Covington & Burling LLP

12/13/2024 | News release | Distributed by Public on 12/12/2024 18:45

Health Privacy Developments to Watch in 2025

2024 was an incredibly busy year for health privacy. As the year draws to a close and we look ahead to 2025, we share several areas that we are watching in the coming year, which we expect to be similarly busy with federal- and state-level activity:

  • Proposed Updates to the HIPAA Security Rule. The U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) is expected to issue a proposed rule to update the HIPAA Security Rule before the end of 2024. The original Security Rule was finalized approximately 20 years ago, and while HHS OCR has not released substantive details related to the updates to be proposed, it is possible that HHS OCR will propose to substantially change the security obligations of HIPAA-regulated entities.
  • State Laws Regulating Consumers' Health-Related Information. In 2024, Maryland became the fourth state to pass a law regulating consumer health data, following the enactment of laws regulating consumer health data in Washington, Nevada, and Connecticut in 2023. In 2025, additional states are likely to consider bills to regulate consumers' health-related data. For example, Washington, DC recently introduced and held hearings on the Consumer Health Information Privacy Protection Act of 2024 (CHIPPA), and Michigan also recently introduced a bill to protect the privacy of reproductive health data.
  • Court Challenge to HIPAA Privacy Rule Related to Reproductive Care Information. In May 2024, HHS OCR modified the Privacy Rule to provide additional protections for protected health information concerning reproductive health. The state of Texas sued HHS OCR in September 2024 alleging the rule is unlawful and should be vacated. Substantive filings are not due in the case until early 2025, and it is not clear whether the incoming Trump Administration will defend the rule in court or take another action regarding the rule, such as deciding to repeal it.
  • State Genetic Privacy Developments. In the past 5 years, more than 10 states have enacted laws to regulate consumer-facing genetic testing companies, with Montana having also enacted a broadly applicable genetic privacy bill in 2023. Several other states have considered bills in recent years that were ultimately not enacted. In 2025, we expect to see additional states propose bills to regulate certain uses of consumers' genetic information. In addition, in early 2024 we saw a wave of litigation under the Illinois Genetic Information Privacy Act, which may continue in 2025.
  • Continued FTC Scrutiny Around the Use of Health Information. President-elect Trump recently announced that he will appoint current Federal Trade Commission (FTC) Commissioner Andrew Ferguson to chair the FTC. In recent years, FTC enforcement has focused on the use and disclosure of health information by digital health companies and other companies that collect health-related information from consumers, particularly for advertising purposes. We will be monitoring whether the FTC will similarly prioritize health-related enforcement in the coming year, including under the FTC's recently expanded Health Breach Notification Rule.
  • Continued Scrutiny Around the Use of Online Tracking Technologies. In recent years, there has been litigation and regulatory scrutiny surrounding the use of tracking technologies on websites, including claims that the use of these technologies on health-related entities' websites results in the impermissible collection and/or disclosure of health information. In addition to litigation under state wiretap and consumer protection laws, as well as the California Confidentiality of Medical Information Act, in 2024, HHS OCR issued updated guidance addressing how HIPAA-regulated entities may use tracking technologies on their websites and mobile applications. (A portion of this guidance was later vacated by a federal court in Texas.) This follows joint letters sent by the FTC and HHS OCR in 2023 to a number of health-related companies warning of "serious privacy and security risks" related to the use of these technologies on their websites.
  • DOJ Rulemaking Around Transfers of Bulk Sensitive and Government Data to Countries of Concern. In 2025, the National Security Division of the Department of Justice (DOJ) is expected to finalize a proposed rule to regulate certain data transactions involving bulk U.S. sensitive personal data and government-related data. While this rule would have impacts outside of the health and life sciences sectors, "sensitive personal data" is proposed to include several categories of health-related data, including human genomic data, biometric identifiers, and personal health data. Further, any data transaction undertaken by a U.S. person with a country of concern or covered person that involves access to bulk U.S. human genomic data, or to human biospecimens from which bulk human genomic data could be derived, would be prohibited under the proposed rule.
  • Privacy- and AI-Related Legislative Proposals. We expect to see numerous states propose comprehensive privacy and/or AI-related bills in 2025, following a similar trend over the past several years. On the AI front, a Texas state representative has already pre-filed a comprehensive AI bill to be considered in 2025. While there was less state legislative focus on health-specific AI bills in 2024, California enacted a bill to regulate health care facilities' use of generative AI for certain care-related purposes, and we will be watching as to whether other states enact legislation that is specific to the use of AI in the health care context. It is also likely that federal privacy and AI legislation will be introduced in 2025, given legislators' focus on these issues in recent sessions.

We will continue to monitor these developments and keep you apprised here on Inside Privacy.