Comprehensive Federal Privacy Bill May Open Backdoor for HIPAA Private Right of Action

Fox Rothschild LLP

The American Privacy Rights Act of 2024 (APRA), a bipartisan and “historic” comprehensive data privacy bill unveiled April 8, 2024, would preempt state data privacy laws and be enforced by the Federal Trade Commission, states, and affected individuals. As per the Press Release:

“This comprehensive draft legislation sets clear, national data privacy rights and protections for Americans, eliminates the existing patchwork of state comprehensive data privacy laws, and establishes robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals.”

Although it includes a carve-out for covered entities and business associates subject to HIPAA, the carve-out comes with a caveat — the covered entities and business associates must be “in compliance with” the data privacy and security requirements of HIPAA.

While state data privacy laws commonly include either entity-level carve-outs for covered entities and business associates subject to HIPAA or data-level carve-outs for their PHI (or some combination of the two), APRA’s carve-out leaves open the possibility that non-compliant covered entities and business associates would be subject to APRA’s requirements and “robust” enforcement mechanisms, including the right for an individual to sue for an alleged HIPAA violation.

HIPAA covered entities and business associates may be acutely aware of the fact that “HIPAA compliance” is a temporal and elusive status, one that may be lost when a hacker gains system access or a rogue (or careless) employee causes a breach. In fact, a HIPAA-regulated entity could be deemed to have violated HIPAA simply by failing to abide by a HIPAA Privacy or Security Rule requirement, such as maintaining required documentation for a period of six years. Given the complexity of HIPAA and ever-evolving HIPAA compliance requirements (see, for example, recent regulatory amendments and guidance documents adopted and/or issued by the U.S. Department of Health and Human Services), it is easy to see how tenuous APRA’s HIPAA carve-outs may actually be.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
