Health Law Scan

Legal Insights and Perspectives for the Healthcare Industry
Washington’s My Health My Data Act (MHMDA), signed into law last year, is here and goes into effect on March 31, 2024, with small businesses having until June 30, 2024 to comply. As previously reported, the new data privacy law is broad and will have significant impact for both Washington residents and persons whose business or data flows through the state. In brief, the legislation is intended to protect consumer health data not otherwise protected by state and federal healthcare privacy regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued long-awaited updates to the regulations at 42 CFR Part 2 (Part 2) on February 16, 2024. Part 2 is a critical set of rules protecting the privacy of patients receiving substance use disorder (SUD) treatment services and their associated clinical records.
In the first win for defendants facing Illinois Biometric Information Privacy Act (BIPA) litigation before the Illinois Supreme Court, the Court in Mosby v. Ingalls Memorial Hospital held that BIPA excludes from its protections the biometric information of healthcare workers where that information is collected, used, or stored for healthcare treatment, payment, or operations.
The US Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement agreement on June 15, 2023 with not-for-profit community hospital Yakima Valley Memorial Hospital (Yakima) related to Yakima employees’ snooping in medical records that resulted in the breach of protected health information (PHI).
Throughout the COVID-19 pandemic and related public health emergency (PHE), the US Department of Health and Human Services, Office for Civil Rights (OCR) issued four Notifications of Enforcement Discretion (referred to as “waivers”) designed to offer flexibility to healthcare providers battling the virus. On April 11, the OCR announced that these waivers will officially expire on May 11, 2023, in conjunction with the end of the PHE. While it is not unexpected that the OCR is pulling back these waivers, healthcare providers must ensure that their ongoing operations are fully compliant with the OCR’s HIPAA-related requirements. This blog post details the list of waivers issued by the OCR that will expire on May 11.
On February 9, 2022, US Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced bipartisan legislation designed to modernize health privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and account for emerging healthcare technologies not addressed by existing law.
The US Department of Justice’s new Civil Cyber-Fraud Initiative, which uses the punitive False Claims Act (FCA) and its whistleblower provisions, raises some important legal and risk management considerations for the health industry. Because enforcement will initially occur largely through civil investigations applying the FCA in the broadest possible way, healthcare organizations should undertake a priority assessment of their cybersecurity status to ensure that their practices can withstand hacks, whistleblowers, and government scrutiny.
Members of our emerging business and technology team recently hosted a webinar on seed financing structures for digital health companies. The program, led by partner Benjamin David Novak and associate Jessica Lee, discussed the market trends in digital health company financings as well as the various deal structures frequently used in seed financings.
We invite Health Law Scan readers to join members of our digital health team for a webinar set to discuss the various deal structures frequently used in digital health company seed financings, as well as the range of market terms for each.
Members of our labor and employment team recently published a LawFlash discussing the US Department of Labor’s (DOL’s) April 14 issuance of three pieces of subregulatory guidance addressing the cybersecurity practices of retirement plan sponsors, vendors, and plan participants respectively. This resource, which includes our team’s analysis and observations, may be of particular interest to employers in the healthcare sector, who are all too familiar with how important it is to keep data secure.