
HIPAA Summit Recap--Health data beyond HIPAA

Risks surrounding the collection, use, and disclosure of health data go beyond HIPAA, and this could not have been more evident at the 41st HIPAA Summit, where many speakers, including myself, spoke of concerns resulting from the Federal Trade Commission's authority under Section 5 and the Health Breach Notification Rule (HBNR), Washington's My Health My Data Act (MHMDA), and future enforcement of health data as sensitive personal data under the avalanche of comprehensive state privacy laws. You can find my prior analysis of how to identify whether these regulations might apply to a business's use of health data here. However, during Director Melanie Fontes Rainer's OCR presentation, she specifically indicated that OCR would prioritize enforcement concerning hacking, ransomware, its right of access initiative and its new risk analysis initiative.

More importantly, the regulation of health data is escalating, and it would be prudent for all businesses, including those that do not traditionally see themselves as digital health businesses, to assess the risks associated with these fast-moving regulations. Companies should keep in consideration the following:

  • Tracking Technologies are still front and center—Whether using cookies, pixels, APIs or SDKs, all privacy regulators require notice, consent and processing restrictions when health products or services are involved. In addition, OCR is focused on violations of the HIPAA Security Rule based on its recent online tracking guidance.
  • Health inferences—Health data may not be what it seems. Regulators may enforce health privacy requirements on businesses that use data to make inferences about consumers' health status, not just on businesses that handle health data directly.
  • HIPAA Security Rule violations in focus—OCR will focus on violations of the HIPAA Security Rule, specifically regulated businesses' failure to conduct a compliant HIPAA risk analysis.
  • Vendors, vendors, vendors—Businesses should have specific language in their agreements with appropriate restrictions, whether the vendor is a business associate under HIPAA or a service provider/processor under various state privacy laws.
  • Expanding Enforcement Vehicles—From the private right of action in Washington, to state AGs' enforcement authority under HIPAA and UDAP laws, to OCR and FTC enforcement at the federal level, businesses should be vigilant.

Next, Washington's My Health My Data Act becomes effective March 31. Please find our analysis here.
