New State Health Privacy Laws—Moving Beyond HIPAA and Recasting Consumer Health Data Rights?

New, first-of-their-kind consumer health data privacy laws in Washington and Nevada are designed to provide state-level protections for personal health data not covered by the Health Insurance Portability and Accountability Act ("HIPAA") and set the stage for potential increased litigation and enforcement.

Effective March 31, 2024, the laws impose requirements relating to a new category of consumer health data ("CHD"), create consumer rights/protections, and potentially introduce increased privacy enforcement and litigation.

Regulated Entities and Data 

  • Both laws apply to entities, and data processors acting on their behalf, that conduct business or provide products/services to consumers in the state and, alone or jointly, determine the purpose and means of handling CHD. Washington's law also applies to "small businesses" that meet certain consumer and revenue thresholds, which have until June 30, 2024, to comply. 
  • Protected consumers generally include state residents and individuals whose CHD is collected within the state.
  • Both laws exempt certain types of data, including under HIPAA and the Gramm-Leach-Bliley Act. 

Key Obligations 

  • Consent and Authorization for Collecting/Selling/Sharing. Entities must obtain affirmative—separate—consent before collecting or sharing CHD, unless providing a consumer-requested product/service. Entities must obtain separate consumer authorization before selling/offering to sell CHD, which is effective for one year. 
  • Privacy Policies. Entities must develop privacy policies containing certain content, including categories of CHD collected; purpose for collection and use, and, for Nevada, sharing; sources from/to which CHD is collected and shared; and mechanisms for consumers to exercise rights/submit requests concerning CHD. Washington requires a "consumer health data privacy policy" that appears distinct from a general privacy policy. 
  • Security Controls. Entities must implement security safeguards and restrict access to CHD. 
  • Data Processing Agreements. Third-party CHD processing must be pursuant to a contract.
  • Rights. In essence, both laws provide consumer rights, including the rights to: know about an entity's collection, sharing, and selling of CHD and to access and review that CHD; obtain a list of third parties with whom the entity has shared or sold CHD; withdraw consent or have the entity cease collecting or sharing CHD; and have CHD deleted.
  • Geofencing Restrictions. Using geofencing (technology designed to establish virtual boundaries around specific geographic locations) to identify consumers seeking health care services, collect CHD, or send related notifications or advertisements is prohibited.

Enforcement

  • Perhaps most significantly, Washington is the first to provide consumers with a private right of action for CHD-related violations. Conversely, Nevada allows only for government enforcement.
  • Violations of Washington's law are per se violations of Washington's Consumer Protection Act, which may result in damages of up to $25,000, and costs and attorneys' fees. By permitting private action, this law marks a new era in privacy litigation, significantly increasing plaintiff/class action risks.

Recommendations

Given potential litigation and government enforcement, companies collecting CHD should review and potentially revise their policies, representations, and data sharing and collection practices, including by eliminating geofencing.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.