As organizations begin renewing and entering into new contractual relationships for 2024, an oft-forgotten aspect of the contracting process is determining whether a Business Associate Agreement (a “BAA”) is required. Under HIPAA, health care providers, health plans and health care clearinghouses (“Covered Entities”) are required to enter into BAAs with any vendor (“Business Associate”) that may have access to Protected Health Information (“PHI”). Many organizations operate under a misconception that they are not subject to HIPAA if they are not in the health care industry but, in fact, HIPAA’s reach is much broader than that. For example, organizations that sponsor health plans, including employers that sponsor self-funded plans, are responsible for their health plans’ compliance with HIPAA, including the requirement to enter into BAAs with plan vendors. As another example, information technology organizations providing services to employers that offer health plans may be asked to sign a BAA as a Business Associate if they have access to data on the employer’s systems that may constitute PHI.
Continue Reading: Top 5 Reasons to Remember Your Business Associate Agreements This Fall

How to Comply with and Unpack the Wide Reach of Washington’s My Health My Data Act (Webinar Recording)

On October 5, 2023, Seyfarth offered a Masterclass, hosted by Lexology, designed to familiarize in-house counsel and privacy professionals, in and out of Washington state, with the My Health My Data Act. Portions of the Act are already in effect, and further provisions take effect on March 31, 2024.
We explored its obligations and its wide reach, specifically addressing how to identify: (1) who must comply; (2) who gets new rights and protections; and (3) what data is covered, since all of these are more wide-reaching than it may appear to the casual observer of state privacy legislation.
This session also uncovered significant “sleeper” compliance obligations and provided practical insight and actionable steps to use when guiding business teams.
You can access the video recording here, or click here to download the presentation slides.
Upcoming Webinar! How to Comply with and Unpack the Wide Reach of Washington’s My Health My Data Act
Thursday, October 5, 2023
1:00 p.m. – 2:00 p.m. ET
12:00 p.m. – 1:00 p.m. CT
11:00 a.m. – 12:00 p.m. MT
10:00 a.m. – 11:00 a.m. PT
About the Program
Seyfarth is pleased to offer this Masterclass, hosted by Lexology, designed to familiarize in-house counsel and privacy professionals, in and out of Washington state, with the My Health My Data Act. Portions of the Act are already in effect, and further provisions take effect on March 31, 2024.
Join us as we explore its obligations and its wide reach, specifically addressing how to identify:
- who must comply
- who gets new rights and protections, and
- what data is covered
since all of these are more wide-reaching than it may appear to the casual observer of state privacy legislation.
The session will also:
- uncover significant “sleeper” compliance obligations and
- provide practical insight and actionable steps to use when guiding business teams.
We invite you to join us. You can register for free on Lexology’s site through the registration link above.
Speakers
Yana Komsitsky, Senior Counsel, Seyfarth Shaw
Neeka Hodaie, Associate, Seyfarth Shaw
If you have any questions, please contact Sophia Gomez at sgomez@seyfarth.com and reference this event.
Oregon Enacts Consumer Privacy Act
On July 18, 2023, Oregon’s Governor Tina Kotek signed SB 619, which created the Oregon Consumer Privacy Act (“OCPA”). Oregon joins California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, and Texas, as the 12th state to enact a comprehensive consumer data privacy law.
Most provisions of the OCPA will take effect on July 1, 2024, with delayed compliance deadlines for honoring universal mechanisms consumers will use to exercise their right to “opt out” of a platform processing their personal information for certain purposes and for activities of tax-exempt organizations described in Section 501(c)(3) of the Internal Revenue Code. Notably, unlike most other state privacy laws, the OCPA exempts only certain nonprofit organizations. For activities of tax-exempt organizations described in Section 501(c)(3) of the Internal Revenue Code, the OCPA has a delayed effective date of July 1, 2025.
Upcoming Webinar! BIPA (and GIPA!) Litigation and Compliance Updates
Tuesday, September 12, 2023
2:00 p.m. to 2:30 p.m. Eastern
1:00 p.m. to 1:30 p.m. Central
12:00 p.m. to 12:30 p.m. Mountain
11:00 a.m. to 11:30 a.m. Pacific
In the wake of recent, controversial Illinois Supreme Court decisions regarding BIPA claims, this webinar explores the implications of these decisions and what’s next on the horizon in BIPA litigation and compliance.
This webinar provides an update on BIPA litigation in both the lower and higher courts, including decisions recognizing BIPA exemptions and defenses.
The panelists also will discuss trends in privacy litigation, spurred by BIPA, including class actions asserting claims under GIPA, the Illinois Genetic Information Privacy Act.
Join us on September 12th.
Speakers
Danielle M. Kays, Senior Counsel, Seyfarth Shaw LLP
Ada W. Dolph, Partner, Seyfarth Shaw LLP
If you have any questions, please contact Donna Miskiewicz at dmiskiewicz@seyfarth.com and reference this event.
Learn more about our Workplace Privacy & Biometrics practice.

