Advertising Guide for Industry.  While the FTC notes that the basic content of the guide is largely left unchanged, this guidance expands the scope of the previous guidance beyond dietary supplements to broadly include claims made about all health-related products, such as foods, over-the-counter drugs, devices, health apps, and diagnostic tests.  This updated guidance emphasizes “key compliance points” drawn from the numerous enforcement actions brought by the FTC since 1998, and discusses associated examples related to topics such as claim interpretation, substantiation, and other advertising issues.

Identifying Claims and Interpreting Advertisement Meaning

The updated guidance first discusses how claims are identified and interpreted, including the difference between express and implied claims.  The updated guidance emphasizes that the phrasing and context of an advertisement may imply that the product is beneficial to the treatment of a disease, which in turn would require that the advertiser be able to substantiate the implied claim with competent and reliable scientific evidence, even if the advertisement contains no express reference to the disease.

In addition, the updated guidance provides examples of when advertisers are expected to disclose qualifying information, such as when a product is targeted to a small percentage of the population or contains potentially serious risks.  When the qualifying information is necessary to avoid deception, the updated guidance contains a discussion of what constitutes a clear and conspicuous disclosure of that qualifying information.  Specifically, the guidance states that a disclosure is required to be provided in the same manner as the claim (i.e., if the claim is made visually, the disclosure is required to be made visually).  A visual claim should stand out, and based on its size, contrast, location, and length of time it appears, must be easily noticed, read, and understood.  An audible disclosure should be at a volume, speed, and cadence so as to be easily heard and understood.  On social media, the guidance states a disclosure should be “unavoidable,” which the FTC clarifies does not include hyperlinks.  The qualifying information should not include vague qualifying terms, such as that a product “may” have benefits or “helps” achieve a benefit.

Continue Reading FTC Issues New Guidance Regarding Health Products

In a new post on the Covington Digital Health blog, our colleagues discuss the Office for Civil Rights’ (“OCR”) recently published request for information (“RFI”) seeking comment on implementing certain provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  The RFI seeks input as to

Continue Reading OCR Seeks Comments Related to Recognized Security Practices and Distribution of Civil Monetary Penalties under the HITECH Act