This week, in a significant win for the American Hospital Association plaintiff, the U.S. District Court for the Northern District of Texas issued an opinion vacating the Department of Health and Human Services’ (“HHS”) guidance on the use of online tracking technologies under HIPAA. At the heart of the dispute was the guidance released by HHS in December of 2022 and then updated again in March of 2024 (collectively, the “Guidance”), which suggested that information collected from unauthenticated website visitors could be considered protected health information (“PHI”) under HIPAA. The Guidance was challenged by hospitals and healthcare providers who argued it exceeded HHS’ statutory authority under HIPAA and imposed unreasonable compliance burdens.Continue Reading HIPAA Web Tracking Guidance Vacated

This is the second post in a two-part series on PrivacyCon’s key-takeaways for healthcare organizations. The first post focused on healthcare privacy issues.[1] This post focuses on insights and considerations relating to the use of Artificial Intelligence (“AI”) in healthcare. In the AI segment of the event, the Federal Trade Commission (“FTC”) covered: (1) privacy themes; (2) considerations for Large Language Models (“LLMs”); and (3) AI functionality.Continue Reading Artificial Intelligence Highlights from FTC’s 2024 PrivacyCon

Last month, the Federal Trade Commission (“FTC”) hosted its annual PrivacyCon event, featuring an array of experts discussing the latest in privacy and data security research. This post, covering healthcare privacy issues, is the first in a two-part series on PrivacyCon’s key takeaways for healthcare organizations. The second post will cover topics on artificial intelligence in healthcare.Continue Reading Healthcare Highlights from FTC’s 2024 PrivacyCon

Since its launch in November 2022, ChatGPT (“GPT” stands for Generative Pre-trained Transformer), a type of artificial intelligence model, has gained over a million users. ChatGPT is used by entities in a wide variety of industries. On March 1, 2023, OpenAI, the developer of ChatGPT, updated its data usage policies[1] noting that (i) OpenAI will not use data submitted by customers to train or improve its models unless customers expressly opt-in to share such data, and (ii) OpenAI also will enter into business associate agreements in support of applicable customers’ compliance with the Health Insurance Portability and Accountability Act (“HIPAA”).Continue Reading ChatGPT And Healthcare Privacy Risks

Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s Consumer Privacy Act (“CCPA”), i.e., the California Privacy Rights Act (“CPRA”)). While CDPA has fairly broad exemptions for entities regulated by other laws, such as HIPAA, there is also a new “opt-in” requirement for collecting “sensitive data.”
Continue Reading What Virginia’s New Privacy Law Means for Organizations in the Healthcare Industry