© 2025 TrustArc Inc. Proprietary and Confidential Information.
Strategies for Future-Proofing Privacy for Healthcare
Legal Disclaimer
The information provided during this webinar does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented during this webinar are for general informational purposes only.
Speakers
Obehi Okonofua, Privacy Knowledge Lead, Controls Library, TrustArc
Janalyn Schreiber, Senior Privacy Consultant, TrustArc
Marco Casati, Senior Privacy Program Manager, GE Healthcare
Paul Iagnocco, Customer Enablement Lead & Principal, Data Privacy, TrustArc
Agenda
1. Industry Update
2. European Health Data Space (EHDS)
3. EU AI Act
4. Executive Order 14117
5. HIPAA 2025
6. Questions & Answers
What’s driving the flood of health regs?
Rev. Dec. 2024
TL;DR - US State Healthcare Privacy Trends
1. Growth of State “consumer health” data privacy bills
NEW (pending):
● NY Health Information Privacy Act (NYHIPA) - like WA MHMDA
2. Growth of State “reproductive health” data privacy bills
NEW:
● California Confidentiality of Medical Information Act (CMIA) mental and reproductive health expansions AB 254 & AB 352
IN COMMITTEE:
● CA AB 45 focuses on geo-fencing and health services
● MI SB 1082 first to pose “only” a specific health data privacy bill
● Hawaii SB 2696 proposes standards for collecting, selling, and destroying consumer health data
● VA SB 754 focuses on reproductive health and gender-affirming care data
3. Rise of bills or addenda addressing AI impersonating licensed professionals or giving any medical/psych advice.
IN COMMITTEE:
● NY A 6545 – chatbots acting as medical professionals
● NV AB 406 – AI programmed to act as medical professionals
● SC S 443 – requires health care professionals to supervise any coverage decisions made by AI or ADTs
● UT HB 452 – chatbots acting as medical professionals
● TX HB 1265 – a licensed mental health professional must be available at all times to each individual receiving services through artificial intelligence
TL;DR - US Federal & Global Healthcare Privacy Trends
US Federal Healthcare Privacy Trends
1. Renewed focus on health apps – privacy and security related to data sharing
2. Increased focus by FTC and OCR on geolocation data (geofencing) – precision cannot be closer than ⅓ mile
3. New focus on online trackers (esp. Google Analytics) – IP address + health data = PHI
4. Continued implementation of Executive Order 14117 + Cybersecurity & Infrastructure Security Agency (CISA) – new security requirements
5. Cautious implementation of changes to HIPAA 2025 Privacy & Security Rules – Medical Group Management Assoc (MGMA) has petitioned Trump Admin to rescind these Biden-specific regulations, stating “costs and regulatory burden … would be ‘staggering.’”
Global Healthcare Privacy Trends
Opposing Trends: Interoperability & Collaboration vs Data Localization
Interoperability & Collaboration
• EU - Common European Data Spaces
• European Health Data Space (EHDS)
• Data Act
• NIS-2
• AI Act
• APEC Global CBPR and Global PRP Systems
Data Localization
• Personal Data Protection Law (PDPL) Kingdom of Saudi Arabia
• Personal Data Protection Law (PDPL) of the UAE
• China’s Personal Information Protection Law (PIPL)
• Indonesia Government Regulation No. 28 of 2024
EU: European Health Data Space (EHDS)
Summary
The European Health Data Space (EHDS) is a cornerstone of the European Health Union and the first common EU data space dedicated to a specific sector as part of the European strategy for data.
The EHDS will:
1. Empower individuals to access, control and share their electronic health data across borders for healthcare delivery (primary use of data);
2. Enable the secure and trustworthy reuse of health data for research, innovation, policy-making, and regulatory activities (secondary use of data);
3. Foster a single market for electronic health record (EHR) systems, supporting both primary and secondary use.
Next Actions
The EHDS builds on key existing horizontal EU frameworks, including:
• General Data Protection Regulation (GDPR)
• Data Governance Act
• Data Act
• Network and Information Systems Directive (NIS/NIS-2)
The EHDS complements these rules and provides additional tailor-made rules for the health sector.
Effective Date
Entered into force on 26 March 2025, marking the beginning of the transition phase towards application.
Enforcement Date
The regulation will not immediately apply. Instead, it is the beginning of a process that will unfold over time (till March 2034).
EU: AI Act
Summary
The aim of the AI Act is to establish a comprehensive regulatory framework that ensures the safe and ethical development, deployment, and use of artificial intelligence systems by classifying them based on their potential risk to individuals and society and imposing corresponding regulations to enhance safety and compliance.
Next Actions
The AI Act entered into force on 1 August 2024, and will be fully applicable 2 years later on 2 August 2026, with some exceptions:
• prohibitions and AI literacy obligations entered into application from 2 February 2025
• the governance rules and the obligations for general-purpose AI models become applicable on 2 August 2025
• the rules for high-risk AI systems embedded into regulated products have an extended transition period until 2 August 2027
Common assessment:
Medical devices under the EU MDR (2017/745) are classified as high-risk AI, which means they are subject to additional requirements governing quality management systems and technical documentation.
