LSHC Horizons Brochure 2024
Hogan Lovells | 2024 Life Sciences and Health Care Horizons | Privacy and Cybersecurity
Good hygiene: Navigating federal oversight of sensitive health data
Federal regulators, and in particular the Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS), are working together and stepping up efforts – through agency guidance and enforcement actions – to ensure that organizations processing sensitive health data provide robust privacy and security protections.
The two agencies issued joint guidance in 2023 as well as a warning letter to 130 health care providers about the risks involved with using tracking technologies such as pixels and cookies where sensitive health information is involved. The guidance highlights requirements under the Health Insurance Portability and Accountability Act (HIPAA), the FTC Act, and the FTC Health Breach Notification Rule. HHS on its own issued guidance on privacy and security risks when using remote communications for telehealth and entered settlements targeting unauthorized disclosures of sensitive health information and violations of patient privacy rights. The FTC issued guidance setting out expectations for use of consumer health data and clarifying – under FTC authorities – what constitutes deceptive practices with regard to sensitive health information.
Marcy Wilder, Partner, Washington, D.C.
The FTC health sector actions have targeted businesses dealing in many types of sensitive data, including biometric, geolocation, reproductive health, diagnostic, mental health, and genetic information, and have made clear that their reach includes, and extends far beyond, the clinical and prescription data that is often under the purview of HHS and HIPAA. In the FTC settlement agreements with GoodRx (prescription information), Vitagene (genetic data), and others, the agency cited the lack of user transparency, misleading statements about data privacy and security, and its concerns about downstream uses of data and the lack of express and affirmative consent.
As the consumer health experience is transformed by the use of new technologies, including generative AI, businesses in the U.S. processing sensitive health information will need to be prepared for federal scrutiny of their privacy and data security practices. Looking at recent HHS and FTC actions, several themes emerge, including: (1) the need to determine whether sensitive health data is covered by HIPAA and/or the FTC authorities; (2) the requirement for express, affirmative consent (opt-in) in order to disclose sensitive health information, especially for tracking technologies (like pixels and cookies) and marketing activities; and (3) the expectation that privacy and security will be addressed through a formal compliance program that includes risk assessments, written policies, and employee training.
Alyssa Golay, Senior Associate, Washington, D.C.
Alicia J. Paller, Senior Associate, Washington, D.C. / Minneapolis