Health Information Privacy Enforcement Suddenly Got Serious in 2023

Privacy professionals will remember 2023 as the year enforcement of health information privacy protections expanded rapidly. Enforcement was no longer confined to HIPAA and OCR investigations. Suddenly new actors and new strategies emerged to champion the privacy of individual health information.

In 2022 cyber security in general was a significant concern, and the number of patients affected by breaches of their health information continued to rise. On June 16 of that year The Markup published “Facebook Is Receiving Sensitive Medical Information from Hospital Websites,” jolting the health care industry, government regulators and privacy lawyers alike. It spun up public and private privacy protection efforts to an urgent level. Later that year millions of patients received notifications that their protected health information had been compromised by tracking technologies on their provider’s website. Some filed class action lawsuits. OCR published a bulletin on December 1, 2022 explaining that widely used online tracking technologies like Meta Pixel and Google Analytics could violate HIPAA.

2023 – New Enforcers

The Federal Trade Commission (FTC)

The Federal Trade Commission (FTC) took the stage as a leading privacy protection player. It settled highly publicized enforcement actions against BetterHelp, GoodRx, Premom and Vitagene, published sternly worded health information privacy guidance, and proposed modifications to strengthen and clarify its Health Breach Notification Rule. The FTC also joined OCR in public letters to major health care providers warning of serious privacy and security risks related to their use of online tracking technologies. On September 15, 2023 the FTC underscored its enforcement mission, warning: “The FTC Act’s obligations apply to HIPAA-covered entities and business associates, as well as to companies that collect, use, or share health information that aren’t required to comply with HIPAA.”

Private Class Action Lawsuits

Data breach class action lawsuits focused on tracking technologies. Many of the new lawsuits reflect lessons learned from prior litigation that often was less than successful. For example, multiple class actions targeted Advocate Aurora Health Inc., the first filed slightly more than a week after Advocate Aurora notified patients of a tracking technology breach. Within ten months Advocate Aurora chose to cut its losses by agreeing to a court order settling the consolidated class actions.

Private class action data breach lawsuits may well be the fastest growing, most aggressive and feared vehicles for protecting health information privacy.

State Laws and Enforcement

A 2023 Washington state law regulates collection, use, and disclosure of “consumer health data” to provide stronger privacy and security protection for health-related information not protected by HIPAA.

Also in 2023, eight states passed strong, comprehensive consumer data privacy laws. Now 13 states have these new, strong consumer protection laws in place, although generally they do not apply to HIPAA-protected health information. But the new laws underscore state legislative concerns about protecting individual privacy, and they may apply to consumer personal information held by HIPAA-regulated entities that is not PHI.

State Attorneys General are joining together to investigate health data breaches. On October 5, 2023, 49 states and the District of Columbia settled a joint investigation of Blackbaud, a software provider for health care and other types of organizations. On March 29, 2023 the Attorneys General of Oregon, Connecticut and the District of Columbia settled a joint investigation of Easy Healthcare (Premom).

2024 – What’s Ahead

OCR and HIPAA Enforcement

OCR seems to be taking action to increase HIPAA enforcement. Most significantly, joining with the FTC, it rebuffed the American Hospital Association’s objection to its tracking technology bulletin. OCR also created a new Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to improve enforcement of the HIPAA Rules.

The New Enforcers

Expect the FTC, private litigants and state enforcers to continue on course, increase their activities and find even more innovative ways to protect individual health information privacy.