On July 24, 2025, the California Privacy Protection Agency (CPPA) Board approved a new set of regulations aimed at governing the use of automated decision-making technology (ADMT), risk assessments, and cybersecurity audits...more
A new Texas law governing electronic health records (“EHR"), Senate Bill 1188 (“S.B. 1188”), is going into effect September 1, 2025. The bill sets out a number of new requirements and additions to the Texas Health and Safety...more
On July 8, Connecticut Attorney General William Tong (“CT AG ”) announced an $85,000 settlement with TicketNetwork, Inc., following an investigation into alleged violations of the Connecticut Data Privacy Act (CTDPA). In this...more
On May 1, 2025, the California Privacy Protection Agency (CPPA) released a revised draft of its regulations. These modifications, issued in response to public comments on earlier drafts, aim to clarify and simplify key...more
On April 16, regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the creation of the Consortium of Privacy Regulators, a new collaborative effort focused on the...more
Late in February, the California Privacy Protection Agency (CPPA) ordered the shutdown of Background Alert under the state’s Data Broker Registration Law. Background Alert aggregated public records to create detailed profiles...more
4/3/2025
/ California ,
California Privacy Protection Agency (CPPA) ,
Consumer Privacy Rights ,
Corporate Counsel ,
Data Brokers ,
Data Collection ,
Data Privacy ,
Enforcement Actions ,
Personal Information ,
Privacy Laws ,
State Privacy Laws
On October 10, 2024, the Drug Enforcement Administration (the DEA) submitted a new rule to the White House Office of Management and Budget titled, “Third Temporary Extension of COVID-19 Telemedicine Flexibilities for...more
On April 26, the Federal Trade Commission (FTC) approved its Final Rule revising the Health Breach Notification Rule (HBNR) (“Final Rule”) by a 3-2 vote. The HBNR requires vendors of personal health records (PHR) and related...more
6/5/2024
/ Breach Notification Rule ,
Data Breach ,
Enforcement ,
Federal Trade Commission (FTC) ,
Final Rules ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Health Technology ,
Healthcare ,
Penalties ,
PHI ,
Popular ,
Reporting Requirements ,
Rulemaking Process ,
Vendors
Colorado has just become the first state to extend its comprehensive privacy law, the Colorado Privacy Act (“CPA”), to “neural data.” After passing unanimously in the Colorado Senate earlier this spring, bipartisan House Bill...more
Colorado became the first state to comprehensively address artificial intelligence (“AI”), passing Senate Bill 24-205, or the Colorado Artificial Intelligence Act, on May 17, 2024 (“Act”). The Act establishes the nation’s...more
6/3/2024
/ Artificial Intelligence ,
Automated Decision Systems (ADS) ,
Bias ,
Colorado ,
Compliance ,
Disclosure Requirements ,
Governance Standards ,
High Risk Sectors ,
New Legislation ,
Penalties ,
Popular ,
Risk Management
On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Bulletin revising its December 1, 2022 Guidance concerning the HIPAA obligations of covered entities and...more
On October 3, the Department of Defense, General Services Administration, and the National Aeronautics and Space Administration published two sets of proposed revisions to the Federal Acquisition Regulation (“FAR”) pertaining...more
On September 27, 2023, FDA finalized its guidance entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (the “2023 Final Guidance”). The Final Guidance replaces...more
10/11/2023
/ Artificial Intelligence ,
Cybersecurity ,
Federal Food Drug and Cosmetic Act (FFDCA) ,
Final Guidance ,
Food and Drug Administration (FDA) ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
Machine Learning ,
Medical Devices ,
NTIA ,
Popular ,
Premarket Approval Applications ,
Risk Management ,
Software ,
Source Code
On February 1, the Federal Trade Commission (“FTC”) announced its first enforcement action under the Health Breach Notification Rule (“HBNR” or “Rule”) against GoodRx, a direct-to-consumer digital healthcare and prescription...more
2/22/2023
/ Application Programming Interface (APIs) ,
Breach Notification Rule ,
Data Privacy ,
Enforcement ,
Federal Trade Commission (FTC) ,
Final Rules ,
FTC Act ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Notification Requirements ,
Popular ,
Social Security Act
On February 1, 2023, the Federal Trade Commission (FTC) announced that it has taken enforcement action for the first time under its Health Breach Notification Rule (HBNR) against GoodRx Holdings Inc. (GoodRx), for allegedly...more
On December 1, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services provided guidance on the intersection of the Health Insurance Portability and Accountability Act (HIPAA) and the use of...more
On October 10, the Colorado Attorney General (“AG”) released its draft regulations outlining businesses’ obligations under the Colorado Privacy Act (“CPA”). The 38-page set of draft regulations flesh out several novel privacy...more
On August 24, the California Attorney General (“AG”) announced its first enforcement settlement under the California Consumer Privacy Act (“CCPA”). The $1.2M fine with an international retailer settled claims that the...more
On September 14, 2022, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification (Notification) warning the industry regarding increasing cyber-attack activity against healthcare providers and payment...more
On April 28, 2022, in a joint letter written by the HHS Secretary, Xavier Becerra, and CMS Administrator, Chiquita Brooks-LaSure, to the Chairwoman of the Federal Communications Commission (FCC), HHS requested an opinion...more
On April 6, 2022, the Department of Health and Human Services Office for Civil Rights (OCR) issued a Request for Information (RFI) to solicit public comments on the implementation of the “safe harbor” under the Health...more
On April 6, 2022, HHS Office for Civil Rights (OCR) issued a Request for Information (RFI) to solicit public comment on the implementation of the newly-enacted “safe harbor” under the Health Insurance Portability and...more
On September 15, 2021, the Federal Trade Commission (“FTC”) issued a Policy Statement instructing health app and connected device companies to comply with the Health Breach Notification Rule (“the Rule”). The Rule, codified...more
11/2/2021
/ Breach Notification Rule ,
Data Breach ,
Electronic Devices ,
Federal Trade Commission (FTC) ,
Final Rules ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Breach ,
Mobile Apps ,
PHI ,
Popular ,
Security Breach
On July 7, 2021, Colorado enacted a new privacy law, titled the Colorado Privacy Act (CPA). The CPA is the third state-level omnibus data privacy law, similar in scope to the California Consumer Privacy Act (CCPA) and the...more
8/11/2021
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
CDPA ,
Colorado ,
Consumer Privacy Rights ,
Enforcement ,
General Data Protection Regulation (GDPR) ,
Gramm-Leach-Blilely Act ,
New Legislation ,
Personal Information ,
Privacy Laws
On April 1, in a highly anticipated decision that likely will have a significant effect on litigation under the Telephone Consumer Protection Act (TCPA), the Supreme Court ruled on what qualifies as an “automatic telephone...more