Since the privacy and security regulations were issued under the federal Health Insurance Portability and Accountability Act (HIPAA), critics pointed to the limitations on the reach of those rules. A critical limitation advanced by privacy advocates is that the popular health data privacy rule extends only to certain covered entities and their business associates, not to health data generally. On April 17, 2022, Washington’s legislature passed House Bill 1155, also known as the My Health, My Data Act. The bill aims to address health data collected by entities not covered by HIPAA, including certain apps and websites.

If signed by the governor, most sections of the law would take effect on March 31, 2024, though certain parts of the legislation may take effect sooner.

When would the law apply?

A “regulated entity” for purposes of the law is defined as any legal entity that:

  • Conducts business in the State of Washington, or produces or provides products or services that are targeted to consumers in Washington, and
  • Alone or jointly with others, determines the purposes and means of collecting, processing, sharing, or selling consumer health data.

The legislation creates a subgroup of regulated entities, known as “small businesses,” largely to provide a few more months to comply. Small businesses are regulated entities that satisfy one or both of the following thresholds:

  • Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or,
  • Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.

Who is protected by the law?

Under the legislation, a protected consumer is defined as a natural person who is a Washington resident or a natural person whose consumer health data is collected in Washington.

A consumer is only protected for actions taken as an individual or on behalf of a household and does not include actions taken by an individual acting in an employment context.

What data is protected by the law?

The law would protect “consumer health data,” defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. Health status includes but is not limited to the following:

  • Individual health conditions, treatment, diseases, or diagnosis
  • Social, psychological, behavioral, and medical interventions
  • Health-related surgeries or procedures
  • Use or purchase of prescribed medications
  • Bodily functions, vital signs, symptoms, or measurements of health-related functions
  • Diagnoses or diagnostic testing, treatment, or medication
  • Gender-affirming care information
  • Reproductive or sexual health information
  • Biometric data
  • Genetic data
  • Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services and supplies
  • Data that identifies a consumer seeking health care services.

What are the rights of consumers?

Under HIPAA, individuals have several rights with respect to their protected health information (PHI). These rights include the right to authorize disclosures in certain contexts (and revoke those authorizations), to request an amendment, to request an accounting of disclosures, to request a restriction on use and disclosure, and to be notified of a breach. The Washington legislation would provide consumers with the right to:

  • Confirm whether their consumer health data is being collected, shared, or sold, including a list of all third parties and their affiliates to whom the data has been shared and their contact information.
  • Consent to or deny collection or sharing of health data.
  • Withdraw consent from a regulated entity or small business to collect or share health data.
  • Delete health data collected by a regulated entity or small business, including on archived or backup systems.
  • Be provided clear and conspicuous disclosure of rights to consent or deny collection or sharing of health data.

The provisions concerning the administration of these rights look a lot like the provisions in the California Consumer Privacy Act (CCPA) and other recently enacted state comprehensive data privacy laws.

What obligations do businesses have?

The Washington law would add to the growing compliance burden on company websites, as it would require regulated entities and small businesses to maintain a consumer health data privacy policy prominently on their homepages. That policy must clearly and conspicuously disclose:

  • Categories of consumer health data collected and the purpose for which the data is collected.
  • Categories of sources from which the consumer health data is collected.
  • Categories of consumer health data that are shared.
  • A list of the categories of third parties and specific affiliates with whom consumer health data is shared.
  • How a consumer can exercise the rights provided under the law.

This too is very similar to obligations under the CCPA. Regulated entities and small businesses may not discriminate against a consumer for exercising any rights included under the law. They also must respond to requests from consumers to withdraw consent to collect or share health data. Moreover, they must respond to requests from consumers to delete their consumer health data. The law also would mandate contracts be in place with processors of consumer health data and codify specific data security obligations for regulated entities and small businesses, including specific access management requirements.

Additionally, the law would make it unlawful for “any person” (apparently not just regulated entities or small businesses) to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.

How is the law enforced?

Under the new legislation, violations of the requirements for health care data would be enforceable either through prosecution by the State Attorney General’s Office or through private actions brought by affected consumers.

For additional information on Washington’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Last week, a New York Times article discussed ChatGPT and AI’s “democratization of disinformation,” along with their potentially disruptive effects on upcoming political contests. Asking a chatbot powered by generative AI to produce a fundraising email is not the main concern, according to the article. Leveraging that technology to create and disseminate disinformation and deepfakes is. Some of the tactics the article describes, intended to further political goals, are unsettling well beyond politics, including in the workplace.

“Now any amateur with a laptop can manufacture the kinds of convincing sounds and images that were once the domain of the most sophisticated digital players. This democratization of disinformation is blurring the boundaries between fact and fake…”

Voice-cloning tools could be used, for example, to create convincing audio clips of political figures. One clip might convey a message that is consistent with the campaign’s platform, albeit never uttered by the candidate. Another clip might be produced to position the candidate in a bad light by suggesting the candidate was involved in illicit behavior or conveyed ideas damaging to the campaign, such as using racially-charged language. Either way, such clips would be misleading to the electorate. The same would be true of AI-generated images or videos.

“And as synthetic media gets more believable, the question becomes: What happens when people can no longer trust their own eyes and ears?”

It’s not hard to see how these same technologies, which are increasingly accessible by most anyone and relatively easy to use, can create significant disruption and legal risk in workplaces across the country. Instead of creating a false narrative about a political figure, a worker disappointed in his annual review might generate and covertly disseminate a compromising “video” of his supervisor. The failure to investigate a convincing deepfake video could have substantial and unintended consequences. Of course, the creation of this kind of misinformation can be directed at executives and the company as a whole.

Damaging disinformation and deepfakes are not the only risks posed by generative AI technologies. To better understand the kinds of risks an organization might face, assessing how workers are using ChatGPT and other similar generative AI technologies is a good first step. If a group of workers are like the millions of other people using ChatGPT, activities might include performing research, preparing draft communications such as the fundraising email in the NYT article discussed above, coding, and other tasks. Workers in different industries with different responsibilities likely will be approaching the technology with different needs and identifying a range of creative use cases.

Greater awareness about the uses of generative AI in an organization can help with policy development, but there are some policies that might make sense for most if not all applications of this technology.

Other workplace policies generally apply. A good example of this is harassment and nondiscrimination policies. As with an employee’s activity on social media, an employee’s use of ChatGPT is not shielded from existing policies on discrimination or harassment of others. Existing policies should apply.

Follow the application’s terms and understand its limitations. Using online resources for company business in violation of the terms of use of those resources could create legal exposure for organizations. Also, employees should be aware of the capabilities and limitations of the tools they are using. For instance, while ChatGPT may seem omniscient, it is not, and it may not be up to date – OpenAI notes “ChatGPT’s training data cuts off in 2021.” Employees can avoid a little embarrassment for the organization (and themselves) knowing this kind of information.

Avoid impermissible sharing of data. ChatGPT is just that, a chat or conversation with OpenAI that employees at OpenAI can view:

Who can view my conversations?

As part of our commitment to safe and responsible AI, we review conversations to improve our systems and to ensure the content complies with our policies and safety requirements.

Employees should avoid sharing personal information as well as confidential information about the company or its customers without understanding the applicable obligations that may apply. For example, there may be contractual obligations to customers of the organization prohibiting the sharing of their confidential information with third parties. Similar obligations could be established through website privacy policies or statements through which an organization has represented how it would share certain categories of information.

Establish a review process to avoid improper uses. Information generated through AI-powered tools and platforms may not be what it seems. It may be inaccurate, incomplete, biased, or it may infringe on another’s intellectual property rights. The organization may want to conduct a review of certain content obtained through the tool or platform to avoid subpar service to customers or an infringement lawsuit.

There is a lot to think about when considering the impacts of ChatGPT and other generative AI technologies. This includes carefully wading through political blather during the imminent election season. It also includes thinking about how to minimize risk related to these technologies in the workplace. Part of that can be accomplished through policy, but there are other steps to consider, such as employee training, monitoring utilization, etc.

On March 15, 2023, the Iowa legislature unanimously passed Senate File 262, the Consumer Privacy Act, which relates to consumer data and privacy protection. Once signed by Iowa’s governor, the statute will become operative on January 1, 2025, and Iowa will join California, Colorado, Connecticut, Utah, and Virginia in passing a comprehensive consumer privacy statute.

Covered Businesses

Covered businesses that must comply with the requirements of this new consumer privacy law are those entities that control or process personal data on 100,000 consumers in the state or derive 50% of their revenue from selling the data of more than 25,000 consumers.

Consumer Defined

Under the statute, a consumer is defined as a natural person who is a resident of Iowa and acting only in an individual or household context. The definition of consumer excludes individuals acting in a commercial or an employment context.

Personal Data

The Act applies to Personal Data, which means information linked or reasonably linkable to an identified individual or an identifiable individual.

Consumer Data Rights

The statute provides consumers with the following rights:

  • To confirm that covered businesses are processing the consumer’s personal data and access that personal data.
  • To delete personal data provided by the consumer.
  • To port the personal data.
  • To obtain a copy of the consumer’s personal data with certain limitations.
  • To opt out of processing for the sale of personal data or targeted advertising.

Covered Business Obligations

Covered businesses under the statute must comply with requests by consumers to exercise their rights as follows:

  • Respond to consumer requests without undue delay, but in all cases within 90 days of receipt of the request. The response period may be extended by 45 days when reasonably necessary, based on the complexity of the request and the number of consumer requests.
  • If the covered business declines to take action, it must inform the consumer.
  • Information provided in response to a consumer request must be provided to the consumer free of charge twice annually per consumer.

In addition to complying with consumer requests covered businesses must:

  • Adopt reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Protect sensitive data, a broad category under the statute that includes racial information, biometric data, and even geolocation, by not processing such data without the consumer having been presented clear notice and an opportunity to opt out of such processing.
  • Avoid processing data in such a way as to violate the state or federal laws that prohibit unlawful discrimination against a consumer. Moreover, a covered business may not discriminate against a consumer for exercising rights under the statute, including by denying goods or services or changing prices or rates.
  • Contractually obligate processors to adhere to the business’s instructions, where the business is a controller, and to implement appropriate technical and organizational measures to assist the controller in meeting its obligations under the Act.
  • Develop a privacy notice and a secure and reliable means for consumers to submit requests to exercise their rights.

Enforcement

The statute does not include a private right of action and the attorney general of the state has exclusive authority to enforce the provisions of this chapter.

For additional information on Iowa’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

After a significant delay, on February 3, 2023, the California Privacy Protection Agency (CPPA) unanimously approved amended regulations. The new regulations have not yet gone into effect as they must first be approved by the Office of Administrative Law (OAL). The CPPA’s General Counsel advised that there is no guarantee that the regulations would be approved on the first go-around. As the OAL has 30 business days to determine whether the CPPA complied with all rulemaking requirements, it is anticipated the regulations may take effect as early as April 2023.

The revised regulation is intended to do the following:

  1. Update existing regulations to fit with amendments made by the California Privacy Rights Act (CPRA).
  2. Put into operation new rights and concepts introduced by the CPRA.
  3. Make the regulations more streamlined and easier to understand.

The revised regulations include regulations on data processing agreements, consumer opt-out mechanisms, mandatory requirements for recognition of opt-out preference signals, and consumer request handling.

The regulations were not substantively changed from the second modification in October 2023, which included:

  • Sections clarifying how consumers can opt out of having their data sold or shared, including via opt-out preference signals.
  • Provisions providing allowances for enforcement flexibility, which are intended to assuage businesses’ concerns that the current delay in adopting final regulations will present compliance challenges.
  • Allowances for businesses, service providers, and contractors to delay compliance with requests to correct archived or backup systems until the data is restored to an active system or is next accessed or used.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On the eve of Data Privacy Day, the California Attorney General announced a new investigative focus for compliance with the California Consumer Privacy Act (CCPA) on mobile applications, specifically popular apps in the retail, travel, and food service industries. The Attorney General sent letters to businesses with mobile applications that have allegedly failed to comply with consumer opt-out requests, do not offer any mechanism for consumers who want to stop the sale of their data, or failed to process consumer requests submitted via an authorized agent, including via third-party applications such as Permission Slip.

The Attorney General stated this new focus on mobile application compliance comes due to the wide array of sensitive information applications can access on an individual’s mobile device.

Under the CCPA, businesses that receive notices have 30 days to fix the alleged violations before an enforcement action may be initiated by the state.

This announcement of further potential enforcement actions comes only four months after the state’s first enforcement action and settlement under the CCPA, which resulted in a settlement of $1.2 million in penalties, as well as injunctive relief.

Businesses with mobile applications should review compliance requirements and whether their mobile applications are following these and other CCPA requirements, including the changes made by the California Privacy Rights Act (CPRA).

If you have questions about compliance with the CCPA or related issues, contact a Jackson Lewis attorney or the CCPA Team.

The Colorado Privacy Act (CPA), effective July 1, 2023, provides expansive protections to the personal data of Colorado residents acting in an individual or household context (a “consumer”). Similar to the California Consumer Privacy Act (CCPA), the CPA requires providing notice of an entity’s (“controller”) data collection activities, provides for consumer rights including the right to opt out of certain processing, and creates an affirmative duty to safeguard personal data. Notably, the CPA does not apply to employee personal data or data collected in a commercial context.

On December 22, 2022, the Colorado Attorney General published Version 2 of Proposed Draft Rules for implementing the CPA and invited public comment. A rulemaking hearing on the proposed rules is scheduled for February 1, 2023.

While not an exhaustive list, the Proposed Draft Rules:

  • provide an extensive list of defined terms;
  • set forth presentation and accessibility requirements for consumer disclosures and notices (e.g., readable on all devices, straightforward and accurate, accessible to the target audience);
  • address the exercise of personal data rights (e.g., opt-out, access, correct, delete, and port data) and authentication of requests (i.e., establishing reasonable methods to authenticate a consumer based on the specific rights exercised, the risk of harm from improper access and the value, amount, and sensitivity of the personal data associated with the request);
  • require recognizing a universal opt-out mechanism that enables opting out of processing for targeted advertising or the sale of personal data in an affirmative, freely given, and unambiguous manner; prohibit treating pre-installed or default-setting universal opt-out mechanisms as valid, since they do not constitute freely given, affirmative consent to opt out; and include technical specifications;
  • address privacy notice content (e.g., disclosing the processing purpose; whether the data is sold, used for targeted advertising, or used for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer; data rights, etc.);
  • detail use of loyalty programs (e.g., prohibiting an increase in cost or decrease in the availability of a product or service based on a consumer’s exercise of a right; permitting a controller to offer bona fide loyalty program benefits based on a consumer’s voluntary participation);
  • detail duties regarding processing sensitive data (i.e., obtaining consent);
  • outline the affirmative obligation to safeguard consumer personal data;
  • set forth requirements for valid consent (e.g., informed, affirmative, freely given, specific and unambiguous);
  • detail the performance of a data protection assessment (e.g., identify and describe the heightened risk of harm to a consumer posed by processing; document measures taken to offset those risks; and demonstrate the benefits of processing outweigh the risks as offset by implemented safeguards).

The following non-exhaustive list notes substantive changes to the Proposed Draft Rules in the recently published Version 2. These changes:

  • add key definitions (e.g., “employee”, “employer”, and “employment records”, since the CPA does not apply to data maintained for employment purposes; “non-commercial purpose”, since the CPA applies to entities that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado consumers); and amend “biometric identifiers” to mean data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be processed to uniquely identify an individual, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics. The definition of biometric identifier is significant since consumer consent must be obtained prior to collecting biometric data;
  • permit delayed compliance with a consumer’s request to correct data when the data is archived or in backup systems;
  • detail the scope and application of a universal opt-out mechanism including an affirmative obligation to safeguard data processed with respect to the use of a universal opt-out mechanism;
  • provide controllers with six (6) months to recognize mechanisms added to the public list of recognized universal opt-out mechanisms published by the Colorado Department of Law;
  • provide examples of substantive or material changes that require a controller to notify a consumer of changes to its privacy policy (e.g., changes to categories of personal data processed or processing purposes, the controller’s identity, or methods to exercise consumer rights);
  • list considerations for identifying and incorporating reasonable and appropriate safeguards for personal data;
  • require that an interface used to request consumer consent include specific disclosures;
  • detail when the controller must refresh consent received from a consumer to process certain personal information;
  • prohibit consent interface designs that subvert or impair user autonomy or decision-making, or that manipulate or coerce the consumer into providing consent;
  • replace the phrase “similarly significant effects concerning a consumer resulting from profiling” with specific examples (e.g., denial of financial or lending services, housing); and
  • permit the use of a profiling-related data protection assessment performed for purposes of another jurisdiction’s law to satisfy CPA requirements when the assessment is reasonably similar in scope.

The CPA rulemaking process is ongoing and, similar to California’s draft regulations, it is anticipated that Colorado’s Proposed Draft Rules will undergo further revisions prior to July 1, 2023. Jackson Lewis will continue to track updates to the CPA and Proposed Draft Rules. For additional information on the CPA and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Last month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin with guidance concerning the use of online tracking technologies by covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). The OCR Bulletin follows a significant uptick in litigation concerning these technologies in industries including, but not limited to, healthcare. For healthcare entities, the allegations relate to the sharing of patient data obtained from patient portals and websites.

THE OCR BULLETIN

A Few Reminders

Before digging into the OCR Bulletin, let’s remember a few basic HIPAA rules:

  • In general, the HIPAA privacy and security regulations (the “HIPAA rules”) apply only to “covered entities” and “business associates” (we’ll call these “regulated entities”).
  • The HIPAA Rules apply to “protected health information” (PHI) which generally includes individually identifiable health information. That is, health information that relates to the individual’s past, present, or future health, health care, or payment for care, including demographic information. See 45 CFR 160.103.
  • Regulated entities can use or disclose PHI without an individual’s written authorization only as expressly permitted or required by the HIPAA Rules. See 45 CFR 164.502(a).

Definition of Tracking Technologies and Their Uses

As discussed in the OCR Bulletin, an online tracking technology is

a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app

Examples of these tracking technologies on websites include cookies, web beacons, or tracking pixels. Mobile apps may use tracking technologies such as tracking codes within the app, as well as captures of device-related information. As noted in the Bulletin,

For example, mobile apps may use a unique identifier from the app user’s mobile device, such as a device ID or advertising ID. These unique identifiers, along with any other information collected by the app, enable the mobile app owner or vendor or any other third party who receives such information to create individual profiles about each app user

Tracking technologies, whether developed internally or by third parties, are used by website or mobile app owners for various reasons, including to better understand the user experience on their site or app. Technologies developed by third parties may be able to track users and gather information after they navigate away from the original site. The OCR Bulletin focuses on third party tracking technologies.

Why Do Tracking Technologies Trigger HIPAA?

When a regulated entity uses tracking technologies developed by a third party vendor on its mobile app or website, such use may result in the collection and/or disclosure of PHI to the third party.

The Bulletin states:

All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.

(emphasis added.) So, according to the OCR, individuals with or without an existing patient relationship with the regulated entity could be sharing PHI with the entity (or a third party) through its website tracking technologies. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, etc.

Notably, not all such technologies will be collecting identifiable information. The Bulletin recognizes a distinction between user-authenticated and unauthenticated webpages. User-authenticated pages require a user to log in before access to the regulated entity’s page. According to the Bulletin, information collected on a user-authenticated webpage will be presumed to be PHI and subject to HIPAA.

Many regulated entities maintain unauthenticated webpages – those that do not require a login for access. Typically, these are sites that provide general information only – locations, descriptions of services, policies and procedures, etc. – and generally do not have access to PHI. For unauthenticated webpages, the determination is more detailed, as tracking technologies on such webpages typically would not have access to PHI. However, regulated entities should be aware that tracking on such pages could capture PHI. Information collected on sites that address specific symptoms or health conditions, or that permit a visitor to search for a doctor or schedule an appointment, may qualify as PHI where, for example, the visitor’s email address or IP address is also captured.

Importantly, the Bulletin clarifies that the HIPAA Rules do not apply to websites or mobile apps that are developed or offered by entities that are not regulated entities. For instance, a mobile app provider may offer individuals an online repository or tracking feature for their sensitive health information. If that provider is not a regulated entity, the HIPAA Rules do not apply, although other federal and/or state laws may, such as the Federal Trade Commission (FTC) Act or state comprehensive privacy laws, such as the California Consumer Privacy Act. Notably, in September 2021, the FTC issued a policy statement confirming that covered companies (e.g., certain health apps) that hold fertility, heart health, glucose levels and other health data must notify consumers in the event of a breach.

HIPAA Obligations When Using Tracking Technologies

When a regulated entity uses tracking technologies on its website(s) or mobile app(s), it may have obligations under the HIPAA Rules. While we cannot cover all of those requirements here, we summarize some key obligations:

  • Investigate whether the site or app has access to PHI. As noted above, do not assume that because the site is unauthenticated or only collects email addresses, it is not collecting PHI.
  • Ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.
    • Remember that if a disclosure of PHI requires an authorization under HIPAA, website privacy policies and website banners that ask users to accept or reject the use of tracking activities, standing alone, will be unlikely to constitute a valid authorization.
    • If a tracking technology vendor is creating, receiving, maintaining, or transmitting PHI on behalf of a regulated entity for a covered function, it will likely be considered a business associate. In that case, a business associate agreement may need to be in place between the regulated entity and the vendor.
  • Address the use of tracking technologies in a risk analysis and risk management processes, and implement safeguards in accordance with the HIPAA security regulations.
  • Provide breach notifications to affected individuals and the OCR if impermissible disclosures of PHI occur via tracking technology.
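To make the first obligation above concrete (investigating whether a site or app exposes PHI to tracking technologies), here is an added Python example; it is not code from the Bulletin, OCR, or this firm. It scans a constructed HTML page for third-party scripts, pixels and inline tag-manager calls, checks whether the page collects identifiers or addresses a health condition or appointment scheduling, and flags the combination for PHI and business associate review. The first-party hostnames, tracker host suffixes, keyword lists and the sample page are assumptions to be adapted to the site being audited.

```python
"""Audit a web page for third-party tracking resources that could receive PHI."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the audited site's own hostnames (adapt per site).
FIRST_PARTY_HOSTS = {"www.example-health.test", "example-health.test"}
# Assumption: host suffixes of common tracking/analytics vendors (extend per audit).
KNOWN_TRACKER_SUFFIXES = ("facebook.com", "facebook.net", "googletagmanager.com",
                          "google-analytics.com", "doubleclick.net")
# Assumption: page text suggesting a condition-specific or care-seeking context.
HEALTH_CONTEXT_WORDS = ("symptom", "condition", "diagnosis", "treatment",
                        "appointment", "find a doctor")
# Assumption: form field names that typically capture an identifier.
IDENTIFIER_NAME_WORDS = ("email", "phone", "name", "dob", "patient", "condition")


def tracker_host(url):
    """Return the hostname if the URL points at a known tracking vendor, else None."""
    host = (urlparse(url).hostname or "").lower()
    for suffix in KNOWN_TRACKER_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return host
    return None


class TrackerAuditParser(HTMLParser):
    """Collect external resources, inline tracker calls, form fields and page text."""

    def __init__(self):
        super().__init__()
        self.third_party_resources = []    # (tag, url) loaded from non-first-party hosts
        self.inline_tracker_calls = set()  # fbq/gtag/ga calls found in inline <script>
        self.identifier_fields = []        # form inputs likely to capture identifiers
        self.text_chunks = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).hostname  # relative URLs have no host: first-party
            if host and host.lower() not in FIRST_PARTY_HOSTS:
                self.third_party_resources.append((tag, src))
        if tag == "script":
            self._in_script = True
        if tag == "input":
            itype = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if itype in ("email", "tel") or any(w in name for w in IDENTIFIER_NAME_WORDS):
                self.identifier_fields.append(name or itype)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for call in ("fbq", "gtag", "ga"):  # typical tag-manager snippet calls
                if call + "(" in data:
                    self.inline_tracker_calls.add(call)
        else:
            self.text_chunks.append(data)


def audit_page(html):
    """Summarise one page's tracking exposure and whether PHI review is needed."""
    p = TrackerAuditParser()
    p.feed(html)
    p.close()
    text = " ".join(p.text_chunks).lower()
    health_context = [w for w in HEALTH_CONTEXT_WORDS if w in text]
    known = set()
    for _, url in p.third_party_resources:
        host = tracker_host(url)
        if host:
            known.add(host)
    tracking_present = bool(known or p.inline_tracker_calls)
    return {
        "third_party_resources": p.third_party_resources,
        "known_trackers": sorted(known),
        "inline_tracker_calls": sorted(p.inline_tracker_calls),
        "identifier_fields": p.identifier_fields,
        "health_context": health_context,
        # Every third-party request already carries the visitor's IP address and the
        # page URL, so a tracker on a condition-specific or appointment page, or next
        # to identifier-collecting fields, warrants PHI and BAA review.
        "needs_phi_review": tracking_present and bool(p.identifier_fields or health_context),
    }


# Constructed sample page (not a real site): a condition page with a pixel and a form.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  fbq('init', '000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<h1>Diabetes Care Clinic</h1>
<p>Learn about symptoms of type 2 diabetes and schedule an appointment.</p>
<form action="/appointments">
  <input type="email" name="patient_email">
  <input type="text" name="condition">
  <input type="submit">
</form>
<img src="https://www.facebook.com/tr?id=000000000000&amp;ev=PageView" width="1" height="1">
<img src="/images/logo.png">
</body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML))
```

Run the audit over the rendered HTML of each page in scope (including authenticated pages, whose contents are usually out of reach of a crawler). A page that comes back with `needs_phi_review` set is a candidate for the minimum-necessary and business associate agreement analysis described above, not a conclusion that PHI was disclosed.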

LITIGATION

During 2022, litigation concerning the use of website tracking technologies increased significantly. In one report, a health system settled claims for $18 million, while in another case the plaintiffs alleged that over 650 hospital system or medical provider websites use the Meta Pixel tracking tool and have sent data from those sites.

The trend does not just involve HIPAA regulated entities or HIPAA. According to a Bloomberg Law analysis, between February and October 2022, at least 47 proposed class actions were filed alleging transfers of “personal video consumption data from online platforms to Facebook without their consent,” in violation of the federal Video Privacy Protection Act.

For regulated entities under HIPAA, it is not much comfort that HIPAA does not have a private right of action for individuals. Plaintiffs are using other paths under similar federal and state laws to advance their claims. The trend is growing, but there are steps regulated entities can take to address these risks.

NEXT STEPS

Covered entities and business associates should conduct an audit of any tracking technologies used on their websites, web applications, or mobile apps and determine if they are being used in a manner that complies with HIPAA. Such tracking technologies should be included in a HIPAA risk analysis and risk management process.

Covered entities should review tracking technology vendor agreements and ensure a business associate agreement is in place to avoid potential impermissible disclosure of protected health information.

If through an audit it is found that tracking technologies are being used in a manner not compliant with HIPAA, notification may be required under HIPAA and applicable state law.

If you have questions about HIPAA compliance or related issues contact a Jackson Lewis attorney to discuss.

On December 16, 2022, the California Privacy Protection Agency (CPPA) held its final meeting before the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act, takes effect on January 1, 2023. Although the CPRA takes effect at the start of the year, the CPPA, the agency charged with implementing the law, has not finalized its rulemaking process. It was discussed at the Friday meeting that the final proposed rules are anticipated to be released at the end of January and, after going through the various administrative requirements, will take effect in April. In the meantime, regulations previously promulgated by the California Attorney General’s Office will remain in effect.

Though it has not finalized its CPRA rulemaking, the CPPA is setting its sights on other rulemaking duties, including the use of artificial intelligence in data collection and businesses’ cybersecurity assessments. The CPPA released sample questions covering these areas which will be finalized and approved in the new year and then released for a comment period in order to collect insights on the framework needed for risk assessments and automated decision-making.

Some of the considerations pertaining to risk assessments that are detailed in the sample questions include laws and other requirements that businesses already have to comply with regarding processing consumers’ personal information that require risk assessments and how those assessments can be aligned with the requirements under the CPRA. Further, the CPPA is considering whether assessments from other privacy statutes and regulations such as the European General Data Protection Regulation and Colorado’s Privacy Act can be used for CPRA purposes.

Similarly, in considering rulemaking regarding automated decision-making, the CPPA is considering questions of other laws requiring access and/or opt-out rights in the context of automated decision-making. The sample questions also seek information about how prevalent algorithmic discrimination based on classification/classes under California and federal law is and if it is more pronounced in some sectors.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

We have been quite busy this October, which happens to be National Cybersecurity Awareness Month. But we did not want to let the month go by without some recognition, and we are grateful to the HHS Office for Civil Rights (OCR) for this always timely reminder for HIPAA covered entities and business associates: have a written incident response plan.

Why do we need another policy?

First, because it is required under the HIPAA Security Rule. See 45 CFR 164.308(a)(6). Also, because cybersecurity risks continue to rise. The OCR notes that cybersecurity incidents and data breaches continue to increase in the healthcare sector, citing a 69% increase in cyber-attacks for the first half of 2022 compared to 2021. Breaches of unsecured protected health information (PHI), including electronic PHI, reported to OCR affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021.

Fine, so what does an incident response plan need to include?

The OCR describes some basic elements that should be included in an incident response plan (IRP):

  • identifying security incidents;
  • responding to security incidents;
  • mitigating harmful effects of security incidents; and
  • documenting security incidents and their outcomes.

As we get more specific below, note that each covered entity and business associate is different in several respects, such as size, number of locations, information systems, prior experience, cyber insurance policies, type of PHI, and state laws, just to name a few. So, your specific IRP may vary in significant ways, but these are four critical elements to address for your particular business and practice.

Can you be more specific?

Sure. The organization will want to think about who will be doing the responding – who is on the “security incident response team.” This is a team that is organized and trained to effectively respond to security incidents. OCR offers several areas to consider when forming a team, such as:

  • Have a strong balance of skill sets among team members (IT, legal, communications, etc.)
  • Ensure lines of communication will be available among team members during a crisis
  • Consider external parties that can provide specific expertise concerning incident response
  • Commit to regularly practicing incident response procedures for different types of attacks.

With a team established, the plan should provide for identifying security incidents. Of course, this requires knowing that a security incident is “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” One way to identify security incidents is to have audit logs in place and review them regularly.

In the event of a security incident, the plan needs to cover the steps for responding. This includes containing the security incident and any threat it may pose to ePHI, such as by identifying and removing any malicious code and mitigating any vulnerabilities that may have permitted the security incident to occur. To be better prepared to respond to security incidents, the plan should also include procedures such as:

  • Processes to identify and determine the scope of security incidents
  • Instructions for managing the security incident
  • Creating and maintaining a list of assets (computer systems and data) to prioritize when responding to a security incident
  • Conducting a forensic analysis to identify the extent and magnitude of the security incident
  • Reporting the security incident to appropriate internal and external entities
  • Processes for collecting and maintaining evidence of the security incident (e.g., log files, registry keys, and other artifacts) to determine what was accessed during the security incident

After the security incident has been neutralized, the next steps should include mitigation, including recovery and restoration of systems and data to return to normal operations. Mitigation efforts are facilitated through contingency planning, robust data backup, and recovery processes. These are areas that should not be considered for the first time when a security incident occurs. For example, knowing that you have a backup is not enough; regularly verifying that you are able to restore from backups while maintaining integrity is key.

When these steps have been completed, particularly after operations have returned to normal, regulated entities must document their response to the security incident. This is required under HIPAA. The IRP can be helpful in outlining what information to include in the documentation (e.g., discovery of the security incident; systems and data affected; response and mitigation activities; recovery outcomes; root cause analysis; forensic data collected).

What about notification? Shouldn’t that be part of the IRP?

Of course. The IRP should address the entity’s reporting obligations, whether to the affected individuals, the OCR, the media, state agencies, or a covered entity (for business associates). A critical aspect of notification is timing. For breaches affecting 500 or more individuals, notice is required without unreasonable delay and no later than 60 calendar days from the discovery of the breach. The OCR reminds regulated entities:

the time period [for reporting] begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule. 

Further, 60 days is the outer limit for notification but,

in some cases, it may be an ‘unreasonable delay’ to wait until the 60th day to provide notification.
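As an added illustration of two points in this post (identifying security incidents by reviewing audit logs, and the 60-calendar-day outer limit for notification), the following Python example is not from OCR or this firm. It reviews constructed EHR-style audit log lines for a burst of failed logins and for one account opening an unusual number of distinct patient records within an hour, computes the outer notification deadline from a discovery date, and sketches the documentation record the post describes. The log format, field names, thresholds and sample lines are all assumptions.

```python
"""Review constructed audit log lines for incident indicators and compute the
HIPAA breach-notification outer deadline (60 calendar days from discovery)."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample audit log in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = [
    "2022-10-03T09:01:10 user=jsmith action=LOGIN patient=- src=10.0.5.21 result=OK",
    "2022-10-03T09:02:15 user=jsmith action=VIEW patient=P1001 src=10.0.5.21 result=OK",
    "2022-10-03T10:30:00 user=mlee action=VIEW patient=P3001 src=10.0.5.30 result=OK",
] + [  # one account opens twelve different charts in twelve minutes
    f"2022-10-03T09:{3 + i:02d}:00 user=jsmith action=VIEW patient=P{2000 + i} "
    "src=10.0.5.21 result=OK" for i in range(12)
] + [  # six failed logins for a service account from an outside address in a minute
    f"2022-10-03T02:10:{10 * i:02d} user=svc-backup action=LOGIN patient=- "
    "src=203.0.113.7 result=FAIL" for i in range(6)
]

# Assumed thresholds; tune to the entity's own baseline and review cadence.
FAILED_LOGIN_THRESHOLD, FAILED_LOGIN_WINDOW = 5, timedelta(minutes=10)
DISTINCT_PATIENT_THRESHOLD, DISTINCT_PATIENT_WINDOW = 10, timedelta(hours=1)


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def max_in_window(events, window, key):
    """Largest number of distinct key(e) values among time-sorted events in any window."""
    best = 0
    for i, start in enumerate(events):
        seen = set()
        for e in events[i:]:
            if e["ts"] - start["ts"] > window:
                break
            seen.add(key(e))
        best = max(best, len(seen))
    return best


def find_indicators(lines):
    """Return possible security-incident indicators found in the log lines."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    indicators = []
    for user, evs in by_user.items():
        fails = [e for e in evs if e["action"] == "LOGIN" and e["result"] == "FAIL"]
        n_fail = max_in_window(fails, FAILED_LOGIN_WINDOW, key=id)  # count events
        if n_fail >= FAILED_LOGIN_THRESHOLD:
            indicators.append({"type": "failed_login_burst", "user": user, "count": n_fail,
                               "sources": sorted({e["src"] for e in fails})})
        views = [e for e in evs if e["action"] == "VIEW" and e["result"] == "OK"]
        n_pat = max_in_window(views, DISTINCT_PATIENT_WINDOW, key=lambda e: e["patient"])
        if n_pat >= DISTINCT_PATIENT_THRESHOLD:
            indicators.append({"type": "record_volume_anomaly", "user": user, "count": n_pat,
                               "sources": sorted({e["src"] for e in views})})
    return indicators


def notification_deadline(discovered_iso):
    """Outer limit for notice: 60 calendar days from discovery; earlier may be required."""
    discovered = date.fromisoformat(discovered_iso)
    return (discovered + timedelta(days=60)).isoformat()


def incident_record(indicator, discovered_iso):
    """Skeleton of the documentation the post says HIPAA requires for an incident."""
    return {
        "discovered": discovered_iso,
        "indicator": indicator,
        "systems_and_data_affected": None,   # filled in by the response team
        "response_and_mitigation": [],
        "recovery_outcome": None,
        "root_cause": None,
        "evidence": [],                       # log excerpts and other preserved artifacts
        "notification_outer_deadline": notification_deadline(discovered_iso),
    }


if __name__ == "__main__":
    for ind in find_indicators(SAMPLE_LOG):
        print(incident_record(ind, "2022-10-03"))
```

The clock in `notification_deadline` starts at discovery of the incident, matching the OCR reminder quoted above, not at the end of the investigation; the function gives only the outer limit, and the record it feeds is the starting point for the documentation, not a substitute for the forensic and root-cause work listed earlier in the post.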

There is a lot more that can be said about IRPs, and it is not a good idea to wait until the next National Cybersecurity Awareness Month to craft one. Also, while directed to healthcare providers and their business associates, the same kind of planning is prudent for just about all organizations. 

Over the past several years, there has been a significant increase in the use of dashcam technology. The technology available in the market is quite advanced. As we observed here, these devices can be equipped with geolocation, AI, facial recognition, and other technologies.  Designed primarily to enhance driver safety and fleet management, privacy concerns are tapping the brakes on implementation in California.

On September 29, 2022, Governor Gavin Newsom signed AB-984 into law, effective January 1, 2023. The law builds on other privacy protections in California, such as the California Consumer Privacy Act and Penal Code Sec. 637.7. Section 637.7 prohibits using an electronic tracking device to determine the location or movement of a person; however, it does not apply when the vehicle owner (e.g., the employer) has consented to the use of the device.

Among other exciting provisions, including the latest in vehicle tech – digital license plates, AB-984 places significant restrictions on the use of an alternative device to monitor employees. Specifically, the law provides:

An employer, or a person acting on behalf of the employer, shall not use an alternative device to monitor employees except during work hours, and only if strictly necessary for the performance of the employee’s duties.

The statute defines monitoring to include, without limitation, “locating, tracking, watching, listening to, or otherwise surveilling the employee.” However, there is no definition of “strictly necessary,” making the statute more difficult to navigate.

Employers that choose to install such a device must provide notice to employees prior to monitoring with the device. That notice must, at a minimum, include the following:

(A) A description of the specific activities that will be monitored.

(B) A description of the worker data that will be collected as a part of the monitoring.

(C) A notification of whether the data gathered through monitoring will be used to make or inform any employment-related decisions, including, but not limited to, disciplinary and termination decisions, and, if so, how, including any associated benchmarks.

(D) A description of the vendors or other third parties, if any, to which information collected through monitoring will be disclosed or transferred. The description shall include the name of the vendor or third party and the purpose for the data transfer.

(E) A description of the organizational positions that are authorized to access the data gathered through the alternative device.

(F) A description of the dates, times, and frequency that the monitoring will occur.

(G) A description of where the data will be stored and the length of time it will be retained.

(H) A notification of the employee’s right to disable monitoring, including vehicle location technology, outside of work hours.

Employers that fail to comply can be subject to significant penalties. A civil penalty of $250 can be imposed for an initial violation, while a penalty of $1,000 per employee can be imposed for each subsequent violation. The statute expressly provides that penalties “shall be assessed per employee, per violation, and per day that monitoring without proper notice is conducted.”

In addition to penalties, employers have additional exposure if found to have retaliated against an employee for removing or disabling an alternative device’s monitoring capabilities outside of work hours. In this case, the employee “shall be entitled to all available penalties, remedies, and compensation, including, but not limited to, reinstatement and reimbursement of lost wages, work benefits, or other compensation caused by the retaliation.”

For employers considering using an alternative device to monitor employees in vehicles, there are at least two steps to take:

  • Assess whether doing so is “strictly necessary” for the performance of the employee’s duties
  • Provide advance notice of the monitoring

There are several other issues to consider as well, as is apparent just from looking at the items required to be included in the notice.