HHS Bulletin: Covered Entities’ Disclosure of PHI Collected via Online Tracking Technologies Falls under HIPAA

December 14, 2022, Volume XII, Number 348

by: Ryan P. Blaney and Danielle L. Brooks


On December 1, 2022, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a Bulletin to highlight the obligations of HIPAA-covered entities and business associates when using “online tracking technologies,” which OCR describes as “script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” That information is then analyzed by website owners, app operators or third parties to build user profiles or draw insights into users’ online activities.

Such technologies include cookies, web beacons, pixels, session replay software and fingerprinting scripts that track and profile users’ web activity, whether on web portals behind an authentication wall or on unauthenticated webpages or mobile apps, and that in some cases disclose the collected user data to technology vendors for marketing purposes without a HIPAA-compliant authorization. As the OCR stated: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of protected health information (PHI) to tracking technology vendors or any other violations of the HIPAA Rules.”

Beyond the health privacy issues for providers and vendors, this Bulletin brings to mind several topics we discussed in an October post on Amazon’s recent acquisitions (including the potential strategic value of One Medical, “a human-centered and technology-powered primary care organization”). Under 45 CFR 160.103, a “covered entity” is a health plan, a health care provider, or a health care clearinghouse. As a primary care organization, One Medical is therefore a HIPAA-covered entity and operates in exactly the data-rich environment that prompted the OCR to issue its Bulletin on PHI disclosed to tracking technology vendors.

Overview of the OCR Bulletin

PHI. The OCR reiterates throughout the Bulletin that HIPAA applies when covered entities collect user data that include PHI via tracking technologies, and likewise when such data are then shared with technology vendors.

But what exactly is PHI? As the Bulletin explains, PHI includes “individually identifiable health information” (IIHI), such as an individual’s medical record number, home or email address, or appointment dates, as well as an individual’s IP address or geolocation, medical device ID, or any unique online or mobile identifying code. The Bulletin stresses that “IIHI collected on a regulated entity’s website or mobile app generally is PHI,” even if the user has no existing relationship with the covered entity and even if the IIHI does not include specific treatment or billing information (e.g., appointment dates or the type of health care services).

User-Authenticated Webpages.

Patient portals and telehealth platforms generally collect and have access to PHI, including diagnosis and treatment information, billing information and other sensitive data. The Bulletin therefore states that a covered entity must configure any user-authenticated webpage that includes tracking technologies so that those technologies use, disclose and secure PHI only as HIPAA permits. The OCR also reminds covered entities that tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity “for a covered function (e.g., health care operations) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI.” This comes into play, for example, with authenticated portals where users log in to a medical provider’s website or app. The Bulletin states that if an individual makes a medical appointment through the website of a covered health clinic and that website uses third-party tracking technologies (which may automatically transfer PHI and other consumer data to an outside vendor), then the tracking technology vendor is a business associate and a business associate agreement (BAA) is required.

Unauthenticated Webpages.

The OCR takes a slightly different stance on the collection of consumer data on unauthenticated webpages, which are publicly available pages that anyone can access and that typically contain only basic information about a covered entity; according to the Bulletin, tracking on such webpages is generally not regulated under HIPAA. However, the OCR states that in some cases tracking technologies on unauthenticated webpages may have access to user PHI and may disclose that data to outside vendors, thereby triggering the HIPAA Rules. For example, the Bulletin notes that if the login page of a covered entity’s patient portal requires a user to enter registration information such as a name and/or email address, that page contains PHI and becomes subject to HIPAA. The OCR also points to webpages that allow users to search for doctors, view appointment availability or make appointments, or view information about specific symptoms or conditions (e.g., pregnancy) without first logging in, and warns that such webpages could collect an individual’s email address and/or IP address, thereby potentially disclosing PHI to the tracking technology vendor and triggering the HIPAA Rules.
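The practical check behind both the authenticated-portal and unauthenticated-page discussions above is the same: capture what the browser actually sends from a covered entity's pages and see which third-party tracker calls carry the identifiers the Bulletin treats as IIHI (the visitor's IP address paired with a sensitive page context, an email address typed into a form, a persistent client or advertising ID). The script below is an added example written for this page, not code from the OCR Bulletin or from the article's authors; the first-party domain `clinic.example`, the tracker hostnames, the URL path layout matched by `SENSITIVE_PATH_RE` and the captured requests are all constructed for illustration, the way a HAR export or proxy log from a real site review would look.

```javascript
// Added example, not from the OCR Bulletin or this article: audit a capture of
// outbound browser requests from a covered entity's web pages and report the
// third-party tracker calls that would disclose PHI-like data to the vendor.
// All hostnames, paths and requests below are constructed for illustration.

const FIRST_PARTY = 'clinic.example'; // assumed covered entity's own domain

// Constructed capture of the kind a HAR export or a proxy log would give you.
const capturedRequests = [
  { page: 'https://clinic.example/conditions/pregnancy',
    url: 'https://clinic.example/static/app.js', body: '' },
  { page: 'https://clinic.example/conditions/pregnancy',
    url: 'https://tracker.example/collect?dl=https%3A%2F%2Fclinic.example%2Fconditions%2Fpregnancy&cid=1234.5678', body: '' },
  { page: 'https://clinic.example/portal/appointments',
    url: 'https://pixel.example/tr?ev=Schedule&em=jane.doe%40example.com', body: '' },
  { page: 'https://clinic.example/portal/login',
    url: 'https://replay.example/record',
    body: JSON.stringify({ inputs: [{ name: 'email', value: 'jane.doe@example.com' }] }) },
  { page: 'https://clinic.example/about-us',
    url: 'https://tracker.example/collect?dl=https%3A%2F%2Fclinic.example%2Fabout-us&cid=1234.5678', body: '' },
];

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
// Page paths the Bulletin singles out: patient portal, appointment booking,
// provider search, symptom/condition pages (assumed URL layout for this site).
const SENSITIVE_PATH_RE = /\/(portal|appointments?|find-a-doctor|symptoms?|conditions?)(\/|$)/i;
const IDENTIFIER_FIELD_RE = /^(cid|client_id|user_id|uid|advertising_id|idfa|gaid)$/i;

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// A request is third-party unless it goes to the first-party host or a subdomain of it.
function isThirdParty(url, firstPartyHost) {
  const h = hostOf(url);
  return !(h === firstPartyHost || h.endsWith('.' + firstPartyHost));
}

// Depth-first walk of parsed JSON into [dottedPath, stringValue] pairs.
function flatten(value, prefix = '') {
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).flatMap(([k, v]) => flatten(v, prefix ? `${prefix}.${k}` : k));
  }
  return [[prefix, String(value)]];
}

// Name/value pairs the vendor receives: query string plus a JSON or form body.
function extractFields(req) {
  const fields = [...new URL(req.url).searchParams];
  if (req.body) {
    try {
      fields.push(...flatten(JSON.parse(req.body)));
    } catch {
      fields.push(...new URLSearchParams(req.body));
    }
  }
  return fields;
}

// True when a field value is a URL whose path is one of the sensitive pages.
function isSensitiveUrl(value) {
  try {
    return /^https?:\/\//i.test(value) && SENSITIVE_PATH_RE.test(new URL(value).pathname);
  } catch {
    return false;
  }
}

// Reasons a single request discloses PHI-like data to a third party (empty if none).
function findDisclosures(req, firstPartyHost) {
  const reasons = [];
  if (!isThirdParty(req.url, firstPartyHost)) return reasons;
  const fields = extractFields(req);
  // The vendor always learns the client IP. Paired with a sensitive page
  // context (implicit in the originating page, or echoed in a dl=/url= style
  // field) the Bulletin treats that as IIHI even for an unauthenticated visitor.
  const pagePath = new URL(req.page).pathname;
  const sensitiveContext = SENSITIVE_PATH_RE.test(pagePath) || fields.some(([, v]) => isSensitiveUrl(v));
  if (sensitiveContext) reasons.push(`IP address + sensitive page context (${pagePath})`);
  for (const [name, value] of fields) {
    if (EMAIL_RE.test(value)) reasons.push(`email address in field "${name}"`);
    // A persistent client/advertising ID lets the vendor tie the sensitive
    // visit to a profile; on a generic page by itself it is not reported.
    if (sensitiveContext && IDENTIFIER_FIELD_RE.test(name)) reasons.push(`persistent identifier in field "${name}"`);
  }
  return reasons;
}

// Audit a whole capture; returns only the requests with at least one reason.
function auditRequests(requests, firstPartyHost) {
  return requests
    .map((r) => ({ page: r.page, url: r.url, reasons: findDisclosures(r, firstPartyHost) }))
    .filter((f) => f.reasons.length > 0);
}

console.log(JSON.stringify(auditRequests(capturedRequests, FIRST_PARTY), null, 2));
```

Run against the constructed capture, the first-party script load and the tracker call from the generic about-us page produce no findings, while the tracker call from the pregnancy condition page, the pixel on the appointment page and the session-replay upload from the portal login are each reported with the specific identifier they carry. Every reported vendor is one that, on the Bulletin's reading, needs a BAA and a Privacy Rule permission before the request is allowed to fire.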

Mobile Tracking.

Mobile tracking often occurs when tracking technologies and mobile software development kits (SDKs) developed by an outside marketer are embedded in a mobile app. The Bulletin states that information typed in by a user, as well as device-level data (e.g., network location, geolocation, device ID, advertising ID, etc.), collected by a covered entity must be handled in compliance with HIPAA for any PHI the mobile app uses or discloses. In a nod to the Supreme Court’s Dobbs decision, the Bulletin states that HIPAA applies to “any PHI collected by a covered health clinic through the clinic’s mobile app used by patients to track health-related variables associated with pregnancy….” However, the Bulletin clarifies that the HIPAA Rules do not protect data that users voluntarily enter into “mobile apps that are not developed or offered by or on behalf of regulated entities, regardless of where the information came from.” [emphasis added] This would include health information entered into lifestyle- or fitness-related mobile apps operated by an entity not regulated by HIPAA. Such data collection would, however, still be subject to FTC enforcement and potentially to applicable state privacy laws, and perhaps to a comprehensive federal privacy law, should one ever pass Congress.

Compliance Obligations.

The Bulletin restates that regulated entities are required to comply with the HIPAA Rules when using tracking technologies and reminds covered entities to ensure that “all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.” It also states that a regulated entity “should evaluate its relationship with a tracking technology vendor to determine whether such vendor meets the definition of a business associate and ensure that the disclosures made to such vendor are permitted by the Privacy Rule.” The OCR closes the Bulletin with a few compliance reminders:

The HIPAA Privacy Rule does not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals of this possibility or occurrence in its privacy policy or privacy notice (“Regulated entities must ensure that all tracking technology vendors have signed a BAA and that there is an applicable permission prior to a disclosure of PHI”).

The use of cookie consent banners does not constitute a valid HIPAA authorization to a vendor when PHI is being collected, disclosed, used, or stored with the vendor.

It is insufficient for a technology vendor to agree to remove PHI from the information it receives or de-identify PHI before the vendor saves the information (“Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure”).

In addition to the Bulletin, technology and health care companies that collect health data should also ensure that they are complying with state privacy and consumer protection laws. HIPAA has often been described as the floor for health care privacy compliance, and states may choose to pass and enforce more onerous privacy and consumer protection laws.

Jonathan Mollod also contributed to this article.
