Photo of Richard H. Tilghman IV

On April 26, 2024, the Federal Trade Commission (FTC) announced that it had finalized changes to the Health Breach Notification Rule (HBNR). These changes, which go into effect on June 25, 2024, are intended to modernize aspects of the HBNR such that the HBNR applies to entities not covered under the Health Insurance Portability and Accountability Act (HIPAA). The updated HBNR follows the FTC’s previously stated intention in a 2021 policy statement to broaden the interpretation of the HBNR to address the growing number of digital health applications, websites, and consumer-facing technology that were not subject to HIPAA. The scope of the finalized rule therefore aims to apply the HBNR to health care technology and digital health companies that obtain personal health records (PHR) and PHR identifiable health information.

Continue Reading: FTC Finalizes Broader Changes to the Health Breach Notification Rule

On November 30, 2023, the Illinois Supreme Court issued a much-anticipated decision in Mosby v. The Ingalls Memorial Hospital, answering a certified question about whether biometric information collected from health care workers is protected by the Illinois Biometric Information Privacy Act (BIPA) if that information is used for purposes related to health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Court ruled that when health care worker data is collected for purposes of health care treatment, payment, or operations under HIPAA, the information is excluded from protection under BIPA.

Mosby involved a putative class action claim brought by nurses whose biometric information allegedly was collected to identify them before dispensing medication to patients. The trial court and Illinois Appellate Court had ruled that these collections were covered by BIPA because BIPA’s exclusions for “health care treatment, payment, or operations under HIPAA” were directed at protecting patient data, not health care worker data.

Continue Reading: Illinois Supreme Court: Collection of Biometric Data for Health Care Treatment, Payment, or Operations Is Exempt from BIPA