As data privacy regulation spreads across the US, state legislators are looking at increasingly specialized areas of data privacy. The two biggest are children's privacy online, and the privacy of “consumer health data” (CHD). Driven in part by concerns about politicized use of healthcare data, state law is increasingly granting specific protection to such information.
WHY IT MATTERS
The way these laws are drafted, they could have dramatically broad effects, and may cover companies that do not consider themselves to be part of the healthcare sector. These laws can apply to data used to assess consumer physical or mental health status, or consumer efforts to access care, for example. The way they are drafted, the CHD laws may either directly or indirectly regulate not only “health” information but also wellness data, biometric information, geolocation data, and more.
CURRENT STATE CHD PRIVACY LAWS
Connecticut — in effect
Nevada — effective 3/31/2024
Washington — partially in effect now and fully in effect by 6/30/2024
In addition, California and other states are including health-related information in their general privacy laws as “sensitive” personal information that may increase compliance burdens on covered companies.
COMMON FEATURES OF CHD PRIVACY LAWS
- Defines and protects CHD
- May be defined by type of data and/or by how data is used
- Typically more broadly defined than “personal health information” (PHI) under HIPAA
- May be broad enough to wrap in health, wellness, location, and other personal information
- Separate privacy notice required
- Opt-in required to collect/process CHD
- Authorization required to sell/share CHD
- Special provisions covering geographic/location data tied to healthcare
- Access, deletion, and other rights for covered consumers
- Requirement for impact assessments, downstream/vendor contracts, and security measures associated with CHD
- Exemptions for HIPAA-covered entities or PHI
- Nonprofits not always exempt
The trend in privacy is toward more regulation, and the use of data that directly or indirectly conveys health information is no exception. Traditional healthcare companies may be covered by these laws, although the existence of a HIPAA exemption may shield them from certain aspects of compliance. Companies that are not traditionally considered “healthcare” but that collect or use data tied to consumer health or health indicators should seek counsel about the extent to which they may be swept into this new regulatory net.
Subscribe to Taylor English Insights by topic here.
/Passle/5fe0c4f453548a10fc881e09/SearchServiceImages/2024-02-06-16-16-46-327-65c25b6e9e14f56dc129e31c.jpg)
/Passle/5fe0c4f453548a10fc881e09/SearchServiceImages/2024-04-29-14-08-51-052-662fa9f37a56bfff0cd94f5b.jpg)
/Passle/5fe0c4f453548a10fc881e09/SearchServiceImages/2024-04-25-13-20-13-103-662a588d0a007d32978e51c8.jpg)
/Passle/5fe0c4f453548a10fc881e09/SearchServiceImages/2024-04-22-14-46-40-757-662678501f76e96e68653bb3.jpg)