US Federal: Executive Order 14117
Title: "Preventing Access to Personal Data and United States Government-Related Data by Countries of Concern"
EO Date: February 28, 2024 by President Biden
Summary: The focus of the EO is national security and therefore prohibits and restricts certain bulk sensitive personal data transactions with select “countries of concern.”
At issue is the use of these data to develop and enhance AI capabilities by using large datasets in ways and means detrimental to US National Security (e.g., espionage, blackmail, etc.).
Countries of Concern (CoC): China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela, as well as individuals and entities under their control.
Executive Oversight: Department of Justice (DOJ)
DOJ Actions: Led rulemaking efforts and defined the following specifics:
● Focus on covered persons associated with CoC directly or indirectly:
○ foreign person with 50%+ interest
○ foreign person employee or contractor
○ foreign person is a resident
○ any person deemed by DOJ
● Two types of covered data:
○ US sensitive personal data
○ US government-related data
● Six categories of data & thresholds:
○ Human ’omic (genetics) = 1,000+ persons
○ Biometric = 1,000+ persons
○ Precise geolocation = 1,000+ devices
○ Personal health = 10,000+ persons
○ Financial = 100,000+ persons
○ Personal identifiers = 100,000+ persons
Enforcement Dates:
● data transactions: April 8, 2025
● additional provisions: October 6, 2025
US Federal: Executive Order 14117 (cont.)
Exemptions:
1. Personal communications
2. Information(al) materials
3. Travel
4. Official U.S. Government business
5. Financial services
6. Corporate group transactions
7. Transactions required or authorized by U.S. federal law or international agreements, or necessary for compliance with federal law
8. Telecommunications services
9. Drug, biological product and medical authorizations
10. Other clinical investigations and post-marketing surveillance data
11. Investment agreements subject to CFIUS (Dept Treasury - Committee on Foreign Investment) actions
Next Actions Before October 6, 2025:
Minimally, establish a data compliance program that includes:
1. A data inventory and mapping that includes:
- verifying data: identity & ownership, flows, types, volume
- verifying identity of vendors
2. Data compliance & security policies and implemented security requirements - both certified annually by an officer, executive or compliance officer
3. Annual independent audit, producing a written report (min. ten years retention). The audit must include:
- audit methodology
- effectiveness of the compliance program
- any vulnerabilities that may have affected or could have affected a CoC gaining access to personal data
- any instances where security requirements failed or were not effective
- improvements to policies and practices to improve compliance with security requirements (est. by CISA)
US Federal: HIPAA 2025
Dec 2024 - Jan 2025 - HHS’ Office for Civil Rights (OCR) Issues Notice of Proposed Rulemaking:
● Current administration to decide whether to release a final rule that implements these HIPAA changes in 2025.
● First significant update since the HIPAA Security Rule's original publication in 2003 and its last revision in 2013.
Core Framework (Still in Effect):
● Privacy Rule
● Security Rule
● Breach Notification Rule
Key Proposed Privacy Rule Changes:
● Changing the maximum time to provide access to PHI from 30 days to 15 days.
● Removing the written confirmation of receipt of an organization’s notice of privacy practices.
● Easing of restrictions on disclosures of PHI without authorization.
● Changes to HITECH Act requirements for the accounting of disclosures of PHI for treatment, payment, and healthcare operations.
● Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible.
● Confirming individuals are permitted to direct a covered entity to send their ePHI to a personal health application.
Proposed Security Rule Requirements:
● Eliminating the "Addressable" vs. "Required" distinction for security controls.
● Annual Inventory & Data Mapping: Conduct and maintain written inventories of assets capable of creating, receiving, maintaining, or transmitting ePHI, and create a map showing the movement of ePHI throughout the organization.
● Risk Analysis Requirements: Enterprise-wide, ongoing risk assessments measuring likelihood and potential impact of identified threats and vulnerabilities - not point-in-time, checklist-style reviews; and annual Security Rule compliance audits.
● Encryption & MFA: Mandatory encryption for all ePHI at rest and in transit; and required MFA for all technology assets.
● Incident Response & Disaster Recovery: Formalized written security incident response plans and procedures; document and test disaster recovery plans more rigorously.
● Network Testing, Segmentation, & Configuration: Conduct vulnerability scanning at least every six months. Penetration testing must also be performed at least once every 12 months.
● Access Controls & Logging: Increased scrutiny on user access reviews, audit logs, and role-based access.
● Business Associate Oversight: Covered entities (CE) must assess the risks of entering a downstream BAA based on the written verifications from the business associate (BA), validated by a cybersecurity SME and certified by a person of authority at the business associate - not just sign BAAs.
TrustArc Resources to Plan & Prepare
Know the inflows and outflows of data in your organization, data types, risks, location, ownership, sharing, etc.
Know which laws and standards are applicable to your organization, level of compliance and program effectiveness.
Instant data privacy and security knowledge “pulled” from our industry leading database curated and vetted inhouse.
TrustArc eBooks
See https://trustarc.com/solutions/ to explore all TrustArc solutions!
Thank You!

TrustArc Webinar - Strategies for Future-Proofing Privacy for Healthcare