Staying Fit in the Data Game: A Business Rx for State Consumer Health Data Laws

BakerHostetler
Contact

BakerHostetler

In the wake of the landmark Dobbs v. Jackson Women’s Health Organization decision, state consumer health data laws have emerged as a critical focal point in the rapidly evolving landscape of how consumer health data will be regulated in the United States. Among the laws at the forefront of this movement are Washington’s landmark My Health My Data Act, a companion law in Nevada (SB 370) and consumer health data amendments to the existing comprehensive state privacy law in Connecticut (SB 3). While these laws were all passed with the goal of closing the gap between data protected under the federal Health Information Portability and Accountability Act (HIPAA) and non-HIPAA covered data, there are significant differences in their applicability and legal impact on covered businesses. This article does not attempt to address each of these nuances, but it can serve as a helpful resource in beginning to identify similarities and differences between the laws to aid businesses in their compliance approach. For a more in-depth analysis of Washington’s My Health My Data Act, please see our article here.

How do these laws compare?

HIPAA Exemptions. Most notably, the Washington law, unlike the laws of Nevada and Connecticut, does not provide a HIPAA-covered entity-level exemption, but rather provides a data-level exemption. Specifically, Washington exempts protected health information, as well as information that originated from a HIPAA-covered entity or business associate and has been intermingled with other information such as protected health information. Therefore, the scope of Washington’s law is wider and may apply to traditional healthcare entities in addition to broader industries.

Covered Data. Generally speaking, “consumer health data” is defined broadly in these laws to cover not only traditional notions of “health data,” such as physical or mental health status, but also data that is “reasonably” capable of linking a consumer to a past, present or future health status of that consumer. The laws in Connecticut and Nevada also notably include the qualification that such data must be used by the regulated entity/controller to identify the consumer’s health conditions in order to constitute “consumer health data.” There is no such “use” requirement under the Washington definition, meaning that the entity’s purpose is not taken into account into the definition of “consumer health data”. This results in a broader definition of “consumer health data” under Washington’s law. Taken to the extreme, this definition could apply to fitness centers that provide dietary and fitness services for overall wellness improvement or the local strip mall boutique that promotes the healing power of amethyst for anxiety.

Consent Requirements. All three laws require consent for the sale of consumer health data, where “sale” is broadly defined as the “exchange of consumer health data for money or other valuable consideration” (emphasis added). Specifically, Washington and Nevada require heightened, written authorization from the consumer for the sale of consumer health data, including disclosure of the recipients of such data in the provided authorization. Additionally, covered entities must obtain consent for any collection of consumer health data or disclosure of consumer health data (unless necessary to provide the products or services to the consumer).

Geofencing. All three laws prohibit geofencing (e.g., establishing a virtual boundary within a radius of 2,000 feet or less) around a specifical physical location to identify or track consumers receiving healthcare, collect health data from consumers, or send health data or healthcare-related “notifications, messages, or advertisements” to consumers. Notably, the scope of Connecticut’s geofencing prohibition is specifically limited to mental health facilities or reproductive or sexual health facilities, and therefore will not apply to many businesses under the Connecticut law. More information about the specific differences between these laws’ geofencing provisions can be found here.

Enforcement. The attorney general of each state has enforcement rights against violations of the law. In addition, Washington’s My Health My Data Act provides consumers with a private right of action.

What can businesses do?

Businesses should consider the following in their data compliance regimen:

  • Conduct a data audit. Identify the sources of consumer health data, purposes of collection and use, data storage and management practices, and the data flows of consumer health data.
  • Prepare a consumer health data privacy policy. This policy should meet the disclosure requirements of each applicable law. Businesses should consider the implementation approach in light of existing published privacy notices.
  • Evaluate consent collection. Generally, under the three laws, consent is required to collect, use or share consumer health data. Under the Washington and Nevada laws, consent to share consumer health data must be separate and distinct from the consent obtained to collect consumer health data in the first place. Businesses should evaluate existing consent mechanisms in place and determine whether updates are necessary. If there is no consent mechanism in place, determine whether one is necessary based on the data audit.
  • Review consumer rights request management. Businesses should evaluate the requirements of intaking and responding to all applicable consumer health data requests in light of any existing procedures that may be in place for responding to privacy requests under other laws. Businesses should review the unique requirements under the consumer health data laws and develop a plan to comply with more stringent requirements, such as Washington’s and Nevada’s strict deletion requirements.
  • Assess approach to consumer health data sales or sharing. Although the laws do not prohibit the selling or sharing of consumer health data, assess whether the authorization or consent requirements in Washington and Nevada apply in order to develop and implement an authorization approach; also consider whether the requirements relating to consumer health data sales may practically limit the ability to engage in sales of consumer health data.
  • Update vendor and data recipient contracts. Ensure that all contracts with vendors that process consumer health data on behalf of businesses are compliant with the consumer health data laws.

As we move forward in this data-driven age, staying fit in the data game and maintaining a strong consumer health data compliance program and strategy will be paramount. Through careful preparation, businesses can ensure they are well prepared to pulse-check state consumer health data laws and thrive in the digital era.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BakerHostetler

Written by:

BakerHostetler
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide