In the aftermath of the Dobbs v. Jackson Women’s Health Supreme Court decision, three states have enacted health data privacy laws or amended existing privacy laws, and other states have proposed bills, to protect consumer health data that may not be regulated by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA). One additional state has enacted restrictions on geofencing that relate to consumer health data. These new laws, with various effective dates, present novel considerations and compliance challenges for businesses that collect, use, and disclose “consumer health data” – a term that encompasses more than businesses and individuals might expect. In addition to the potentially expansive definition of “consumer health data,” the laws broadly apply to many types of businesses that would not normally be expected to have obligations under health-related laws.
Washington and Nevada do not have comprehensive consumer privacy laws like those recently enacted by several other states. So the new health data privacy laws in Washington (My Health My Data Act) and Nevada (Senate Bill No. 370) are the first significant state privacy laws in those states. They include many of the same privacy-related rights and obligations created by the comprehensive consumer privacy laws in other states narrowed to apply only to consumer health data. Washington’s new law applies to most businesses beginning March 31, 2024 (certain small businesses do not need to comply until June 30, 2024), with a prohibition related to geofencing that went into effect on July 23, 2023. Nevada’s new law also goes into effect March 31, 2024.
Connecticut previously enacted a comprehensive consumer privacy law, and, interestingly, that law was amended by the state to include the additional health privacy elements just before it went into effect. Connecticut’s privacy law (Substitute Senate Bill No. 6, An Act Concerning Personal Data Privacy and Online Monitoring), including the provisions related to consumer health data, went into effect on July 1, 2023.
New York has not enacted a full health data privacy law, but instead established geofencing restrictions (Senate Bill No. 4007–C) related to consumer health data that became effective in that state on July 2, 2023.
Existing state consumer privacy laws also apply to personal data related to health and generally treat that data as sensitive personal data with enhanced protections. These state laws are generally applicable to all consumer personal data. The focus of this alert is to discuss some of the interesting and distinctive features of the privacy laws specifically targeted at protecting personal consumer health data that have recently taken effect or will soon take effect.
Scope and applicability
With some exceptions, each of the three new, more comprehensive health data privacy laws generally applies to businesses operating within the state or businesses that provide products or services targeted to the state’s residents. The laws contain full or partial exemptions for businesses and data regulated by HIPAA or certain other federal laws that protect the confidentiality of personal data (e.g., the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), and the Fair Credit Reporting Act (FCRA)). The intent of these new laws is to fill perceived gaps in existing privacy regulations rather than to replace them. The New York geofencing law (discussed further below) does not have similar exceptions, however, and appears to apply to any businesses other than health care facilities establishing a virtual geofence boundary around themselves.
The new health data privacy laws in Nevada, New York, and Washington apply to consumer health data. “Consumer health data” is generally defined as personal information that is reasonably capable of being linked to a person acting in a consumer capacity and that identifies the person’s past, present, or future physical or mental health status. The Nevada and Washington laws grant rights to and protect the consumer health data of both residents of the state and individuals whose health data is collected in the state (e.g., health care tourists). However, the fourth state highlighted in this alert, Connecticut, has a law that grants rights to and protects the consumer health data of only Connecticut residents. The laws are focused on consumers and have exemptions for data collected in the employment context or at a regulated business’s own facility.
Commonalities with state comprehensive consumer privacy laws
State comprehensive consumer privacy laws have many commonalities with respect to granting consumer rights and imposing business obligations. The rights and obligations under the Connecticut, Nevada, and Washington laws and amendments related to consumer health data are generally similar to the general privacy laws but have several striking differences, as described later. The common elements include:
- Privacy policy: Regulated businesses are required to maintain an online privacy policy that explains how the business collects, uses, and discloses consumer health data.
- Consent for collection and sharing: Regulated businesses are generally required to obtain consent before collecting or sharing consumer health data, except when collection or sharing is essential to providing a consumer-requested product or service or another exception applies. In some instances, the new health privacy laws require separate and distinct consents or authorizations for collecting, sharing, and selling consumer health data, and combining any such consent or authorization with an agreement to other terms may be prohibited. Further, if a regulated business intends to use consumer health data in new ways not previously disclosed at the time of collection, it must obtain consent from the consumer for the new use.
- Consumer privacy requests: Regulated businesses are obligated to receive and respond to consumer requests to:
  - Know whether the business has the consumer’s health data
  - Revoke previously provided consent
  - Delete the consumer’s consumer health data
- Non-discrimination: Regulated businesses are prohibited from discriminating against individuals who exercise their privacy rights under these laws.
- Data security: Consumer health data must be safeguarded by regulated businesses through reasonable administrative, technical, and physical data security practices.
- Processor contract requirements: Regulated businesses must have contracts with service providers that limit the use of consumer health data. A breach of this agreement by a service provider may violate these new laws.
- Prohibition of sale of consumer health data: The sale of consumer health data by regulated businesses for monetary or other consideration is prohibited without the consumer’s consent or authorization (which generally must be obtained separately from consents for the collection and sharing of consumer health data).
Novel considerations
Below are some characteristics of these new state health privacy laws that raise interesting questions and could create difficult compliance obligations.
Right to delete
One significant way in which the laws in Connecticut, Nevada, and Washington differ from HIPAA and other health care privacy laws is that they provide consumers with a right to delete covered health information maintained by regulated businesses. HIPAA and other existing health care privacy laws allow patients to dispute the accuracy of health information, and such disputes may be added to the patients’ records, but businesses regulated by those laws are not permitted to delete patient information upon request.
