Changes to the Health Breach Notification Rule Include Regulations for Health Apps

June 11, 2024July 2, 2024 Wyatt Data Breach & Notification, Data Privacy & Security, Electronic Health Records, FTC Enforcement, Health Information Technology, HIPAA Breach Notification, cybersecurity, Electronic Health Records, FTC Final Rule, HBNR, healthcare, personal health record, PHR, PHR identifiable health information, privacy, security, technology

Written by: Margaret Young Levi and Casey Parker-Bell (Wyatt Summer Associate)

Vendors who maintain personal health records will soon be subject to amended rules for notifying customers of data breaches. The Federal Trade Commission (“FTC”) has issued a Final Rule, finalizing changes to the Health Breach Notification Rule (“HBNR“) first issued in 2009 (the “2009 Rule”). The Final Rule clarifies the HBNR’s application to apps and other new technologies in the healthcare industry.

New technology, like fitness trackers and other direct-to-consumer health tech and wearable apps, have increased the amount of health data collected from consumers. There is a growing concern that some companies are disclosing or selling individuals’ personal health data for marketing and other purposes, while not subject to protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information.” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the new rule will allow it to keep up with marketplace trends, and respond to development and changes in technology.” The FTC has announced this Final Rule to address these new technologies.

The Final Rule’s Changes to the HBNR

The HBNR requires vendors of personal health records (“PHRs”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured PHR identifiable health information. The HBNR also requires third-party service providers of personal health records to provide notifications. After seeking comments on proposed changes to better protect consumer who use PHRs, the FTC finalized the following changes to the HBNR:

Continue reading →

Kentucky Enacts New Consumer Data Privacy Act

June 5, 2024June 13, 2024 Wyatt Data Privacy & Security, FTC Enforcement, Privacy & Security, State Consumer Privacy Protection Laws ad trackers, consumer online privacy, cybersecurity, data privacy, geolocation data, KCDPA, privacy, security, technology

Written by: Margaret Young Levi, Kathie McDonald-McClure and Drayden Burton (Wyatt Summer Associate)

On April 4, 2024, Governor Andy Beshear added Kentucky to the growing list of states with comprehensive data privacy legislation by signing House Bill 15 into law. The Kentucky Consumer Data Protection Act (“KCDPA”) will become effective on January 1, 2026. The KCDPA creates rights for Kentucky consumers as well as imposes requirements on certain businesses that handle consumer data.

What rights does the KCDPA create for consumers?

The KCDPA provides “consumers,” which it defines as natural persons residing in Kentucky who are acting solely in an individual context, with a swathe of rights concerning their personal data. These rights mirror the laws of other states that have passed similar legislation. These rights include:

New HIPAA Final Rule Supporting Reproductive Health Care Privacy Also Requires Amending Notices of Privacy Practices

April 25, 2024June 11, 2024 Wyatt Data Privacy & Security, HIPAA, Privacy & Security abortion, confidentiality of sud records, HIPAA, notice of privacy practices, NPP, OCR, Part 2, reproductive health, substance use disorder (SUD)

By: Margaret Young Levi

On April 22, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a Final Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This Final Rule not only bolsters the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA) by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances, but also requires HIPAA covered entities (health care providers, health plans, and health care clearinghouses) to amend their Notices of Privacy Practices (NPPs).

HIPAA and Reproductive Health Care Privacy

HHS is issuing this Final Rule because of concerns that officials in states with more extreme abortion bans, like Kentucky, will seek medical records from states where abortion is legal (or even from their own states) in order to prosecute individuals who cross state lines to seek an abortion. To prevent those medical records from being used against people for providing or obtaining lawful reproductive health care, the Final Rule prohibits the use or disclosure of PHI by a covered entity—or their business associate—for the following activities:

CMS Issues Updated Guidance on Texting Patient Orders

February 22, 2024June 11, 2024 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Electronic Health Records, Health Information Technology, HIPAA, Privacy & Security computerized provider order entry, Cyber Security, data security, EHR, Health IT, healthcare, HHS CMS, HIPAA, Joint Commission, Medicare CoPs, technology

By: Margaret Young Levi

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors. This 2024 Memo now permits the texting of patient orders among members of the hospital care team—if the texting is accomplished on a secure platform that protects the privacy and integrity of the patient information.

