Over decades, observers have witnessed the emergence of a void within U.S. privacy law with respect to the protection of health information. Due to limitations in the scope of the Health Insurance Portability and Accountability Act, a broad array of health data, such as that collected by mobile devices, apps or wearable fitness trackers, has remained mostly outside the law’s reach. Indeed, privacy expert James Dempsey has even estimated "the majority of health-related data" may fall outside of HIPAA’s scope.
However, the new comprehensive U.S. state privacy laws taking effect throughout 2023 — the California Privacy Rights Act and the Virginia Consumer Data Protection Act on 1 Jan., the Colorado Privacy Act and Connecticut's An Act Concerning Personal Data Privacy and Online Monitoring on 1 July, and the Utah Consumer Privacy Act on 31 Dec. — have the potential to fill these gaps. Given their entry into force, the regulation of health information in the U.S. is worth reexamining. So, how much promise does this class of state privacy laws hold for filling the void in the regulation of consumer health data in the U.S.?
Consumer health data and U.S. privacy law
There are several structural reasons for the historical gaps in the regulation of health information in the U.S. Chief among these is that, in contrast to most other countries, the U.S. lacks a comprehensive, or omnibus, consumer privacy law at the federal level that would apply a uniform set of rules to the collection and use of health-related (and other) data. Indeed, the U.S. is becoming a global outlier because its regulation of information privacy takes a sectoral approach, meaning its laws tend to target specific industries rather than apply broadly across the economy.
Breaking out of the sectoral mold, however, 2023’s state privacy laws are comprehensive, omnibus-style laws. In other words, they do not narrowly regulate consumer health data or any single industry but extend across the entire private sector. The next section more precisely examines the scope of these laws.
Entity-level and data-level exemptions
First, the 2023 state privacy laws generally apply only to for-profit businesses that meet certain thresholds. They tend to exempt state and local government agencies, nonprofits and institutions of higher education. Yet, there are some exceptions to this pattern. Colorado’s privacy law, for instance, applies to nonprofits. And, while nonprofit organizations are generally exempt from the business requirements of the California Privacy Rights Act, they may be subject to requirements placed on service providers, contractors or third parties, if they happen to fall into one of those categories.
Second, in addition to the entity-level exemptions described above, certain types of data can be exempt, no matter where or by whom they are collected or processed. For example, employee and human resources data are generally exempt from these state laws (except the CPRA). In general, deidentified data is also excluded from the definitions of personal information or personal data in these laws, as is publicly available information that can be accessed through government records or the media.
Third, all the state privacy laws have some kind of HIPAA-related exemption, which differ in many important ways, as explored in the following section.
HIPAA-related exemptions across the five states
Perhaps the broadest HIPAA exemption is in Virginia’s privacy law. Containing both entity-level and data-level exemptions, Virginia’s privacy law exempts not only the entirety of covered entities or business associates governed by HIPAA, but also:
- Protected health information under HIPAA.
- Health records, such as those held by local health departments and utilities.
- Patient identifying information already subject to confidentiality requirements under 42 U.S. Code § 290dd–2.
- Identifiable private information for the protection of human subjects under 45 CFR Part 46.
- Health care-related information that is deidentified (pursuant to the deidentification requirements of HIPAA).
Next in breadth of its HIPAA-related exemption may be the Colorado Privacy Act. Its data-level exemptions remove from the scope of the law protected health information collected by a HIPAA-covered entity or business associate, "information and documents created by a covered entity for purposes of complying with HIPAA," and patient records in the custody of health care facilities and individual health care providers.
Similarly, while Utah’s and Connecticut’s laws lack the entity-level HIPAA exemption in Virginia’s law, they mostly mimic its data-level exemptions.
Within the CPRA, HIPAA-related exemptions also tend to be at the data level, exempting certain types of data rather than entities altogether. Namely, the CPRA exempts protected health information collected by a covered entity or business associate governed by HIPAA, as well as medical information governed by California’s Confidentiality of Medical Information Act.
