Takeaways
Companies should consider implementing the following operational best practices:
5. Align incident response plans with HIPAA, FTC, and state requirements, conduct table-top exercises, and promptly meet all breach notification obligations, as regulators monitor both technical breaches and improper disclosures.
6. Coordinate closely across teams to ensure all health-related marketing claims are substantiated and pre-cleared with FDA guidance in mind.
7. Disable tracking for users who opt out and maintain evidence that privacy signals are honored, as failure to do so can result in reputational and legal risks.
8. Provide ongoing, specialized training and conduct annual audits to identify and remediate compliance gaps, fostering a culture of accountability throughout the organization.
Adding to the complexity, state laws such as the CCPA, CPA and MHMDA add further intricacy by imposing additional, and sometimes conflicting, obligations on data collection, sharing, and security practices, with special attention to sensitive health data. Recent enforcement actions underscore the risks of non-compliance with these state laws. For example, the California Attorney General’s lawsuit against Healthline Media highlights the risks of failing to honor privacy principles like purpose limitation and effective opt-out mechanisms. Healthline was found to have transmitted information regarding sensitive article titles viewed by users to advertising vendors even after users opted out, and failed to ensure contractual protections or test opt-out mechanisms.[12] This case demonstrates how privacy risks, such as over-collection, inadequate disclosures, or ineffective opt-outs, can quickly become regulatory risks, even for companies outside HIPAA’s direct scope.
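Takeaway 7 and the Healthline discussion above both turn on the same engineering control: a web front end must gate every vendor transmission on the user's opt-out state and on the browser's Global Privacy Control signal, and must keep evidence that it did so. The following is an added example written for this page; it is not code from the article, from KMK, or from any company named here. The input shapes (`userPrefs`, `browser`, `event`), the vendor name, the article title and the sensitive-category list are all constructed for illustration; in a real page the `globalPrivacyControl` flag would be read from `navigator.globalPrivacyControl`, which is the browser's exposure of the GPC signal.

```javascript
// Added illustration (not from the article): a consent gate that decides whether a
// page-view event may be sent to an advertising vendor, honoring both the site's own
// stored opt-out choice and the browser's Global Privacy Control (GPC) signal, and
// recording an audit entry so each decision can be evidenced later.
//
// Assumed inputs (constructed for this example, not taken from any real system):
//   userPrefs - { optedOutOfSale: boolean }        the site's stored user choice
//   browser   - { globalPrivacyControl: boolean }  mirrors navigator.globalPrivacyControl
//   event     - { vendor: string, articleTitle: string, category: string }

// Constructed category list; a real deployment would maintain its own taxonomy.
const SENSITIVE_CATEGORIES = new Set(['health', 'mental-health', 'sexual-health']);

// Returns a decision object instead of silently dropping the event, so that every
// outcome, allowed or blocked, can be logged with its reason.
function decideVendorTransmission(userPrefs, browser, event) {
  const reasons = [];
  if (userPrefs.optedOutOfSale) reasons.push('user-opt-out');
  if (browser.globalPrivacyControl === true) reasons.push('gpc-signal');

  const allowed = reasons.length === 0;
  // Even when sharing is allowed, never attach the article title for a sensitive
  // category; send only the coarse category so a vendor cannot infer a condition.
  const payload = allowed
    ? {
        vendor: event.vendor,
        category: event.category,
        articleTitle: SENSITIVE_CATEGORIES.has(event.category) ? null : event.articleTitle,
      }
    : null;

  return { allowed, reasons, payload };
}

// In-memory evidence log for the example; production code would write to durable,
// append-only storage that auditors can query.
const evidenceLog = [];

function recordEvidence(decision, event, now = () => new Date().toISOString()) {
  const entry = {
    at: now(),
    vendor: event.vendor,
    allowed: decision.allowed,
    reasons: decision.reasons,
    // Log which fields were sent, not their values, so the evidence log does not
    // become a second copy of sensitive browsing data.
    payloadFields: decision.payload
      ? Object.keys(decision.payload).filter((k) => decision.payload[k] !== null)
      : [],
  };
  evidenceLog.push(entry);
  return entry;
}

// Self-test of the opt-out paths: the kind of check the Healthline matter faulted the
// company for not running. Returns booleans so it can be wired into a release gate.
function runOptOutSelfTest() {
  const event = {
    vendor: 'adnet-example', // constructed vendor name
    articleTitle: 'Living with a chronic condition', // constructed title
    category: 'health',
  };
  const optedOut = decideVendorTransmission({ optedOutOfSale: true }, { globalPrivacyControl: false }, event);
  const gpc = decideVendorTransmission({ optedOutOfSale: false }, { globalPrivacyControl: true }, event);
  const consented = decideVendorTransmission({ optedOutOfSale: false }, { globalPrivacyControl: false }, event);
  return {
    optOutBlocks: optedOut.allowed === false && optedOut.payload === null,
    gpcBlocks: gpc.allowed === false && gpc.reasons.includes('gpc-signal'),
    sensitiveTitleStripped: consented.allowed === true && consented.payload.articleTitle === null,
  };
}
```

The decision function is deliberately pure so it can be unit-tested in a build pipeline, which is where the "test opt-out mechanisms" obligation is most cheaply met; the evidence log captures the reason for each block so that an opt-out can later be shown to have been honored without retaining the titles the user viewed.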
5 American Hospital Association et al v. Becerra et al, No. 4:2023cv01110 - Document 67 (N.D. Tex. 2024) (available at law.justia.com/cases/federal/district-courts/texas/txndce/4:2023cv01110/382855/67/).
6 ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0
7 ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf
8 ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc
9 ftc.gov/business-guidance/blog/2024/04/updated-ftc-health-breach-notification-rule-puts-new-provisions-place-protect-users-health-apps
10 fda.gov/media/90652/download
11 fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/whoop-inc-709755-07142025
12 oag.ca.gov/news/press-releases/attorney-general-bonta-announces-largest-ccpa-settlement-date-secures-155
Eric Cook is Secretary of the CBA Board of Trustees and serves as Of Counsel and plays an integral role on KMK’s Data Privacy & Cybersecurity Team, where he provides strategic guidance at the intersection of health, emerging technologies, and data privacy. His practice focuses on mitigating regulatory and litigation risks associated with tracking technologies, AI-driven tools, and digital health innovations.
1 fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/whoop-inc-709755-07142025
2 hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
3 Id.
4 hhs.gov/hipaa/for-professionals/privacy/guidance/marketing/index.html
THE REPORT | September/October 2025 | CincyBar.org 13