This webinar is accredited for CLE in CA, IL, NJ, and NY. Credit will be applied for as requested for TX, GA, WA, NC and VA. The following jurisdictions may accept reciprocal credit with these accredited states, and individuals can use the certificate they receive to gain CLE credit therein: AZ, CT, NH. The following jurisdictions do not require CLE, but attendees will receive general certificates of attendance: DC, MA, MD, MI, SD. For all other jurisdictions, a general certificate of attendance and the necessary materials will be issued that can be used in other jurisdictions for self-application. Please note that attendance must be submitted within 10 business days of the program taking place. If you have questions about jurisdictions, please email CLE@seyfarth.com.
SEC Publishes Public Company Cybersecurity Disclosure Final Rule

This blog post is co-authored by Seyfarth Shaw and The Chertoff Group and has been cross-posted with permission.
What Happened
On July 26, the U.S. Securities & Exchange Commission (SEC) adopted its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rule on a 3-2 vote. The final rule is a modified version of the SEC’s earlier Notice of Proposed Rulemaking (NPRM) released in March 2022. The final rule formalizes and expands on existing interpretive guidance requiring disclosure of “material” cybersecurity incidents.
Adequacy for the US (kind of) – But What Are the Side Effects?

On July 10th, the European Commission issued its Implementing Decision regarding the adequacy of the EU-US Data Privacy Framework (“DPF”). The Decision has been eagerly awaited by US and Europe based commerce, hoping it will help business streamline cross-Atlantic data transfers, and by activists who have vowed to scrutinize the next framework arrangement (thereby maintaining their relevance). Regardless of the legal resiliency of the decision, it poses an interesting set of considerations for US businesses, not the least of which is whether or not to participate in the Framework.
For those who followed the development and demise of the Privacy Shield program and the Schrems II case, it has been apparent for some time that the fundamental objection of the activists and the Court of Justice of the EU (“CJEU”) to the original Privacy Shield was the perception that the US intelligence community could engage in disproportionate data collection without any possibility of recourse for EU residents whose personal information might be swept into an investigation. The actual functioning of the program for the certifying businesses was much less controversial.
Since the structure of the program wasn’t the primary reason for Privacy Shield’s revocation, from a business perspective, the current DPF looks a lot like the old Privacy Shield. For businesses who made the decision to participate in the Privacy Shield program in the past, the operational burden shouldn’t be much different under the new DPF, if they have already taken steps to operationalize the requirements.
What is interesting about the new DPF is how it may impact a company’s decision to choose between the Standard Contractual Clauses (“SCCs”) and the alternative adequacy mechanism for transfers. There is also some interest vis-à-vis the DPF and its interactions with state privacy laws.
Multiple Cyber Incidents Impact Employee Benefit Plans and Participants

By this point, most people in the employee benefits space have heard about the MOVEit and Retirement Clearing House (RCH) cyber incidents, which could directly impact employers’ benefit plans. The MOVEit file transfer application is used by a number of vendors, including those that locate missing plan participants or find information regarding deceased plan participants (e.g., PBI Research Services). RCH is often used by retirement plans to facilitate benefit transfers, including for IRA rollovers. Other plan vendors/subcontractors may also use the MOVEit software application or subcontract with RCH for their plan services. Actual and potential victims have included state and federal government agencies as well as companies across a variety of industries (and their benefit plans) who were using MOVEit or RCH, or who engaged with service providers who used these tools.
California Courts Give an Independence Day Present – CCPA Regulation Enforcement Delayed

The California Superior Court in Sacramento decided to give businesses in California an early present for the 4th of July. The regulations promulgated by the California Privacy Protection Agency (“CPPA”) back in March will not be enforceable on July 1, 2023. The new enforcement date will be March 29, 2024.
This is the result of the Court’s finding that the voters intended to require a 12-month “grace period” for businesses to build out their CCPA compliance programs. As background, and as we mentioned in our article back in April, the California Chamber of Commerce (“the Chamber”) filed suit against the CPPA in March of this year seeking a delay in enforcement. The suit argued that the CCPA regulations passed by the CPPA should be enforceable only 12 months after the final promulgation of all the regulations required by Proposition 24, and sought injunctive relief to delay the CPPA’s enforcement. The Chamber lawsuit was filed the day after the CPPA finalized its regulations in 12 of the 15 areas of the CCPA for which rulemaking is required under Proposition 24.
Texas Joins the Privacy Party
2023 has brought several states into the privacy limelight. On June 18, Governor Abbott signed the Texas Data Privacy and Security Act (“TDPSA”) into law, making the Lone Star State the eleventh in the U.S. to pass a comprehensive data privacy and security law. The Act gives Texas consumers the ability to submit requests to exercise privacy rights, and extends to parents the ability to exercise those rights on behalf of their minor children.
The Texas Act provides the usual complement of data subject rights relating to access, correction, data portability, and opting out of data being processed for purposes of targeted advertising, the sale of personal information, and profiling where a consumer may be significantly or legally affected. It also requires that covered businesses provide a privacy notice and other disclosures relevant to how they use consumer data.