2024 was an incredibly busy year for health privacy.  As the year draws to a close and we look ahead to 2025, we share several areas that we are watching in the coming year, which we expect to be similarly busy with federal- and state-level activity:

  • Proposed Updates to the HIPAA Security Rule.  The U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) is expected to issue a proposed rule to update the HIPAA Security Rule before the end of 2024.  The original Security Rule was finalized approximately 20 years ago, and while HHS OCR has not released substantive details related to the updates to be proposed, it is possible that HHS OCR will propose to substantially change the security obligations of HIPAA-regulated entities.
  • State Laws Regulating Consumers’ Health-Related Information.  In 2024, Maryland became the fourth state to pass a law regulating consumer health data, following the enactment of laws regulating consumer health data in Washington, Nevada, and Connecticut in 2023.  In 2025, additional states are likely to consider bills to regulate consumers’ health-related data.  For example, Washington, DC recently introduced and held hearings on the Consumer Health Information Privacy Protection Act of 2024 (CHIPPA), and Michigan also recently introduced a bill to protect the privacy of reproductive health data. 
  • Court Challenge to HIPAA Privacy Rule Related to Reproductive Care Information.  In May 2024, HHS OCR modified the Privacy Rule to provide additional protections for protected health information concerning reproductive health.  The state of Texas sued HHS OCR in September 2024 alleging the rule is unlawful and should be vacated.  Substantive filings are not due in the case until early 2025, and it is not clear whether the incoming Trump Administration will defend the rule in court or take another action regarding the rule, such as deciding to repeal it.
  • State Genetic Privacy Developments.  In the past five years, more than 10 states have enacted laws to regulate consumer-facing genetic testing companies, and Montana also enacted a broadly applicable genetic privacy bill in 2023.  Several other states have considered bills in recent years that were ultimately not enacted.  In 2025, we expect to see additional states propose bills to regulate certain uses of consumers’ genetic information.  In addition, in early 2024 we saw a wave of litigation under the Illinois Genetic Information Privacy Act, which may continue in 2025.
  • Continued FTC Scrutiny Around the Use of Health Information.  President-elect Trump recently announced that he will appoint current Federal Trade Commission (FTC) Commissioner Andrew Ferguson to chair the FTC.  In recent years, FTC enforcement has focused on the use and disclosure of health information by digital health companies and other companies that collect health-related information from consumers, particularly for advertising purposes.  We will be monitoring whether the FTC will similarly prioritize health-related enforcement in the coming year, including under the FTC’s recently expanded Health Breach Notification Rule.
  • Continued Scrutiny Around the Use of Online Tracking Technologies.  In recent years, there has been litigation and regulatory scrutiny surrounding the use of tracking technologies on websites, including claims that the use of these technologies on health-related entities’ websites results in the impermissible collection and/or disclosure of health information.  In addition to litigation under state wiretap and consumer protection laws, as well as the California Confidentiality of Medical Information Act, in 2024 HHS OCR issued updated guidance addressing how HIPAA-regulated entities may use tracking technologies on their websites and mobile applications (a portion of this guidance was later vacated by a federal court in Texas).  This follows joint letters sent by the FTC and HHS OCR in 2023 to a number of health-related companies warning of “serious privacy and security risks” related to the use of these technologies on their websites.
  • DOJ Rulemaking Around Transfers of Bulk Sensitive and Government Data to Countries of Concern.  In 2025, the National Security Division of the Department of Justice (DOJ) is expected to finalize a proposed rule to regulate certain data transactions involving bulk U.S. sensitive personal data and government-related data.  While this rule would have impacts outside of the health and life sciences sectors, “sensitive personal data” is proposed to include several categories of health-related data, including human genomic data, biometric identifiers, and personal health data.  Further, any data transaction undertaken by a U.S. person with a country of concern or covered person that involves access to bulk U.S. human genomic data, or to human biospecimens from which bulk human genomic data could be derived, would be prohibited under the proposed rule. 
  • Privacy- and AI-Related Legislative Proposals.  We expect to see numerous states propose comprehensive privacy and/or AI-related bills in 2025, following a similar trend over the past several years.  On the AI front, a Texas state representative has already pre-filed a comprehensive AI bill to be considered in 2025.  While there was less state legislative focus on health-specific AI bills in 2024, California enacted a bill to regulate health care facilities’ use of generative AI for certain care-related purposes, and we will be watching whether other states enact legislation that is specific to the use of AI in the health care context.  It is also likely that federal privacy and AI legislation will be introduced in 2025, given legislators’ focus on these issues in recent sessions.

We will continue to monitor these developments and keep you apprised here on Inside Privacy.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes that Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.