On June 1, The California Attorney General submitted the final text of the CCPA regulations to the California Office of Administrative Law for approval. Though regulations submitted to the OAL in June ordinarily would not become effective—if approved—until October 1, the CA AG has requested an expedited review. According to the CA AG, the expedited review would allow the regulations to become effective by July 1, which still is the date his office plans to begin enforcing the CCPA according to a public statement.
On March 11, The California Attorney General released a second set of modifications to the proposed regulations implementing the California Consumer Privacy Act. These modifications update the initial draft regulations published on October 11, 2019 as well as the first set of modified draft regulations published on February 10, 2020. The second set of modifications contain a small number of impactful changes, which we summarize in this post.
Washington State is already shaping up as a center of state privacy legislation for 2020. Last year, SB 5376 gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle, chair of the state’s Senate Energy, Climate & Technology Committee, has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on July 31, 2021.
On October 10, California Attorney General Xavier Becerra released proposed regulations to implement certain provisions of the California Consumer Privacy Act. The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized within this post.
The California Consumer Privacy Act of 2018 (CCPA) adds another set of privacy requirements for health and life sciences companies. Managing the interaction of these new requirements with existing obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other health privacy laws will continue to be an area of focus in the health privacy community for years to come. In the latest installment of the CCPA blog series, we describe these issues and outline four important steps health and life sciences companies may consider to assess the CCPA’s operational impact.
On September 19, the Department of Health and Human Services issued new guidance on the “refill reminder” requirements under HIPAA. The new final HIPAA regulations, most of which go into effect on September 23, 2013, limit the remuneration that a covered entity may receive in exchange for making communications to patients about a drug or biologic currently prescribed to that patient.
Today the U.S. Department of Health and Human Services (HHS) issued a voluntary privacy notice for Personal Health Records (PHRs) as well as new proposed rules that would expand the rights of patients to access test result reports directly from clinical laboratories covered by HIPAA. Both announcements were part of a HHS Consumer Health IT […]
The Office of the National Coordinator for Health IT (ONC) has organized a workgroup under the auspices of the HIT Policy Committee to move forward on and maintain consistency with respect to a range of privacy and security issues. This new “Privacy & Security Tiger Team” will be co-chaired by Deven McGraw, Center for Democracy […]
The Health IT Policy Committee’s Privacy and Security workgroup has recommended that patient data exchanged between providers for treatment purposes be governed by policies that “at least” include encryption. The HIT Policy Committee is a federal advisory committee established to provide guidance to the Office of the National Coordinator for Health IT (ONC) on health […]
Enforcement of the Department of Health and Human Services’ (“HHS’”) and the Federal Trade Commission’s (“FTC’s”) Breach Notification rules begin today. Both agencies initially exercised their enforcement discretion and delayed enforcement until February 22, 2010, to provide entities subject to the rules with time to implement compliance processes and procedures. HHS’ interim final rule on breach […]
Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) released two regulations relating to the Medicare and Medicaid incentives authorized by the American Recovery and Reinvestment Act of 2009 (ARRA). Both rules have public comment periods of 60 days and are scheduled to be […]
Several federal agencies released new rules yesterday implementing the Genetic Information Nondiscrimination Act of 2008 (GINA). GINA prohibits discrimination based on genetic information in health coverage and employment. The Departments of Labor, Treasury, and Health and Human Services (HHS) issued Interim Final Rules, and HHS separately, through the Office of Civil Rights (OCR), issued a Proposed […]
The Department of Health & Human Services (“HHS”) published an electronic notification form for covered entities to submit notice of a breach of security to the Secretary. The electronic form, available on HHS’ website, is for notification of breaches affecting 500 or more individuals and for breaches affecting fewer than 500 individuals. The on-line form includes […]
The health breach notification rule issued by the Federal Trade Commission (“FTC”) went into effect on Thursday, September 24, 2009. The FTC final rule, issued on August 17, 2009, applies to vendors of personal health records (“PHR vendors”), PHR-related entities and third-party service providers. HIPAA covered entities and business associates (when engaging in business associate activities) […]
The breach notification rule issued by the Department of Health and Human Services (“HHS”) goes into effect on Wednesday, September 23, 2009. HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA to notify individuals, the HHS Secretary, and, in limited circumstances, the media following discovery of a […]