Both the federal and state governments have promulgated new laws designed to ensure that companies are taking serious steps to protect the privacy of personal data. In particular, the U.S. Department of Health and Human Services published the final omnibus rule amending the Health Insurance Portability and Accountability Act (HIPAA) on January 25, 2013, introducing significant revisions to healthcare privacy law. These changes were mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

As a consequence of the new rule, HIPAA's privacy regulations will be extended to cover not only healthcare providers, plans, and clearinghouses but also a host of vendors that provide services to the healthcare industry (known as "business associates"), including technology companies that provide data analysis, claims processing or administration, and other support services. Such business associates will be required to come into compliance with HIPAA security regulations by September 23, 2013.

While there is no private right of action under HIPAA, these newly covered entities may face regulatory investigations and proceedings requiring the support of skilled counsel.

California has also taken a leading role in promoting data privacy. In 2012, California's attorney general issued warning letters pursuant to the California Online Privacy Protection Act (CalOPPA) to companies believed to have inadequately addressed mobile application privacy policy issues. Further enforcement of CalOPPA is expected, and the attorney general has made it clear that California intends to strictly apply CalOPPA to how consumer information is collected and stored by mobile and social applications. The mobile app warning letters were the first enforcement initiative of the new Privacy Enforcement and Protection Unit created under the California Department of Justice last year.

Finally, the Federal Trade Commission (FTC) continues to push enforcement of Section 5 of the FTC Act in cases where the FTC believes a company is not adequately fulfilling its stated privacy policies. In particular, recent, hefty FTC settlements have related to situations where the FTC has alleged that a company's statements with respect to first- and third-party cookies have been inaccurate. The FTC has also pursued issues with companies as a result of public statements by the companies about their privacy policies and not just statements contained in the policies themselves.

Copyright 2013. Morgan, Lewis & Bockius LLP. All Rights Reserved.

This article is provided as a general informational service and it should not be construed as imparting legal advice on any specific matter.