This new guidance updates CMS’ previous memorandum entitled Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) (the 2017 Memo), which permitted texting patient information if done through a secure platform, but prohibited texting of patient orders regardless of the platform utilized.

Even though texting of patient orders through a secure platform is now permitted by CMS, that does not mean it is recommended. CMS still prefers that providers enter their orders into the medical record via computerized provider order entry (CPOE) or even a handwritten order because of concerns about medical record retention, accuracy, privacy and security, etc. as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation (CoPs), and, if applicable, The Joint Commission (TJC) standards discussed below.

FTC Enforcement Action Against Company and CEO Provides Roadmap for Reasonable Data Security Measures

November 8, 2022November 9, 2022 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement account credentials, consumer privacy and security, FTC Act Section 5, FTC enforcement action, multi-factor authentication, passwords

Company’s Security Failures Exposed Data of 2.5 Million Consumers

By Kathie McDonald-McClure

On October 24, 2022, the Federal Trade Commission (FTC) announced enforcement action against Drizly, an online alcohol marketplace and subsidiary of Uber, and the Drizly CEO, over allegations that Drizly and the CEO failed to implement safeguards to prevent unauthorized access to consumer data stored on the Amazon Relational Database Service (Amazon RDS) that Drizly used to host its online marketplace platform. The FTC said that Drizly and its CEO were alerted to a security issue two years before the breach yet failed to take appropriate responsive action to secure personal information of consumers stored on Drizly’s Amazon RDS.

Employee posted company account login information on GitHub contributing to 2018 and 2020 security breaches. In 2018, a Drizly employee posted company cloud computing account login information on GitHub. GitHub is a free, online software development and hosting platform used for storing, tracking and collaborating on software projects. Drizly uses GitHub not only to manage and support its e-commerce website, but also to store spreadsheets, data sets, and repositories of past company data and projects.

The GitHub repositories included the AWS credentials used to access Drizly’s production environment. This security lapse allowed hackers to use Drizly’s servers to mine cryptocurrency in 2018. Upon discovering this, Drizly changed the login information for its cloud computing account and publicly claimed that it used adequate data security protections. Its website privacy policy stated: “We use standard security practices such as encryption and firewalls to protect the information we collect from you.”

Company employee is allowed access to GitHub repositories for a hackathon, using compromised credentials. According to the FTC complaint, in 2020 the company granted a company executive access to the GitHub repositories in order to participate in a one-day hackathon. The company failed to terminate the executive’s access after the event was over. At the time of granting such access, Drizly had not required unique and complex passwords nor multifactor authentication for access to the GitHub repositories. As a result, the executive had used a seven-character, alphanumeric password that he had used for other personal accounts and that was the subject of an unrelated data breach. The hacker used the executive’s compromised password to gain access to his GitHub account and to then access the company’s AWS and database credentials stored in the repositories. Ultimately, the hacker located the customer information stored on the company databases and put the information up for sale on two publicly available websites on the dark web.

Large volume of nonpublic, personal information was accessed by hacker. The FTC said Drizly’s security failures led to a breach of the personal information of about 2.5 million consumers. The personal information includes data collected from consumers who visited or placed e-commerce orders on the platform, such as name, age, email address, postal address, phone numbers, unique device identifiers, order histories, partial payment information, geolocation information, as well as personal information automatically collected from consumer computers and mobile devices by the website’s data collection tools.

In addition, the personal information included consumer data that Drizly purchased from third parties such as income level, marital status, gender, ethnicity, existence of children, and home value. The Drizly databases also contained consumer account passwords that were hashed using MD5 which the FTC said is “cryptographically broken and widely considered insecure.”

The FTC complaint provides a roadmap for minimum reasonable data security measures. The FTC complaint alleges that Drizly failed to implement “reasonable information security practices” to protect consumers’ personal information. These reasonable security practices include:

Continue reading →