Photo of Michael Sutton

Michael Sutton

Subscribe to Michael Sutton's Posts

Michael Sutton is an associate in the Corporate Practice Group in the firm's Dallas office.

Contact:Read more about Michael Sutton

On October 8, 2025, Governor Newsom signed the California Opt Me Out Act (the “Act”) into law, which expands on the California Consumer Privacy Act (“CCPA”). Most notably, the Act mandates that businesses developing or maintaining internet browsers must include functionalities enabling consumers to automatically communicate their preference to opt out of the sharing or selling of personal information. The functionalities must be readily accessible to consumers and must be “easy for a reasonable person to locate and configure,” which will spare consumers from the hardships of navigating oftentimes confusing mechanics to identify and enable opt outs.Continue Reading Opting Out of Web Tracking Has Never Been Easier in California

Regulators and courts are expanding enforcement against digital health apps and online platforms that share sensitive health data without true consent, though these companies fall outside the scope of the Health Insurance Portability and Accountability Act (“HIPAA”). In order to reach non-covered entities, agencies and private claimants are now drawing on a patchwork of authorities to rein in misleading or undisclosed data practices:Continue Reading A New Era of Privacy Enforcement: Lessons for Digital Health Players

The White House announced it is launching a health data tracking system early next year that involves an unprecedented partnership between the federal government, providers, payors, and private sector technology companies. The stated objective is to enable patients to more easily access and share their personal health data and medical records across different platforms, including through apps operated by private technology companies (the “Tracking System”). While the initiative may ultimately aspire to improve patient care through expanded data sharing, it raises notable legal and privacy concerns.Continue Reading White House Announces National Health Data Tracking System of Personal Health Data

At the end of June, Texas enacted the “Texas Responsible Artificial Intelligence Governance Act” (the “Act”), adding to the patchwork of growing AI laws. This summary addresses the Act’s most significant provisions.Continue Reading Texas Enacts Responsible AI Governance Act Adding to Patchwork of AI Laws

Since the Dobbs v. Jackson Women’s Health Organization decision (which overturned the landmark Roe v. Wade decision), the healthcare industry has continued to grapple with renewed concerns over patient privacy and reproductive healthcare. Legislators and regulators have not been idle, establishing a patchwork of authorities which require careful navigation and consideration. It is worth noting that reproductive healthcare privacy is not a concern exclusive to women. Rather, such privacy concerns also apply to services traditionally received by men, such as testosterone replacement and male fertility treatments.Continue Reading The State of Reproductive Healthcare Privacy

“Kicking Off Accountable Care” served as the theme for this year’s America’s Physician Groups’ (“APG”) Spring Conference, a three-day event packed with compelling speakers and breakout sessions focused on the state of accountable or value-based care. While the overall tone of the conference was optimistic, primarily being focused on the promises and expansion of value-based care models, there was also another theme which colored many of the presentations and breakout sessions: expect turbulent times.Continue Reading Takeaways from the America’s Physician Groups’ Spring Conference: Turbulent Times Call for Change and Innovation

In an era where cyber threats are escalating, healthcare has emerged as a critical battleground for security. Its significance has become increasingly crucial as the intersection of healthcare, cybersecurity, and technology permeates every aspect of our lives. In the fifteenth episode of Sheppard Mullin’s Health-e Law Podcast, Jonathan Meyer, former General Counsel of the Department of Homeland Security and current partner at Sheppard Mullin, offers a deep dive into the implications of cybersecurity threats on the healthcare industry as well as national security.Continue Reading Healthcare Security is Homeland Security: A Discussion with Jonathan Meyer

2024 marked a notable year in AI and healthcare, with AI being top of mind for all healthcare players, including providers, technology companies, developers and regulators. The adoption of AI into clinical settings became more common, as scribe and clinical-decision support products gained popularity and EMR vendors incorporated AI tools into their products. The federal government released guidance, established task forces and implemented the directives of the 2023 Executive Order on AI. Similarly, state regulation began to unfold with some states passing legislation around AI’s use in healthcare.Continue Reading Healthy AI: 2024 Year in Review

Cyberattacks on healthcare organizations are on the rise, with the number of affected individuals nearly tripling between 2022 and 2024, according to data compiled by the Department of Health and Human Services Office for Civil Rights (“OCR”).[1] OCR data also reveals a 239% and 278% increase in hacking incidents and ransomware attacks, respectively, between January 2018 and September 2023.Continue Reading New York Adopts Comprehensive Hospital Cybersecurity Requirements

The U.S. Department of Health and Human Services (“HHS”) issued a Notice of Proposed Rulemaking (the “Proposed Rule”) on December 27, 2024, to significantly amend HIPAA’s Security Rule, which sets forth the security standards for the protection of protected health information by covered entities and their business associates. The Proposed Rule’s issuance was expected, especially in light of the growing number of health data breaches and disclosures of large scale foreign cyberattacks.Continue Reading HHS’ Last-Minute Holiday Gift: Proposed Changes to the HIPAA Security Rule

Texas is joining a growing number of states in considering comprehensive laws regulating use of AI. In particular, the Texas Legislature is scheduled to consider the draft “Texas Responsible AI Governance Act” (the “Act”), which seeks to regulate development and deployment of artificial intelligence systems in Texas. Critically, as most states continue to grapple with the emergence of AI, the Act could serve as a model for other states and could prove tremendously impactful.Continue Reading Texas Considers Comprehensive AI Bill