HIPAA privacy and security
Healthcare and life sciences organizations face a dual enforcement posture on HIPAA privacy and security right now: the U.S. Department of Health and Human Services Office for Civil Rights continues processing a backlog of breach investigations under the HIPAA Security Rule's technical safeguard requirements, while the U.S. Federal Trade Commission has extended its own authority over health data through the Health Breach Notification Rule, creating overlapping obligations for digital health companies and covered entities alike. The proposed HIPAA Security Rule overhaul published in late 2024 would mandate specific cybersecurity controls, including network segmentation and annual audits, and compliance teams are mapping existing vendor agreements against those draft requirements before a final rule lands.
Watch
- Proposed HIPAA Security Rule amendments: new mandatory technical controls under review
- FTC Health Breach Notification Rule: enforcement actions against non-HIPAA health apps expanding
- OCR right-of-access enforcement: civil monetary penalties issued to smaller covered entities
- State attorneys general HIPAA-parallel actions in California, New York, and Texas
- Business associate agreement gaps flagged in recent OCR resolution agreements
Recent material activity in Healthcare & Life Sciences
-
FDA issues Complete Response Letter for novel GLP-1 receptor agonist oral formulation
The FDA issued a CRL for a once-daily oral GLP-1 receptor agonist citing manufacturing consistency concerns at the primary production facility. The agency requested additional CMC data and a pre-approval inspection befor…
Read a full sample brief →