On May 29, 2022, Maryland amended the Maryland Personal Information Protection Act (PIPA). Effective October 1, 2022, the amendment (located here https://mgaleg.maryland.gov/2022RS/chapters_noln/Ch_502_hb0962E.pdf ) revises provisions regarding genetic information. These revisions include an undefined term “genetic information” for purposes of notices requires under PIPA. But the revisions also add a revised definition of genetic information as it applies to all other provisions of the law, including provisions requiring investigation into a data breach and the requirement that businesses implement and maintain reasonable security procedures and practices. Specifically, the revised definition includes data that results from the analysis of a biological sample of the individual or from another source that concerns genetic material and enables equivalent information to be obtained, DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms, and information extrapolated, derived or inferred from such data, unless the information is encrypted, redacted or otherwise protected by a method that renders the information unreadable or unusable.
On November 10th, the Eleventh Circuit Court of Appeals handed an embarrassing defeat to the Federal Trade Commission and an early Christmas present to LabMD, Inc. in the ongoing David and Goliath battle between the government agency and the new-defunct clinical lab.
What Happened?
It’s not easy to explain in a blog entry the complex backstory leading up to LabMD’s recent win, but here goes:
Over a thirteen year period (until it ceased business in 2014), LabMD operated a clinical laboratory that performed tests on patient specimen samples. As part of its operations, LabMD had ...
The Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) is the federal agency tasked with enforcing the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, as most folks reading this know, requires health care providers and other covered entities to protect the privacy and security of an individual’s protected health information (PHI). OCR has broad enforcement authority and wide latitude in deciding how to handle complaints alleging violations of HIPAA’s privacy, security, and breach notification rules. OCR can resolve a ...
About Data Points: Privacy & Data Security Blog
The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.
Data Points: Privacy & Data Security Blog Updates
- The Consumer Financial Protection Bureau Stakes Out Its Enforcement Authority Over Unfair Information Security Practices
- Maryland Amendments to Data Security and Breach Notification Law
- The Devil Really is in the Details: The SEC Proposed Rule on Cybersecurity Risk Management for Investment Advisors, Registered Investment Companies and BDCs
- Will the U.S. Finally Pass Comprehensive Data Privacy Legislation?