Health Privacy

On September 28, California’s governor signed a number of bills into law, including to regulate health care facilities’ use of artificial intelligence (“AI”).  This included AB 3030, which regulates certain California-licensed health care facilities’ use of AI and SB 1223, which amends the California Consumer Privacy Act (CCPA)

Continue Reading California Enacts Health AI Bill and Protections for Neural Data

On April 26, 2024, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a final rule that modifies the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) regarding protected health information (“PHI”) concerning reproductive health. We previously covered the proposed rule (hereinafter, “the NPRM”), which was published on April 17, 2023. The final rule aligns closely with the NPRM.

OCR noted that the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization (holding that there is no constitutional right to abortion) created a legal landscape that “increase[s] the potential that use and disclosure of PHI about an individual’s reproductive health will undermine access to and the quality of health care generally.” According to OCR, the final rule aims to “continue to protect privacy in a manner that promotes trust between individuals and health care providers and advances access to, and improves the quality of, health care” by “limit[ing] the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual’s PHI about reproductive health care for certain non-health care purposes.”

The final rule prohibits a regulated entity from using or disclosing an individual’s PHI:

  • to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided; and
  • to identify an individual, health care provider, or other person to initiate an investigation or proceeding against that person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.

“Lawful under the circumstances in which it is provided” means that the reproductive health care is either:

  • lawful under the circumstances in which the health care is provided and in the state in which it is provided; or
  • protected, required, or authorized by Federal law, including the United States Constitution, regardless of the state in which such health care is provided.

Continue Reading HHS Modifies Privacy Rule to Support Reproductive Health Care Privacy

On December 20, 2022, the Federal Trade Commission (“FTC”) announced its issuance of Health Products Compliance Guidance, which updates and replaces its previous 1998 guidance, Dietary Supplements: An Advertising Guide for Industry.  While the FTC notes that the basic content of the guide is largely left unchanged, this guidance expands the scope of the previous guidance beyond dietary supplements to broadly include claims made about all health-related products, such as foods, over-the-counter drugs, devices, health apps, and diagnostic tests.  This updated guidance emphasizes “key compliance points” drawn from the numerous enforcement actions brought by the FTC since 1998, and discusses associated examples related to topics such as claim interpretation, substantiation, and other advertising issues.

Identifying Claims and Interpreting Advertisement Meaning

The updated guidance first discusses how claims are identified and interpreted, including the difference between express and implied claims.  The updated guidance emphasizes that the phrasing and context of an advertisement may imply that the product is beneficial to the treatment of a disease, which in turn would require that the advertiser be able to substantiate the implied claim with competent and reliable scientific evidence, even if the advertisement contains no express reference to the disease.

In addition, the updated guidance provides examples of when advertisers are expected to disclose qualifying information, such as when a product is targeted to a small percentage of the population or contains potentially serious risks.  When the qualifying information is necessary to avoid deception, the updated guidance contains a discussion of what constitutes a clear and conspicuous disclosure of that qualifying information.  Specifically, the guidance states that a disclosure is required to be provided in the same manner as the claim (i.e., if the claim is made visually, the disclosure is required to be made visually).  A visual claim should stand out, and based on its size, contract, location, and length of time is appears, must be easily noticed, read, and understood.  An audible disclosure should be at a volume, speed, and cadence so as to be easily heard and understood.  On social media, the guidance states a disclosure should be “unavoidable,” which the FTC clarifies does not include hyperlinks.  The qualifying information should not include vague qualifying terms, such as that a product “may” have benefits or “helps” achieve a benefit.Continue Reading FTC Issues New Guidance Regarding Health Products

In a new post on the Covington Digital Health blog, our colleagues discuss the Office for Civil Rights’ (“OCR”) recently published request for information (“RFI”) seeking comment on implementing certain provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  The RFI seeks input as to
Continue Reading OCR Seeks Comments Related to Recognized Security Practices and Distribution of Civil Monetary Penalties under the HITECH Act