Photo of Carolyn Metnick

Carolyn Metnick is a partner in the Corporate Practice Group in the firm's Chicago office and a member of the Healthcare and Privacy & Cybersecurity Teams.

Last month, the Federal Trade Commission (“FTC”) hosted its annual PrivacyCon event, featuring an array of experts discussing the latest in privacy and data security research. This post, covering healthcare privacy issues, is the first in a two-part series on PrivacyCon’s key takeaways for healthcare organizations. The second post will cover topics on artificial intelligence in healthcare.Continue Reading Healthcare Highlights from FTC’s 2024 PrivacyCon

On November 2, 2023, the American Hospital Association and Texas Hospital Association, in conjunction with the Texas Health Resources and United Regional Health Care System, filed suit against the Secretary of the Department of Health and Human Services (“HHS”) and the Director of the HHS Office for Civil Rights (“OCR”) regarding OCR’s guidance on the use of online tracking technologies by HIPAA entities.[i] This action and its results will impact how healthcare entities must protect and may use certain information collected on their digital sites.Continue Reading Caught in the Web: Hospital Associations Sue OCR on Third-Party Web Tracking Guidance

California is taking steps through Assembly Bill 254 (the “Bill”), approved by the State’s Governor on September 27, 2023, to ensure that patient information collected through reproductive or sexual health applications enjoys protections under the Confidentiality of Medical Information Act (the “CMIA”).[1] In addition to applying to providers and plans, the CMIA applies to businesses that offer software or hardware to consumers, such as mobile applications, which maintain medical information for the purpose of enabling management of such medical information or to otherwise support diagnosis, treatment, or management of a medical condition.[2] As a result, software and application developers may need to consider the CMIA with respect to their obligations relating to this particular data. In addition to certain confidentiality requirements, the CMIA also prohibits certain marketing uses and disclosures and requires breach notification in certain qualifying instances.Continue Reading California Moves to Protect Medical Information Collected Through Reproductive and Sexual Health Applications

On June 16, 2023, nearly half of the State Attorneys General[1] penned a letter (the “Letter”) to the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) advocating for broader privacy protections surrounding reproductive health care information. Specifically, the Letter targeted the Notice of Proposed Rulemaking (the “Proposed Rule”) published by OCR in April of 2023, which proposed a number of revisions to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).[2]Continue Reading State Attorneys General Pen Letter to OCR Advocating for Greater Privacy Protection of Reproductive Health Care Information