Following the Supreme Court decision to overturning Roe v. Wade on June 24, 2022, the Dobbs v. Jackson Women’s Health Organization ruling that gutted the long-established right to an abortion has been a constant focus, both inside and outside of the legal and healthcare communities. Notably, the ruling has remained a central focus within both the government, federal and state, and surrounding the tech sector. And these Dobbs-related conversations have a theme – the topic of health data privacy. But more specifically, discussions about data privacy surrounding reproductive healthcare.
In June 2022, a nonprofit news site called The Markup released a report stating that hospitals using Meta Pixel may be releasing patient data to Meta Platforms, Inc. (previously Facebook, Inc.). Since this report was released, many of the hospitals identified in the report removed pixel technology from their websites. In addition, some hospitals have released public breach notices and reported potential data privacy breaches to the US Department of Health and Human Services (HHS) Office of Civil Rights (OCR). Most recently, on October 20, 2022, Advocate Aurora Health, a large health system located in the Midwest, released a notice publicly announcing its potential pixel breach, which may affect as many as three million patients.
In an effort to improve cybersecurity in the healthcare sector, a bipartisan bill was introduced in Congress on September 13, 2022, by Republican Brian Fitzpatrick of Pennsylvania and Democrat Jason Crow of Colorado. The Healthcare Cybersecurity Act relies on a partnership between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to work together in improving cybersecurity in the healthcare sector. The Act has been introduced as a result of record high increases in health data breaches across the country over the last several years. The goal is to provide resources for training and heighten efforts taken across the nation to mitigate cybersecurity risk. The Act would not only improve patient care but save healthcare cost by taking a proactive approach.
A privacy class action that first exploded in September of this year highlights consumers suing a handful of companies for violating the federal Video Privacy Protection Act. The multitude of class actions hold the Meta Platforms Inc’s Pixel tracking tool accountable for the tracking of consumer data from online platforms. News outlets, sports organizations, and streaming services are all facing lawsuits related the alleged complaints.
A recent class action lawsuit alleges Meta (the parent company of Facebook) used an illegal tracking tool to retrieve patient information from over 664 hospitals for marketing purposes. Meta and a handful of US-based hospitals have violated privacy laws such as HIPAA that control the means and methods for lawfully handling covered medical information. John Doe filed the case on June 17, 2022, in the U.S. District Court for the Northern District of California, seeking class action certification for a jury trial to recover compensatory damages and attorney’s fees.
On February 9, a group of senators led by Tammy Baldwin of Wisconsin and Bill Cassidy of Louisiana introduced a new bill, the Health Data Use and Privacy Commission Act (the “Act”), in attempt to revitalize current legislation regarding the protection and use of health data. The bill also has the support of a number of representatives from within the healthcare industry, including Epic, IBM, and Teladoc Health, as well as a number of professional associations like the American College of Cardiology, the Association for Behavioral Health and Wellness, and the Association of Clinical Research Organizations.
As businesses begin to reopen and resume operations after the pandemic, there are discussions surrounding possible vaccine passports and the concerns protecting individuals’ personal health information. COVID-19 vaccines are becoming more available within the country and more Americans feel safe to resume their normal lives. Many states and businesses are contemplating the idea of making vaccine passports a requirement for travel and large events. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) was created to protect personal health information. As other countries are beginning to require proof of vaccination, many are contemplating whether vaccine passports are permitted by HIPAA or if the requirement will actually violate the federal health privacy law.
This spring I had the pleasure of attending a conference entitled Digital Platforms: Innovation, Antitrust, Privacy & the Internet of Things hosted by the UIC John Marshall Law School Center for IP, Information & Privacy Law. Throughout the day, panelists spoke about various topics of intellectual property, including artificial intelligence antitrust issues, and more. But for me, the highlight of the afternoon was the session on privacy issues. Here is a bit of what I learned…
The Health Insurance Portability and Accountability Act – enacted in 1996 by the U.S. Congress and signed by then-President Bill Clinton – has long served to maintain the standards of electronic health records and patient privacy, among many other provisions. Violating HIPAA can result in both criminal prosecution as well as steep civil penalties. As the healthcare industry transitioned from the use of paper records to storing patient data on electronic health records over the last two decades, health organizations have learned to adapt to HIPAA compliance, with many increasing their compliance programs by hiring full-time compliance officers, designating an individual as the compliance manager, and/or appointing a compliance committee within the organization.
On January 31, 2020, the Secretary of Health and Human Services (“HHS”) Alex Azar declared a public health emergency (“PHE”) over the outbreak of the new coronavirus. The PHE response requires coordination with a complex set of federal, state, tribal and local laws and effective compliance calls for a comprehensive understanding of the legal implications and ramifications—which impose challenges from adherence to certain federal laws.