On April 16, regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the creation of the Consortium of Privacy Regulators, a new collaborative effort focused on the...more
Late in February, the California Privacy Protection Agency (CPPA) ordered the shutdown of Background Alert under the state’s Data Broker Registration Law. Background Alert aggregated public records to create detailed profiles...more
4/3/2025
/ California ,
California Privacy Protection Agency (CPPA) ,
Consumer Privacy Rights ,
Corporate Counsel ,
Data Brokers ,
Data Collection ,
Data Privacy ,
Enforcement Actions ,
Personal Information ,
Privacy Laws ,
State Privacy Laws
On October 10, 2024, the Drug Enforcement Administration (the DEA) submitted a new rule to the White House Office of Management and Budget titled, “Third Temporary Extension of COVID-19 Telemedicine Flexibilities for...more
On April 26, the Federal Trade Commission (FTC) approved its Final Rule revising the Health Breach Notification Rule (HBNR) (“Final Rule”) by a 3-2 vote. The HBNR requires vendors of personal health records (PHR) and related...more
6/5/2024
/ Breach Notification Rule ,
Data Breach ,
Enforcement ,
Federal Trade Commission (FTC) ,
Final Rules ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Health Technology ,
Healthcare ,
Penalties ,
PHI ,
Popular ,
Reporting Requirements ,
Rulemaking Process ,
Vendors
Colorado has just become the first state to extend its comprehensive privacy law, the Colorado Privacy Act (“CPA”), to “neural data.” After passing unanimously in the Colorado Senate earlier this spring, bipartisan House Bill...more
Colorado became the first state to comprehensively address artificial intelligence (“AI”), passing Senate Bill 24-205, or the Colorado Artificial Intelligence Act, on May 17, 2024 (“Act”). The Act establishes the nation’s...more
6/3/2024
/ Artificial Intelligence ,
Automated Decision Systems (ADS) ,
Bias ,
Colorado ,
Compliance ,
Disclosure Requirements ,
Governance Standards ,
High Risk Sectors ,
New Legislation ,
Penalties ,
Popular ,
Risk Management
On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Bulletin revising its December 1, 2022 Guidance concerning the HIPAA obligations of covered entities and...more
On October 3, the Department of Defense, General Services Administration, and the National Aeronautics and Space Administration published two sets of proposed revisions to the Federal Acquisition Regulation (“FAR”) pertaining...more
On September 27, 2023, FDA finalized its guidance entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (the “2023 Final Guidance”). The Final Guidance replaces...more
10/11/2023
/ Artificial Intelligence ,
Cybersecurity ,
Federal Food Drug and Cosmetic Act (FFDCA) ,
Final Guidance ,
Food and Drug Administration (FDA) ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
Machine Learning ,
Medical Devices ,
NTIA ,
Popular ,
Premarket Approval Applications ,
Risk Management ,
Software ,
Source Code
On February 1, the Federal Trade Commission (“FTC”) announced its first enforcement action under the Health Breach Notification Rule (“HBNR” or “Rule”) against GoodRx, a direct-to-consumer digital healthcare and prescription...more
2/22/2023
/ Application Programming Interface (APIs) ,
Breach Notification Rule ,
Data Privacy ,
Enforcement ,
Federal Trade Commission (FTC) ,
Final Rules ,
FTC Act ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Notification Requirements ,
Popular ,
Social Security Act
On February 1, 2023, the Federal Trade Commission (FTC) announced that it has taken enforcement action for the first time under its Health Breach Notification Rule (HBNR) against GoodRx Holdings Inc. (GoodRx), for allegedly...more
On December 1, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services provided guidance on the intersection of the Health Insurance Portability and Accountability Act (HIPAA) and the use of...more
On October 10, the Colorado Attorney General (“AG”) released its draft regulations outlining businesses’ obligations under the Colorado Privacy Act (“CPA”). The 38-page set of draft regulations flesh out several novel privacy...more
On August 24, the California Attorney General (“AG”) announced its first enforcement settlement under the California Consumer Privacy Act (“CCPA”). The $1.2M fine with an international retailer settled claims that the...more
On September 14, 2022, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification (Notification) warning the industry regarding increasing cyber-attack activity against healthcare providers and payment...more
On April 28, 2022, in a joint letter written by the HHS Secretary, Xavier Becerra, and CMS Administrator, Chiquita Brooks-LaSure, to the Chairwoman of the Federal Communications Commission (FCC), HHS requested an opinion...more
On April 6, 2022, the Department of Health and Human Services Office for Civil Rights (OCR) issued a Request for Information (RFI) to solicit public comments on the implementation of the “safe harbor” under the Health...more
On April 6, 2022, HHS Office for Civil Rights (OCR) issued a Request for Information (RFI) to solicit public comment on the implementation of the newly-enacted “safe harbor” under the Health Insurance Portability and...more
On September 15, 2021, the Federal Trade Commission (“FTC”) issued a Policy Statement instructing health app and connected device companies to comply with the Health Breach Notification Rule (“the Rule”). The Rule, codified...more
11/2/2021
/ Breach Notification Rule ,
Data Breach ,
Electronic Devices ,
Federal Trade Commission (FTC) ,
Final Rules ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Breach ,
Mobile Apps ,
PHI ,
Popular ,
Security Breach
On July 7, 2021, Colorado enacted a new privacy law, titled the Colorado Privacy Act (CPA). The CPA is the third state-level omnibus data privacy law, similar in scope to the California Consumer Privacy Act (CCPA) and the...more
8/11/2021
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
CDPA ,
Colorado ,
Consumer Privacy Rights ,
Enforcement ,
General Data Protection Regulation (GDPR) ,
Gramm-Leach-Blilely Act ,
New Legislation ,
Personal Information ,
Privacy Laws
On April 1, in a highly anticipated decision that likely will have a significant effect on litigation under the Telephone Consumer Protection Act (TCPA), the Supreme Court ruled on what qualifies as an “automatic telephone...more
On November 4, 2020, the Centers for Medicare & Medicaid Services (CMS) published a proposed rule (the Proposed Rule) outlining proposals for the coverage and payment for durable medical equipment, prosthetics, orthotics, and...more
On December 10, 2020, HRSA issued a final rule (the Final Rule) implementing the 340B Drug Pricing Program administrative dispute resolution (ADR) process–an overdue mandate from the Affordable Care Act. Under the Final...more
On October 30, 2020, the Office of the National Coordinator for Health Information Technology (ONC) issued an interim final rule (IFR) with comment period delaying the compliance dates for certain regulatory requirements set...more
Manufacturers and providers participating in the 340B Drug Pricing Program have entered into a new phase of tensions this summer, as manufacturers push back on the use of contract pharmacies by providers. At least one major...more