The Department of Defense (DoD) issued a final rule on Covered Telecommunications Equipment or Services that implements Section 1656 of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91).
U.S. Biometrics Laws Part I: An Overview of 2020
Data privacy laws have made significant breakthroughs in recent years, making it a top priority for businesses. From the adoption of the European Union’s General Data Protection Regulation (GDPR) in 2016 to the enactment of the California Consumer Privacy Act (CCPA) in 2018 and the latest ballot approval of the California Privacy Rights Act (CPRA) in 2020, we continue to see data privacy laws develop and garner interest from consumers, businesses, and legislators alike.
Biometric privacy laws in particular, however, are often overshadowed by more general data privacy laws. As we discussed in our prior article, biometrics are physical and behavioral human characteristics (e.g., face, eye, fingerprint, and voice features) that can be used to digitally identify a person. As the collection and use of biometric data become more common in daily life and their applications in different industries continue to expand, new privacy considerations will emerge in this field. Biometrics laws, in their own right, require separate recognition because of the nuanced application of these specific laws.
The United States does not have a single, comprehensive federal law governing biometric data. Recently, we have seen an increasing number of individual states focus on this issue, and the recent introduction of legislation in a number of states specifically aimed at protecting the collection, retention, and use of biometric data. In Part I, we summarize some of the legislative activity on biometric laws from 2020. We will describe other noteworthy legislation to monitor for 2021 in Part II.
Information Blocking Compliance: What Providers Need To Know As Deadlines Approach
On November 4, 2020, the Office of the National Coordinator for Health Information Technology (ONC) published an Interim Final Rule with Comment Period (IFC) that delays the compliance dates for certain information blocking requirements initially finalized in the ONC Cures Act Final Rule (Final Rule) in March 2020. The Final Rule implemented health IT provisions enacted under the 21st Century Cures Act (the Cures Act) to achieve ubiquitous interoperability among health IT systems and to improve patients’ ability to access their electronic health information (EHI). Among these provisions is a prohibition on information blocking. This article will define information blocking, explain the exceptions to that prohibition, detail the IFC’s deadline extensions, and highlight key compliance concerns and solutions regarding these reforms.
Information Blocking
The term “Information Blocking” is broadly defined by the Cures Act as any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI when the entity knows (or should know) that it is likely to do so. The Cures Act specifies four types of “actors” that must comply with the information blocking rule:
Healthcare & Life Sciences Private Equity Deal Tracker: Shore Capital Invests in Tandem
Shore Capital Partners has announced it has invested in the Tandem Family of Companies.
Tandem provides human resources services to small, mid-sized and enterprise businesses throughout the United States. The company is comprised of four brands: Tandem HR, a professional employer organization that provides human resources outsourcing solutions; Benefit Solutions Group and Alliance Workplace Solutions,…
Data Privacy Day 2021: Privacy and Cybersecurity Are On Our Minds, Too
Data privacy is a top concern for many in-house legal professionals, and for good reason: data privacy and cybersecurity legal requirements are complex and continually evolving. Data Privacy Day is a great day to start addressing your organization’s data privacy and cybersecurity needs.
On Data Privacy Day 2021, here is what is top of mind for some of our Data Privacy & Security Team members:
- Andrew Konia – A Federal Privacy Law: “Calls (pleas?) for federal privacy legislation are nothing new, and last year we came close, with both parties presenting draft bills for consideration (surprise, neither passed!). But now, with the White House and both chambers of Congress under Democratic control, there appears to be renewed (and more serious) interest in a federal privacy law. We have seen (admittedly narrow) hints of the federal government taking a stronger stance on cybersecurity standards with the IoT Cybersecurity Improvement Act of 2020, which applies to federal agency purchases. But you take the recent and intense backlash on “Big Tech’s” use/sharing of data and perceived lack of data transparency, and mix in the Biden Administration’s prioritization of consumer protection generally, and you have the recipe – and a strong political appetite – for a comprehensive federal privacy law.”
