Healthcare Data Privacy

New Federal Data Privacy and Protection Legislation Introduced

A federal data privacy law is inching closer to reality, with House and Senate Committee leaders reportedly having reached an agreement on data privacy measures and proposed the American Privacy Rights Act of 2024.

In July 2022, the American Data Privacy and Protection Act (ADPPA) was proposed. ADPPA was a bipartisan effort to introduce much-needed protections for consumer data and, if enacted, would regulate how organizations could collect and use consumer data. The landmark federal data privacy bill was the first federal data privacy legislation to pass committee markup, succeeding where many attempts over the past two decades have failed.

In the absence of a federal data privacy law, many states have introduced their own laws, with California being the first state to introduce a comprehensive consumer data privacy law, followed by 14 others: Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire. Seven other states have introduced narrow privacy laws: Maine, Michigan, Minnesota, Nevada, New York, Vermont, and Washington, and legislation is pending in several other states. The problem with this patchwork of data privacy laws is it makes compliance complex for companies that operate in more than one state, and individuals living just a few miles apart over a state line could have vastly different rights and protections.

ADPPA underwent some revisions and advanced to the House floor, but Republicans and Democrats were unwilling to compromise on key parts of the bill. One of the key sticking points was the preemption of state laws: ADPPA set a ceiling rather than a floor for data privacy and protection, so individual states would have been unable to go beyond the basic protections set by ADPPA. That would mean that states such as California would have to water down the protections that have been in place for state residents for several years.

Another sticking point was the private cause of action, with Democrats backing a private cause of action that allowed individuals to bring lawsuits for privacy violations, whereas Republicans largely opposed a private cause of action. Last Congress, leaders of the House Committee on Energy and Commerce and Senate Commerce Committee agreed to amendments to ADPPA that would see the federal privacy law preempt some state laws and include a limited private cause of action; however, even with this proposal, there was insufficient support. Californian Democrats opposed the preemption of state laws and refused to give their support, and former House Speaker Nancy Pelosi and Sen. Maria Cantwell (D-WA), Chair of the Senate Committee on Commerce, Science, and Transportation, also refused to support ADPPA. As such, the proposal was rejected and ADPPA was not reintroduced to Congress.

According to a press release issued by Rep. Cathy McMorris Rodgers (R-WA), Chair of the House Energy and Commerce Committee, a deal has been agreed on new federal data privacy legislation – The American Privacy Rights Act of 2024, the successor of ADPPA. “This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said Chairs Rodgers and Cantwell. “This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress. Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.”

“This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act,” said Chair Rodgers. “I’m grateful to my colleague, Senator Cantwell, for working with me in a bipartisan manner on this important legislation and look forward to moving the bill through regular order on Energy and Commerce this month.”

A discussion draft of the American Privacy Rights Act of 2024 is available here, and a section-by-section discussion draft can be downloaded here.

The post New Federal Data Privacy and Protection Legislation Introduced appeared first on HIPAA Journal.

Senators Demand Answers from the United Network for Organ Sharing About 1 Million+ Record Data Breach

U.S. Senators Chuck Grassley (R-IA) and Ron Wyden (D-OR) have written to the United Network for Organ Sharing (UNOS), which administers the Organ Procurement and Transplantation Network (OPTN), demanding answers about a recently identified data breach and criticizing UNOS for its apparent inability to operate the OPTN.

The Senators previously wrote to UNOS in January 2022 to express their concerns about OPTN systems, which were in desperate need of modernization to protect them from cyberattacks. There is only a short window of opportunity for matching donors with patients in need of transplants, and any disruption to the system – a ransomware attack for example – could result in the loss of many lives.

The Senators also voiced their concerns with the White House Chief Information Officer in February 2022 about the technology in use and the cybersecurity measures to protect the OPTN from cyberattacks. In September of that year, the HHS Office of Inspector General (OIG) published a report that called for the Health Resources and Services Administration (HRSA) to improve oversight of the cybersecurity of the OPTN. The OPTN had been criticized for the use of outdated IT systems and the lack of technical capabilities to upgrade the systems, secure them, and ensure they are fit for purpose.

On March 20, 2023, the Senators wrote to UNOS about an outage of the DonorNet system on February 15, 2023, which put patients’ lives at risk, and again criticized UNOS for the failure to operate the critical technology supporting the OPTN. A few days later, the Senators wrote to UNOS again about a recently discovered data breach.

In November 2023, UNOS conducted two software tests and discovered a software configuration error had exposed the sensitive data of 1.5 million organ transplant patients and DonorNet system users. Users of the system can access individual records on a case-by-case basis; however, the error allowed access to all records on the OPTN and DonorNet system, including details such as names, dates of birth, Social Security numbers, and procedures. In the latest letter, the Senators have demanded answers about the data breach and expressed their “continued concerns with the security of UNOS’s critical technology and its apparent inability to efficiently and effectively operate the OPTN.”

Specifically, the Senators want to know how the data breach was identified; the root cause of the breach and any relevant investigations and reviews; the number of patients affected; whether patient records were accessed by unauthorized individuals; and how many individuals were able to access patient data they were not authorized to view. They have also requested information about breach response processes at UNOS, including the response to the latest breach, whether patients have been notified, and the steps taken to prevent further breaches and cyberattacks. UNOS has been given until April 10, 2024, to provide the answers.

Sens. Grassley and Wyden have been pushing for reforms to improve the administration of the OPTN. In April 2023, they proposed new legislation – The Securing the U.S. Organ Procurement and Transplantation Network Act – to improve the management of the OPTN, which for the past 40 years has been solely administered by UNOS. The legislation was signed into law by President Biden in September 2023; it breaks up the contract for the management of the OPTN and encourages participation from competent and transparent contractors. The aim of the legislation is to improve transparency and address the many failures that have plagued the OPTN over the past 40 years, and it is hoped that the breakup of the monopoly will increase competition and help to save many lives.


Kentucky Senate Advances Children’s Medical Record Access Bill

HIPAA gives parents the right to access the medical records of their minor children, but Kentucky lawmakers want to make sure that parents can access their children’s entire medical records and prevent healthcare providers from withholding information about treatment that does not, under state law, require parental consent.

House Bill 174 was sponsored by Representatives Rebecca Raymer (R), Danny Bentley (R), Chris Fugate (R), John Hodgson (R), and Michael Lockett (R). The bill adds a new section to current state law (KRS, Chapter 422) that establishes standards and procedures for access to copies of the medical records of patients under 18 years by the minor’s personal representatives – individuals who under state law have the authority to make health care decisions for a patient, or a parent of the patient – provided the disclosure of those records is not prohibited by the Health Insurance Portability and Accountability Act (HIPAA).

The bill was presented to the House by Sen. Donald Douglas (R), who explained that while HIPAA gives personal representatives/parents the right to access or obtain a copy of the medical records of their minor children, that may not always be the case in practice. “I’ve heard the argument of HIPAA gives us all the access, but ultimately, if one reads all the HIPAA forms, they find that often these decisions are left up to the states or even sometimes these decisions are left up to the treating physician,” said Sen. Douglas. He also explained that state laws have put up barriers for parents. For instance, under state law, minors who present with certain medical conditions can be treated without the consent of a parent or legal guardian, and individuals 16 years of age and older can receive mental health treatment without the consent of a parent or legal guardian. Sen. Douglas believes that is wrong.

In Kentucky, there are certain types of care that minors can consent to themselves without parental consent, for instance, reproductive healthcare, care when child abuse is suspected, and mental health care (if over 16). While the amendments to state law have received strong support from Kentucky lawmakers, there has been criticism of the changes, especially from pediatricians. Sen. Karen Berg (D) voted against the amendment. She said she has spoken with pediatricians and the view was that they would not abide by the changes if they are enacted. “They felt that this was a huge break in physician-patient confidentiality around certain singular issues that growing teenagers sometimes desire and sometimes need confidentiality from their parents,” said Sen. Berg.

Sen. Cassie Chambers Armstrong (D) also voted against the bill and said parents already have access to most of their children’s records, aside from a few areas where additional protections have been put in place, such as injuries sustained due to child abuse. A counterargument from Sen. Douglas was that in such cases, healthcare providers are obligated to notify the police, and the role of a healthcare provider is to provide an opinion and treatment, not to get involved in rearing other people’s children.

The bill was passed by the House of Representatives with a vote of 81-15 and by the Senate with a vote of 28-7. The bill now heads back to the House.


Senator Calls for FTC, SEC to Hold Data Broker Accountable for Misuse of Geolocation Data

U.S. Senator Ron Wyden (D-OR) has written to the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) calling for action to be taken to protect consumers and investors from “the outrageous conduct” of the publicly owned data broker, Near Intelligence Inc. Sen. Wyden launched an investigation in May 2023 of Near Intelligence after a report in The Wall Street Journal revealed the Wisconsin-based non-profit anti-abortion group, The Veritas Society, used geolocation data obtained from Near Intelligence to conduct a misinformation campaign on women suspected of seeking abortion.

Geolocation data is collected through code that is incorporated into mobile phone apps. The code receives location data and transfers it, along with other information, from the user’s device. The data collected reveals a person’s movements, including visits to sensitive locations such as reproductive health clinics, places of worship, and healthcare providers. The geolocation data can be tied to an individual and reveals how long they were present at a particular location, with the data accurate to a few meters.

The Veritas Society’s advertising agency, Recrue Media, used Near Intelligence to obtain the geolocation data of individuals who visited Planned Parenthood clinics and used that data for the advertising campaign. Recrue Media conducted the campaign for The Veritas Society from November 2019 through the summer of 2022, when Roe v. Wade was overturned following the decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization.

Sen. Wyden spoke with Steven Bogue, Co-Founder and Managing Principal of Recrue Media, on May 19, 2023, who revealed that to conduct the targeted campaign, his employees used the Near Intelligence website to geofence Planned Parenthood clinics and parking lots. Individuals who visited any of the 600 Planned Parenthood clinics in 48 states were then targeted. The Veritas Society said that in 2020 alone, it conducted a campaign that served 14.3 million ads to women who had visited abortion clinics, with the ads pushed out to their social media pages on Facebook, Instagram, and Snapchat.

A second investigation by The Wall Street Journal into Near Intelligence revealed in October 2023 that the company had also sold geolocation data to the U.S. government. Near Intelligence had provided the data to a defense contractor, which sold the data to the Defense Department and U.S. intelligence agencies. Sen. Wyden spoke with Near Intelligence’s Chief Privacy Officer, Jay Angelo, who explained that the company did not have the technical capabilities to prevent customers from targeting individuals who visited sensitive locations. He also confirmed that Near Intelligence had been providing location data to the defense contractor, AELIUS Exploitation Technologies, for three years and that the geolocation data had been collected without user consent. The Near Intelligence website stated that the data collected would not be provided to governments. Angelo joined Near Intelligence in June 2022 and conducted a review of the company’s practices, which revealed the company was facilitating the sale of geolocation data to the U.S. government. When the review was concluded, those statements were removed from the website.

Near Intelligence had a particularly bad financial year and has filed for bankruptcy. A statement provided in its December 11, 2023 bankruptcy hearing confirmed that former executives are under criminal investigation and that the SEC has initiated an investigation of the company related to a data breach in France, which involved transferring the data of E.U. citizens to the U.S. government.

The Federal Trade Commission is cracking down on the collection and sale of geolocation data that has been obtained without consent and has recently settled a complaint with the data broker X-Mode Social/Outlogic. Sen. Wyden requested FTC Chair, the Honorable Lina Khan, prevent Near Intelligence from selling off the data it has collected to another company or data broker during the company’s bankruptcy proceedings and to ensure that the geolocation and device data it holds is permanently deleted. Sen. Wyden explained that in this instance, The Veritas Society conducted a misinformation campaign, but the same geolocation data could be used by right-wing prosecutors in states with bans on abortions to prosecute women who visit abortion clinics in states where abortions are legal.

Sen. Wyden also requested the SEC Chair, the Honorable Gary Gensler, expand the SEC’s investigation of Near Intelligence and investigate whether the misleading statements Near Intelligence provided to Congress about whether geolocation data was obtained with users’ consent violated securities laws. “Federal watchdogs should hold [Near Intelligence] accountable for abusing Americans’ private information,” said Sen. Wyden. “And Congress needs to step up as soon as possible to ensure extremist politicians can’t buy this kind of sensitive data without a warrant.”


California AG Agrees $5 Million Settlement with Quest Diagnostics Over Improper Disposal of Waste; Patient Data

California Attorney General Rob Bonta has announced that a $5 million settlement has been agreed with Quest Diagnostics to resolve allegations it illegally dumped hazardous and medical waste and disposed of the unredacted personal health information of patients in regular trash dumpsters. An investigation was conducted into the business practices of Quest Diagnostics that involved 30 inspections at four Quest Diagnostic Laboratories and several of its patient service centers in the state to determine if Quest Diagnostics was complying with California’s Hazardous Waste Control Law, Medical Waste Management Act, Unfair Competition Law, and civil laws that prohibit the disclosure of the personal health information of Californians.

The inspections included reviews of the contents of compactors and dumpsters at Quest facilities, which were found to contain hundreds of containers of chemicals, including reagents and bleach, as well as electronic waste and batteries. The dumpsters also contained medical waste such as specimen containers that included blood and urine, hazardous waste such as flammable liquids, solvents, and batteries, and unredacted medical information.

Quest Diagnostics was notified about the findings of the inspections and hired an independent environmental auditor to review its waste disposal policies and procedures, which have now been modified. Staff training on the updated policies and procedures has been provided across its four laboratories and more than 600 patient service centers in the state to ensure full compliance with California laws.

“Quest takes patient privacy and the protection of the environment very seriously and has made significant investments to implement industry best practices to ensure hazardous waste, medical waste, and confidential patient information are disposed of properly,” said a spokesperson for Quest Diagnostics. “These include investing in technologies for treatment of biological waste, secured destruction of patient information, programs to maximize recycling efforts and minimize waste-to-landfill disposal, waste-to-energy recovery of non-recyclable wastes, and enhanced waste audit and inspection measures to ensure continued compliance with applicable laws.”

The settlement includes $3,999,500 in civil monetary penalties, $700,000 in costs, and $300,000 for a Supplemental Environmental Project to support environmental training and enforcement in California, and injunctive relief requiring Quest Diagnostics to maintain an environmental compliance program and hire a third-party waste auditor to conduct annual audits and report on its status. The civil monetary penalties will be divided between 10 California counties. The investigation was a collaboration between the office of Attorney General Bonta and the District Attorney’s offices in Alameda, Los Angeles, Monterey, Orange, Sacramento, San Bernardino, San Joaquin, San Mateo, Ventura, and Yolo counties.

“Quest Diagnostics’ illegal disposal of hazardous and medical waste and patient information put families and communities at risk and endangered our environment,” said Attorney General Rob Bonta. “Let today’s settlement send a clear message that my office will hold corporations, including medical services providers, accountable for violations of state environmental and privacy laws. I appreciate the partnership of the district attorneys’ offices across our state that led to this critical settlement.”

Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals were also investigated over their waste disposal practices and were similarly found to have improperly disposed of hazardous waste, medical waste, and patient information, in violation of state laws. The case was settled for $49 million last September.


HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations

The U.S. Department of Health and Human Services (HHS) has finalized the proposed modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (Part 2). “The Final Rule strengthens confidentiality protections while improving care coordination for patients and providers. Patients can seek needed treatment and care for substance use disorder knowing that greater protections are in place to keep their records private, and providers can now better share information to improve patient care,” said OCR Director Melanie Fontes Rainer.

The Part 2 regulations have been in effect since 1975 and protect “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder [SUD] education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” These records are subject to strict protections due to the sensitivity of the information they contain and to avoid deterring people from seeking treatment for SUD due to fears about discrimination and prosecution.

The bipartisan Coronavirus Aid, Relief, and Economic Security Act (CARES Act) called for the Part 2 regulations to be more closely aligned with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Breach Notification, and Enforcement Rules. On December 2, 2022, the HHS, via the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), published a Notice of Proposed Rulemaking (NPRM) to implement the changes required by the CARES Act. The comments received from industry stakeholders in response to the NPRM have been considered and appropriate modifications have been made before finalizing the changes.

The modifications include permitting the use and disclosure of Part 2 records based on a single patient consent. Once that consent has been given by a patient it covers all future uses and disclosures for treatment, payment, and health care operations. The final rule also permits disclosure of records without patient consent to public health authorities, provided the records are first deidentified using the methods stated in HIPAA. Redisclosure of Part 2 records by HIPAA-covered entities and business associates is permitted, provided those disclosures are in accordance with the HIPAA Privacy Rule, with certain exceptions. Separate consent is required for the disclosure of SUD clinician notes, which will be handled in the same way that psychotherapy notes are handled under HIPAA.

Patients’ SUD treatment records were already protected and could not be used to investigate or prosecute the patient unless written consent is obtained from the patient or as required by a court order that meets Part 2 requirements. Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have also been expanded in the final rule. The final rule clarifies the steps that investigative agencies must follow to be eligible for safe harbor. Before any request for records is made, the agency is required to search the SAMHSA treatment facility directory and check the provider’s Notice of Privacy Practices to determine if they are subject to Part 2.

The final rule gives patients new rights to obtain an “accounting of disclosures,” request restrictions on certain disclosures, and opt out of receiving fundraising communications, as is the case under the HIPAA Privacy Rule. Patients will also be able to file a complaint about Part 2 violations directly with the Secretary. In the event of a breach of Part 2 records, the requirements for notifications are now the same as the HIPAA Breach Notification Rule. The HHS has also been given enforcement authority, including the ability to impose civil monetary penalties for Part 2 violations. The criminal and civil penalties for Part 2 violations will be the same as those for violations of the HIPAA Rules. Other changes that have been introduced based on comments received on the NPRM include a statement confirming that Part 2 records do not need to be segregated and that it is not permitted to combine patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.

“Patient confidentiality is one of the bedrock principles in health care. People who are struggling with substance use disorders must have the same ability to keep their information private as anyone else. This new rule helps to ensure that happens, by strengthening confidentiality protections and improving the integration of behavioral health with other medical records,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration has made it a priority to end the stigmatization of those living with substance use disorders and give health care providers the tools they need so they can treat the whole patient while continuing to protect patient privacy. We will not rest until behavioral health is fully integrated into health care and those struggling with behavioral health challenges get the best treatment available.”

The final rule is due to be published in the Federal Register in mid-February. The compliance date has been set as 2 years from the date of publication. A fact sheet has been published by the HHS summarizing the changes that have been made in the Final Rule.


1.3 Million-Record Database of Netherlands COVID-19 Testing Lab Exposed Online

A medical laboratory in the Netherlands that served as a COVID-19 testing facility has left a database exposed on the Internet that contained the sensitive data of almost 1.3 million individuals including names, dates of birth, appointment details, email addresses, COVID-19 testing information, and passport numbers.

The exposed database was found by Jeremiah Fowler, co-founder of Security Discovery and security researcher at vpnMentor. The database did not require any authentication to access and the entire database could be accessed by anyone who knew the path name. The database included an estimated 1,285,277 records, including 118,441 certificates, 506,663 appointments, 660,173 testing samples, and a small number of internal application files. The database also contained thousands of QR codes that linked to web pages that included appointment details and email addresses.

The documents had the name and logo of a now inaccessible website, Coronalab.eu, which belongs to Coronalab. Coronalab is owned by the Amsterdam-based ISO-certified laboratory, Microbe & Lab, one of the top two commercial medical test providers in the Netherlands. Fowler tried to contact Coronalab on several occasions to inform the company about the exposed database but received no response. The database remained exposed online for three weeks until Fowler contacted the cloud hosting company, Google, which secured the database to prevent further unauthorized access. It is unclear how long the database was exposed online and how many people found it.

Since names, dates of birth, testing information and email addresses were present in the database, the information could be used by cybercriminals in phishing attacks impersonating Coronalab employees. As Fowler explained, phishing emails could be crafted with information known only to the individuals concerned and Coronalab, increasing the chance of a response. “In my professional opinion, now that the pandemic is mostly behind us, it is time for organizations to review the massive amounts of data they have stored and determine if these records are still needed,” said Fowler. “If they are, organizations must ensure the data is secured from unauthorized access. The records should be encrypted or anonymized to prevent unwanted data exposures or threats from malicious actors.”


White House Announces New Actions in Response to Roe v. Wade

To mark what would have been the 51st anniversary of Roe v. Wade, the White House Task Force on Reproductive Healthcare issued a fact sheet announcing new actions to strengthen access to contraception and medication abortions, and ensure that patients receive the emergency medical care they need.

The Task Force explained that the overturning of Roe v. Wade resulted in extreme state abortion bans. “These dangerous state laws have caused chaos and confusion, as women are being turned away from emergency rooms, forced to travel hundreds of miles, or required to go to court to seek permission for the health care they need,” wrote the Task Force.

The fact sheet explains some of the actions that have been taken by federal agencies in response to President Biden’s three Executive Orders and a Presidential Memorandum on access to reproductive health care, strengthening access to contraception and affordability for women with health insurance, reinforcing obligations to cover affordable contraception, educating patients and care providers about rights and obligations for emergency medical care, and protecting access to safe and legal medication abortion.

The Task Force has confirmed that while the overturning of Roe v. Wade removed the Federal right to abortion, it did not prohibit women from traveling to another state to seek the care they need. The Alabama Attorney General had threatened to prosecute people who provided assistance to women seeking lawful out-of-state abortions, and in November 2023, the Department of Justice filed a statement of interest in two lawsuits challenging the Alabama Attorney General’s threats, stating that “prosecutions infringed the constitutional right to travel and made clear that states may not punish third parties for assisting women in exercising that right.”

The HHS has written to U.S. governors to invite them to apply for Section 1115 waivers to expand access to care under the Medicaid program to women who are prohibited from receiving abortion care in the states where they live and may be denied care under the Medicaid program. The HHS continues to encourage state leaders to consider and develop new waiver proposals to support access to reproductive health care services.

In April 2023, the HHS issued a notice of proposed rulemaking that strengthened reproductive health privacy under HIPAA. The proposed rule prevents an individual’s information from being disclosed to investigate, sue, or prosecute an individual, a health care provider, or a loved one simply because that person sought, obtained, provided, or facilitated legal reproductive health care, including abortion. The new rule will strengthen patient-provider confidentiality and help healthcare providers give complete and accurate information to patients.

The Federal Trade Commission (FTC) is taking steps to prevent the illegal use and sharing of sensitive health information, such as reproductive health information, and has already taken action against companies that are alleged to have disclosed sensitive data without consumers’ consent, including precise geolocation information that could indicate a visit to a reproductive health center. In 2022, the FTC sued Kochava over the collection and sale of precise location data, and settlements have recently been proposed that prohibit the data companies X-Mode Social/Outlogic and InMarket Media from selling precise location data.

The Federal Communications Commission (FCC) has recently published a new guide for consumers on best practices that can be adopted to protect personal data, including geolocation data on mobile phones, and the HHS has also issued guidance for consumers on how to protect data on personal cell phones or tablets when using mobile health apps such as period trackers, which are generally not protected by HIPAA.

Guidance has also been issued by the HHS that affirms that doctors and other medical providers can take steps to protect patients’ electronic health information, including reproductive health care information, and confirms that patients have the right to ask that their electronic health information generally not be disclosed by a physician, hospital, or other health care provider. The HHS has also launched a website, ReproductiveRights.gov, that provides individuals with timely and accurate information about their rights concerning reproductive healthcare.

The Department of Education has issued guidance to school officials reminding them of their obligations to protect student privacy under the Family Educational Rights and Privacy Act (FERPA) and that they must obtain written consent from eligible students or parents before disclosing personally identifiable information from students’ educational records, including student health information. The department has also created a new resource for students to explain their rights with respect to health information privacy.

The post White House Announces New Actions in Response to Roe v. Wade appeared first on HIPAA Journal.

FTC Proposes Settlement Prohibiting InMarket from Selling Consumers’ Precise Location Data

The Federal Trade Commission (FTC) has proposed a settlement with the digital marketing platform provider and data aggregator InMarket Media LLC that resolves allegations that the company’s business practices violated the FTC Act.

According to the FTC complaint, InMarket Media obtains vast amounts of consumer data including information from mobile devices about consumers’ movements, purchasing habits, demographic data, and information on their socioeconomic background. InMarket Media retains consumer data for 5 years and uses that data to facilitate targeted advertising on consumers’ mobile devices through its InMarket Software Development Kit (SDK). InMarket Media categorizes consumers into advertising audiences and allows its clients to target consumers on third-party advertising platforms. The FTC alleges that InMarket Media failed to notify consumers that their personal data will be used to serve targeted advertisements and did not verify that mobile applications that incorporate the InMarket SDK have notified consumers about such uses of their personal data.

Apps that incorporate the InMarket SDK request access to location data from the mobile device’s operating system. If the user gives the app those permissions, their precise latitude and longitude will be collected and transmitted back to InMarket Media along with a timestamp and a unique mobile device identifier. When a user is moving, the location data is sent every few seconds. According to the FTC, between 2016 and the present, around 100 million unique devices have transmitted location data to InMarket Media each year.

The location data reveals where the user lives and works, where their children go to school or obtain child care, and where they receive medical treatment, which can reveal the existence of medical conditions. The location data can also reveal other sensitive information such as where they go to rallies, demonstrations, or protests, which can reveal political affiliations. The location data can also be used to determine how long an individual is present in a particular location.

The FTC alleges InMarket Media misled consumers by providing “misleading half-truths” about its data uses. For instance, the consent screens for the CheckPoints and ListEase apps state that consumers’ data will be used for the app’s functionality such as earning points and keeping lists, but the consent screens do not state that users’ precise location will be collected and transmitted along with data collected from multiple other sources and that the data will be used to build extensive profiles on users to precisely target them with advertising.

While InMarket Media states in its privacy policy that consumer data will be used for targeted advertising, the consent screen does not link to the privacy policy language, and misleading prompts do not inform consumers of the apps’ data collection and use practices. InMarket is alleged to do very little to verify that third-party apps incorporating its SDK obtain informed consumer consent before granting InMarket access to their sensitive location data and does not require apps that incorporate the SDK to obtain informed consumer consent.

Consequently, InMarket does not know whether users of the hundreds of third-party apps that incorporate the InMarket SDK have been informed that their data is being collected and used for targeted advertising. The FTC alleges InMarket Media violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices affecting commerce. Misrepresentations or deceptive failures to disclose a material fact constitute deceptive or unfair practices under Section 5(a), and the acts are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves.

The complaint alleges four counts of FTC Act violations: unfair collection and use of consumer location data; unfair collection and use of consumer location data from third-party apps; unfair retention of consumer location data; and deceptive failure to disclose InMarket’s use of consumer location data. A settlement has been proposed that prohibits InMarket Media from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data. “All too often, Americans are tracked by serial data hoarders that endlessly vacuum up and use personal information. Today’s FTC action makes clear that firms do not have free license to monetize data tracking people’s precise location,” said FTC Chair Lina M. Khan. “We’ll continue to use all our tools to protect Americans from unchecked corporate surveillance.”

A spokesperson for InMarket Media said the company disagrees with the FTC’s allegations and is expanding its existing sensitive location protections. Also, in December 2023, the company engaged a nonprofit to identify location information close to reproductive healthcare clinics to remove that information from its databases. InMarket Media also confirmed that it is working with its partners to ensure that their notice and consent processes are clear.
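To make concrete both the ping stream the complaint describes (precise latitude and longitude plus a timestamp and device identifier, sent every few seconds) and the clinic-adjacent removal step mentioned here, the following is an added example, not InMarket’s, the nonprofit’s, or the FTC’s code: it computes how long a device dwelt near a site from constructed pings, then applies a storage-side filter that drops pings near a placeholder clinic coordinate. The 100 m radius and all coordinates are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Ping:
    """One SDK location report: device id, unix timestamp, precise coordinates."""
    device_id: str
    ts: int
    lat: float
    lon: float


EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def dwell_seconds(pings, site, radius_m):
    """Seconds between the first and last ping within radius_m of site.
    This is the dwell-time inference the complaint says raw ping streams enable."""
    inside = sorted(p.ts for p in pings if haversine_m(p.lat, p.lon, *site) <= radius_m)
    return inside[-1] - inside[0] if inside else 0


def suppress_near(pings, sensitive_sites, radius_m):
    """Data-minimisation filter: drop every ping within radius_m of any sensitive
    site before it is stored, so no dwell time at that site can be derived later."""
    return [p for p in pings
            if all(haversine_m(p.lat, p.lon, *s) > radius_m for s in sensitive_sites)]


# Constructed sample: a placeholder clinic coordinate and one device reporting
# every 5 s (the cadence described in the complaint) across three stops.
CLINIC = (40.7500, -73.9900)  # placeholder coordinate, not a real facility
SAMPLE_PINGS = (
    [Ping("dev-A", t, 40.7000, -74.0000) for t in (0, 5, 10)]               # home, ~5.6 km away
    + [Ping("dev-A", t, 40.75001, -73.99002) for t in range(1000, 2801, 5)]  # 30 min at the clinic
    + [Ping("dev-A", t, 40.7600, -73.9800) for t in (3600, 3605)]            # elsewhere, ~1.4 km away
)

if __name__ == "__main__":
    print("dwell at clinic:", dwell_seconds(SAMPLE_PINGS, CLINIC, 100), "s")
    kept = suppress_near(SAMPLE_PINGS, [CLINIC], 100)
    print("pings kept:", len(kept), "dwell now:", dwell_seconds(kept, CLINIC, 100), "s")
```

Run as a script it shows a 1800 s dwell from the raw stream and 0 s once the filter has run, which is the difference between retaining and minimising the data the FTC counts as sensitive.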

The FTC has recently proposed a similar settlement with the data broker X-Mode Social (Outlogic) that also prohibits the sale of precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics. The FTC also sued the data broker Kochava for selling geolocation data that could identify visits to sensitive locations.

The post FTC Proposes Settlement Prohibiting InMarket from Selling Consumers’ Precise Location Data appeared first on HIPAA Journal.