BACKGROUND U.S.-based life sciences companies can be subject to the European Union (‘EU’) General Data Protection Regulation (‘GDPR’), even if they do not have any subsidiary, affiliate or other physical presence in the EU. This can be the case if, for example, a pharmaceutical or medical device company in the U.S. acts as a sponsor […]
Health Privacy
HHS and FTC Fire a Warning Shot at Healthcare Companies Using Online Tracking Technologies
On July 20, 2023, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”), and the Federal Trade Commission (“FTC”) published a joint letter sent to approximately 130 hospital systems and telehealth providers. The FTC/OCR letter warns that certain online tracking technologies that “may be present” on the recipients’ […]
HHS and FTC Expanding Technology, Privacy, and Cybersecurity Divisions
In recent weeks, FTC and HHS have announced expansion of the operational areas of their organizations that are dedicated to enforcement of laws and regulations related to technology, privacy, and cybersecurity. On February 17, 2023, the FTC announced the creation of a new Office of Technology in order to “strengthen the FTC’s ability to keep […]
Fifth Circuit Decision Raises Cyber Enforcement Complications for the U.S. Department of Health and Human Services
As the Biden administration begins detailing its regulatory and enforcement priorities, it faces a new challenge on the health data privacy and security front. In University of Texas M.D. Anderson Cancer Center v. United States Department of Health and Human Services, No. 19-60226 (5th Cir. 2021), the Fifth Circuit vacated a $4.3 million penalty against […]
New Law Requires HHS to Consider Recognized Security Practices as Mitigating Factor When Determining Penalties
On January 5, 2021, the president signed into law H.R. 7898, an Act that amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Secretary of Health and Human Services (HHS) to consider specific recognized security practices of covered entities and business associates when making certain determinations regarding fines, penalties, […]