Further, the new health privacy laws in Nevada and Washington require the business receiving the deletion request to notify all recipients with which it previously shared the consumer’s health data, and those direct recipients may also be required to delete the consumer’s health data. This requirement could actually decrease the control individuals have over their health data and could result in the deletion of health data against individuals’ wishes. Additionally, these new state health privacy laws could be interpreted as requiring the downstream deletion only one level deep (i.e., only the direct recipients of health data from the regulated business might have this deletion obligation). This partial downstream deletion is sure to confuse consumers, as they will likely see what appears to be random health data deletion among the products and services they use and have connected together.
Consent or authorization to sell consumer health data
Under the new state consumer health privacy laws in Connecticut, Nevada, and Washington, a data sale is the exchange of consumer health data for monetary or other valuable consideration. Under all three laws, data sales are prohibited without the consumer’s consent or authorization. The request for such consent or authorization must include certain content, such as a description of the specific consumer health data being sold and a statement recognizing the consumer’s right to revoke the consent or authorization at any time. The health privacy laws may also prohibit conditioning the provision of a good or service on consent to sell consumer health data. An additional requirement under the Washington and Nevada laws that may be new to businesses is that a consumer’s consent or authorization for a sale of consumer health data automatically expires after one year.
Geofencing prohibition
A novel aspect of the three new consumer health data privacy laws in Connecticut, Nevada, and Washington, along with the New York law, is the inclusion of a “geofencing” prohibition. The impact of this type of prohibition is murky. Under the laws in general, individuals and businesses may be prohibited from using precise geolocation data-collection technology for the purpose of locating a consumer near physical locations that provide health care services and, in certain situations, for:
- Identifying or tracking people seeking in-person health care services or products
- Collecting consumer health data
- Inferring health status, condition, or treatment of an individual
- Sending messages, notifications, or advertisements to consumers relating to their health data or health care services
Generally, the prohibition applies within 2,000 feet in Washington, 1,850 feet in New York, and 1,750 feet in Nevada and Connecticut around a medical facility or in-person health care service facility.
Businesses should evaluate closely whether the laws apply and determine what they prohibit. One likely purpose for these prohibitions is to stop organizations from collecting data about or targeting visitors of providers of health care services with messages opposing the health care services made available by the providers. However, there are several considerations that may make the scope of applicability or compliance obligations unclear.
“Health care services” are not consistently defined under these laws, so compliance programs may need to be customized by state. Further, presumably under each of these laws, the collection of consumer health data and targeted messaging can occur from a distance of over 2,000 feet. Therefore, the practical impact of the prohibition may be negligible. Additionally, geolocation technology may provide inaccurate data, which could result in unintended noncompliance or prevent messaging that is not prohibited by the laws. Finally, consumers may use services and devices that collect health data at all times (e.g., a wearable device), including at facilities that provide health care services. These laws may create an unintended risk for providers of medical devices, or of other devices or services, that consumers intentionally use to collect health data or to receive messages in connection with that health data.
Data inferred from non-health-related data
Another aspect of these health privacy laws that may run counter to businesses’ intuition is that consumer health data can include health-related data that is inferred from other, non-health-related information. Under the Nevada and Washington laws, consumer health data includes health-related information that is derived or extrapolated from information that is not consumer health data. The office of the Washington state attorney general has published an FAQ on Washington’s law (the Washington FAQ), and it confirms that “consumer health data includes information that is derived or extrapolated from non health data when that information is used by a regulated entity or their respective processor to associate or identify a consumer with consumer health data.”
There are some exceptions, but applying them accurately may be difficult. The Nevada law specifies that personal health data does not include data that is used to “identify the shopping habits or interests of a consumer, if that information is not used to identify the specific past, present or future health status of the consumer.” This implies that information pertaining to shopping habits that could identify the specific past, present, or future health status of a consumer is regulated by the Nevada law. The Washington law does not contain the language about shopping habits, but the Washington FAQ addresses this concept in the context of questions about purchases of toiletries. The Washington FAQ states that in general, information about purchases of toiletries would not be regulated by the Act; but “potential [health-related] inferences drawn from purchases of toiletries” would be considered consumer health data.
Private enforcement
Privacy laws commonly include a lot of gray areas that can result in difficult compliance challenges. These consumer health privacy laws are no different. The laws have reduced risk from noncompliance somewhat by permitting cure periods following a notice of noncompliance and allowing regulators to use prosecutorial discretion when bringing cases. However, the Washington consumer health privacy law permits a private right of action with no opportunity for regulated businesses to cure. Therefore, regulated businesses face significant risk from a law with an unclear scope of applicability and compliance obligations. It is important to note that the Washington law does not provide for statutory damages, which is the cause of so much litigation under laws like the Illinois Biometric Information Privacy Act, federal and state eavesdropping and telemarketing laws, and the federal Video Privacy Protection Act. A foot fault could result in expensive litigation, but plaintiffs will need to allege and prove actual damages to recover damages under the Washington law.
The Connecticut, Nevada, and New York laws do not grant a private right of action for violations of those laws.
The takeaway? Legislatures’ focus on privacy continues, and these piecemeal laws add to the existing patchwork of federal and state laws that regulate the collection, use, and sharing of consumer health data. As additional state privacy laws continue to be enacted or revised, businesses will need to monitor the changes and continue updating their privacy compliance programs to incorporate the new obligations.
In-depth 2024-060