HIPAA privacy and security
Financial and capital markets firms are sitting at an under-mapped intersection: HIPAA applies wherever they handle protected health information, including through employee benefit plans, fintech health-linked products, and certain data-sharing arrangements with covered entities. The U.S. Department of Health and Human Services Office for Civil Rights and the U.S. Federal Trade Commission have both taken enforcement positions that reach financial sector actors holding health data, and the 2024 HIPAA Security Rule proposed update from HHS would impose materially stricter technical safeguard requirements than the 2003 baseline most firms quietly inherited. Compliance teams are reviewing business associate agreements and third-party data vendor contracts now, not after a breach.
Watch
- HHS proposed HIPAA Security Rule update: new technical safeguard minimums pending finalization
- FTC health breach notification enforcement: penalties extending to non-HIPAA-covered data holders
- Business associate agreement gaps in fintech and embedded finance product structures
- State-level health data privacy laws (Washington My Health My Data Act) layering onto federal baseline
Recent material activity in Financial & Capital Markets
- SEC proposes amendments to Exchange Act Rule 3b-16 expanding ATS definition to include DeFi protocols
The SEC has proposed rule changes that would bring decentralized finance protocols under the regulatory umbrella of Alternative Trading Systems. The amendment targets platforms facilitating token swaps exceeding $50M dai…
- SEC enforcement action against crypto lending platform for unregistered securities offering
The Commission filed charges against a major crypto lending platform alleging the firm offered and sold crypto asset lending products that constituted unregistered securities. The complaint seeks disgorgement of $340M in…
- CFTC and SEC release joint statement on digital asset classification framework
The two primary federal financial regulators issued a joint interpretive statement providing guidance on when digital assets fall under securities law versus commodities law. The framework introduces a functional test ba…
- Federal Reserve announces enhanced supervisory expectations for banks with crypto asset exposure
The Board of Governors issued SR 26-4 establishing new supervisory expectations for state member banks engaging in crypto-related activities. Banks must now maintain dedicated risk management frameworks, capital reserves…
- SEC approves spot Ethereum ETF amendments allowing staking yield pass-through
The Commission approved amendments to existing spot Ethereum ETF registration statements permitting the pass-through of staking rewards to fund shareholders. The approval includes enhanced disclosure requirements and a 3…
- SEC Division of Examinations publishes 2026 priorities: crypto compliance tops the list
The SEC's examination division released its annual priorities letter placing crypto asset compliance, stablecoin reserves, and DeFi protocol governance as the top three examination focus areas for 2026. Registered invest…
- FINRA proposes new rules for broker-dealer crypto custody and customer protection
FINRA filed a proposed rule change establishing custody requirements for broker-dealers holding crypto assets on behalf of customers. The proposal requires segregated wallets, proof-of-reserves attestations, and $10M min…
- Federal Reserve Board publishes research paper on CBDC impact on commercial bank deposits
The Board published a staff research paper modeling the potential displacement of commercial bank deposits by a retail CBDC. The paper estimates 8-12% deposit migration in the first two years, with disproportionate impac…