- Bethany Lukitsch – California: “CPRA will be here before we know it, and most companies are going to have a lot to do to get ready. Updating privacy policies and adding ‘do-not-share’ links are one thing, but as with CCPA, it’s the behind-the-scenes work that is really going to take some time. It’s certainly not too early to get started.”
The Brexit Deal; UK Crime Fighting with European Friends
Since Brexit, the relationship between the European Union (EU) and the UK concerning law enforcement cooperation is now governed by the UK-EU Trade and Cooperation Agreement (the Agreement).
The UK Government states that the safety and security of British citizens is a top priority. It argues that the Agreement provides a comprehensive package of operational capabilities that will help protect the public and bring criminals to justice.
Meanwhile, critics say the new arrangements fall far below what the UK enjoyed as a member of the EU. In particular, the reduced access to ‘real time’ information-sharing systems is a major blow to UK law enforcement agencies. They say that the detection of crime will be slower and more cumbersome.
5th Circuit Weakens HHS’ Ability to Enforce HIPAA Safeguards
Healthcare providers and other covered entities are not required by HIPAA regulations to have “bulletproof” protections for safeguarding patient information stored in electronic form, according to a January 14, 2021 decision of the 5th U.S. Circuit Court of Appeals. In University of Texas M.D. Anderson v. U.S. Department of Health and Human Services, the 5th Circuit vacated a $4.3 million civil monetary penalty imposed by the U.S. Department of Health and Human Services (HHS) against the University of Texas’ M.D. Anderson Cancer Center.
The case arises from three separate incidents where M.D. Anderson employees lost laptops and USB thumb drives that contained unencrypted protected health information (PHI) for more than 34,000 patients. M.D. Anderson reported the breach incidents to HHS’ Office for Civil Rights (OCR), the office tasked with enforcing HIPAA. As a result of the reported breaches, OCR ordered M.D. Anderson to pay $4.3 million in civil monetary penalties (CMPs). M.D. Anderson appealed the decision to an HHS administrative law judge and to the HHS Departmental Appeals Board (DAB), both of which upheld OCR’s penalties. M.D. Anderson argued that the HIPAA regulations do not require encryption, that it complied with the regulations and employed other effective measures to safeguard electronic protected health information (ePHI), that the three incidents were the fault of staff who violated M.D. Anderson’s policies, and that the proposed CMPs were excessive.
Healthcare & Life Sciences Private Equity Deal Tracker: Enhanced Healthcare Sells SCA Pharm to The Vistria Group and Excellere Capital
Enhanced Healthcare Partners (EHP) has sold SCA Pharmaceuticals to The Vistria Group and Excellere Capital Management, according to a news release.
SCA Pharma, based in Little Rock, Ark., is an FDA 503B outsourcing facility that provides sterile admixture services to hospital pharmacies throughout the United States.
EHP, with offices in New York and…
The Status of EU–UK Data Flows Following Brexit
The end of the Brexit transition period on 31 December 2020 means the UK now has full autonomy over its data protection policies. As of 1 January 2021, the UK is recognised as a ‘third country’ under EU General Data Protection Regulation (GDPR) rules. The EU-UK Trade and Cooperation Agreement, which is an agreement in principle between the EU and the UK, does not yet include a provision covering the vast flow of personal data transferred between the two jurisdictions. The transfer of personal data will instead be subject to a separate adequacy decision from the EU, due in early 2021. That adequacy decision will determine whether the EU will allow the continued free flow of data from EU/EEA countries to the UK. If an adequacy decision is not granted, organisations that transfer personal data from the EU/EEA to the UK will have to take additional steps to ensure the transferred data is afforded protections equivalent to those in the EEA. The UK has already determined that it considers all EEA/EU states to be adequate, which means that personal data flows from the UK to the EU/EEA will remain unaffected.
Fraud and Abuse Rules Part III: New Value-Based Arrangement Protections
As discussed in a previous McGuireWoods alert, the Department of Health and Human Services (HHS) published final rules, effective Jan. 19, 2021, that significantly amend the Physician Self-Referral Law (Stark Law), the federal Anti-Kickback Statute (AKS) and the Civil Monetary Penalties (CMP) Law. This client alert, the latest in McGuireWoods’ summary series on these…