If your organization does business across the U.S. and collects consumer health data (broadly defined, health inferences generated from non-health data count), compliance with U.S. state consumer health privacy laws is just around the corner. Consumer health privacy laws in Nevada (Senate Bill 370) and Washington (the My Health My Data Act) become fully operative for regulated entities on March 31, 2024. Requirements specific to consumer health data are already operative in Connecticut.
Here are the top 6 things to do now:
1. (Re)consider online tracking technologies and don’t sell consumer health data. Organizations in the health or wellness related industries should weigh the advantages of any online tracking technologies against the risks that such tracking, which typically involves disclosing personal information to other parties, is considered “selling” of consumer health data. Selling is any disclosure of consumer health data for valuable consideration. Under each of the Nevada and Washington laws, any “selling” of consumer health data requires signed authorization (a form of signed opt-in) that is practically cumbersome to obtain.
Guidance from the department of Health and Human Services provides that when an entity regulated by the U.S. federal Health Insurance and Portability Act (HIPAA) collects an individual’s IP address, such information connects the individual to the regulated entity (even if there is no existing relationship with the entity) and constitutes individually identifiable health information. Given the broad definitions of consumer health data in the Nevada and Washington laws, IP addresses may be found to be consumer health data under such laws and subject to the requirements related to “selling”. Selling may be any disclosure of consumer health data, such as IP addresses, where the recipient is not contractually bound to restrictions on using the data.
2. Document necessity or obtain consent. Under each of the Nevada and Washington laws, regulated entities are required to obtain consent before collecting and sharing consumer health data beyond what is necessary to provide a product or service that the consumer has requested. Consent to sharing must be separate and distinct from the consent to colleting consumer health data beyond what is necessary.
Numerous recent general U.S. state consumer privacy laws, including the California Consumer Privacy Act, have similar requirements to obtain consent when personal information is processed beyond what is necessary. Regulated entities (and organizations doing business in the U.S. in general) should analyze and document the necessity of its personal data handling practices and obtain consent as required when necessity is not met.
The consent requirements are different from, and are in addition to, the signed authorization requirements that apply to selling.
3. Determine what data is in scope. Organizations clearly operating in the health care industry and already subject to prescriptive health privacy laws, such as HIPAA, or the rules adopted by Washington’s Office of the Insurance Commissioner (Insurance Commissioner Rules), benefit from certain exemptions under the new state consumer health privacy laws (the Washington law only has data level exemptions, but the Nevada law has data and entity level exemptions). Other organizations, such as certain wellness companies, may have to comply with the new state laws for more of the personal information it processes because no exemptions apply. Determining what data is in scope, and exactly with which parties consumer health data is shared, is necessary to draft new required privacy policies and update data subject request programs.
4. Update privacy policies. The Washington law has disclosure requirements that are unique. Regulated entities are required to list by name every (non-data processor) affiliate to which they disclose consumer health data. Preparing new dedicated policies or creating state-specific sections in existing online privacy disclosures may be easiest to manage and most transparent for consumers, but each organization will need to assess its privacy disclosures overall to determine its approach.
5. Update data subject request programs. Adding to existing data subject rights that apply to some organizations (e.g. consumers have extensive existing rights under the Insurance Commissioner Rules in Washington), regulated entities should prepare for data subject requests under the new state laws. Notably, there are limited exemptions available to regulated entities upon which to deny requests.
6. Don’t geofence around health care facilities. It is unlawful for any person to implement a geofence to identify, track, collect data from, or send notifications or messages or advertisements related to a consumer’s health data to, a consumer within certain distance from in person medical/health facilities. This prohibition should not be relevant for most organizations (because they don’t and would not consider such geofencing), but is outright prohibited under each of the Nevada and Washington laws and therefore makes this top 6 list.
Outlook
As the Washington My Health My Data Act has a private right of action, requirements (which are very similar in the Washington and Nevada laws) will become clearer as they are interpreted in court. Taking the 6 actions above now should position your organization well in the meantime.
