Broader State Scrutiny of Consumer Health Data Tests Companies

Washington Gov. Jay Inslee made a significant move April 27 by signing a groundbreaking health privacy law. The My Health My Data Act introduces an all-encompassing privacy framework for organizations operating in the state that deal with consumer health data not protected by HIPAA.

Washington is the only state that has enacted a law specifically targeting privacy and security of medical and health-related information not covered by HIPAA. But lawmakers in other states have also noted the gap in protections for this kind of information, and have proposed or are considering similar laws.

Among other things, Washington’s law, effective March 31, 2024, requires the following of each regulated entity—those conducting business in Washington, or producing or providing products or services targeting consumers in Washington:

Maintain and publish a consumer health data privacy policy
Obtain a consumer’s affirmative opt-in consent to collect and share consumer health data, unless the collection or sharing is necessary to provide a product or service that the consumer has requested from that entity
Grant consumers with access, deletion, and other rights regarding their health data

The MHMDA also prohibits regulated entities from implementing a geofence around facilities that provide in-person health-care services, if the geofence is used to identify or track consumers seeking health care services, collect health data from consumers, or send unsolicited messages to persons at such health facilities. Significantly, the MHMDA also includes strict biometric privacy rules and provides a robust private right of action for consumers to sue companies for any violations of the MHMDA.

Other State Proposals

Here is the latest on those states that may follow Washington’s lead.

New York. On Jan. 4, the New York Health Information Privacy Act was introduced in the Senate. The bill broadly defines health information as any information relating to an individual, or a device that is reasonably linkable to an individual, in connection with physical or mental health, and includes location or payment information relating to an individual’s physical or mental health and any data derived from it.

If passed, the law would require regulated entities—defined broadly as any entity that controls the processing of health information of individuals in New York—to, among other things:

Obtain a “valid authorization” from consumers prior to the processing of their health information, unless the processing is “strictly necessary” for the purpose of providing a product or service requested by such individual, conducting the regulated entity’s internal business operations, protecting against malicious, fraudulent, or illegal activity or detecting, responding to, or preventing security incidents or threats, or complying with legal obligations
Provide consumers with a clear and conspicuous notice that describes the types of health information collected, the purposes of processing, all third parties with whom health information may be shared, and a mechanism by which the individual may request access to and deletion of data
Delete any health information collected from a consumer within thirty days of receiving a deletion request and notify all affiliates, service providers, and other third parties with whom the regulated entity has shared the data.

Unlike the MHMDA, there are no provision requiring businesses to delete data from archived or backup systems. Like the MHMDA, the bill includes data sale prohibitions and a private right of action. However, it lacks that law’s specific biometric consent requirements.

Maine. On May 9, Maine’s legislature introduced the Act to Protect Personal Health Data to the Maine House of Representatives, modeled on the MHMDA.

Massachusetts. Massachusetts lawmakers filed companion bills HD 3855 and SD 2118 for a Consumer Health Data Act, modeled on the MHMDA, but without that law’s geofencing prohibitions.

Nevada. SB 370 was introduced in the Senate on March 23, including provisions that largely mirror the MHMDA, but not providing for a private right of action.

Illinois. On Feb. 9, the Health Data Privacy Act was introduced in the Illinois Senate. The bill currently lacks text.

Existing Consumer Privacy Laws

While the MHMDA and these other state bills would focus specifically on health-related information, current state consumer privacy laws also include enhanced obligations for processing of sensitive personal information, including health information. For example, privacy laws in Virginia, Colorado, and Connecticut require companies obtain consumer opt-in consent and conduct data protection impact assessments prior to processing sensitive data, including health information.

In comparison, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, adopts a less stringent standard by giving consumers the right to limit the use of their sensitive personal information. Similarly, under the Utah Consumer Privacy Act, controllers may process sensitive data on an opt-out rather than opt-in basis.

Compliance Considerations

Businesses that collect consumer health information should closely monitor the trajectory of state health data privacy bills and prepare to strengthen protections for this data. Given the broad scope of the MHMDA and its stringent requirements, businesses subject to it could leverage efforts to ensure compliance with similar health data laws that may be passed in other states in the near future.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Jacqueline Klosek is partner at Goodwin’s technology/life sciences group, concentrating on data, privacy, and cybersecurity, intellectual property transactions, health care, hospitality, and tech M&A practices.

Federica De Santis is an associate at Goodwin’s technology group and data, privacy, and cybersecurity practice.