While not quite a blanket entity-level exemption, the CPRA exempts providers of health care governed by HIPAA and CMIA insofar as they maintain patient information "in the same manner" as they maintain medical information as required by CMIA or protected health information as required by HIPAA. The wording of this exemption seems to limit it to data about patients that is given the same level of protection as protected health information.
Put differently, health care providers and other companies that process health data are not generally exempt from the CPRA and the Colorado, Connecticut and Utah privacy laws at the entity level. Instead, these four laws provide exemptions concerning health-related data sets.
For example, because the CPRA exemptions mostly apply to HIPAA-defined protected health information, CMIA-defined medical information or patient information (a term the CPRA does not define), other personal health-related information about California residents, such as that collected through websites or mobile apps, would not be covered by these exemptions. In other words, a health care provider might still have CPRA obligations, but not with respect to the protected health information of patients. Moreover, if an organization collects data on individuals who are not patients of the organization, the CPRA’s HIPAA-related exemptions likely do not apply.
Definitions of and protections for sensitive data
After walking through the scope of their exemptions, the next important step is to look at how the state laws define sensitive health information. With a particular focus on the challenges around reproductive health apps, IAPP Westin Research Fellow Amy Olivero examined the types of health-relevant information subject to stricter requirements within each law.
In line with most other privacy and data protection laws, the 2023 state privacy laws recognize certain kinds of information as sensitive and deserving of heightened protection. Yet, each state law’s definition of sensitive data is different, so it is important to understand what types of health-related information fall within the scope of each.
Like European data protection law, the CPRA defines sensitive personal information to include race, religion and union membership, as well as genetics, biometrics, health and sexual orientation. Yet, as Google's global law enforcement and government access lead Katelyn Ringrose, CIPP/E, CIPP/US, CIPM, FIP, explained, other types of sensitive data "may yet be added through California’s rulemaking process, and the definitions of each, similarly, are subject to change."
While the Colorado, Connecticut, Virginia and Utah privacy laws may arguably contain more limited definitions of sensitive data compared to the CPRA, across all the 2023 state privacy laws genetic, biometric and mental health information, as well as information about an individual’s sexual orientation tend to be considered sensitive types of information. An important caveat, however, is the CPRA only subjects sensitive personal information to heightened requirements if it is collected or processed for "the purpose of inferring characteristics about a consumer."
In addition to variances in how sensitive data is defined within each law, the laws impose different requirements related to data collection and use.
In general, the CPRA and Utah’s privacy law require companies to provide consumers with the choice to opt out of the processing of most types of sensitive personal data. One exception under the CPRA is the information of consumers 13 to 15 years old, whose sale or sharing requires a two-step process to request and confirm opt-in consent. Meanwhile, Virginia, Connecticut and Colorado take a more hybrid approach, requiring opt-in consent for the processing of sensitive information, but opt-out for the sale of nonsensitive personal information and targeted advertising.
Practical considerations for privacy professionals
Given the uniqueness of each law’s HIPAA-related exemptions, definitions of and protections for health information, it remains a significant challenge for organizations to understand whether and how they fall within the scope of the 2023 state privacy laws. Nonexempt organizations must also determine which parts of their operations, or which of their data sets, the laws apply to. As mentioned above, for entities covered by and already compliant with HIPAA, Virginia’s entity-level exemption would likely remove them in part or entirely from the scope of compliance, depending on the nature of their business.
Parsing out the data-level exemptions contained in the four other state laws is more complicated. Even if some of an organization’s information collection or processing is exempt, organizations subject to HIPAA must still comply with the 2023 state privacy laws with respect to any data they collect and process that is not protected health information as defined by HIPAA. Examples could be employee information maintained by the HR department of a covered entity or health-related information collected from employees, such as information regarding maternity status or COVID-19 status, for the purpose of administering leave benefits or for workplace safety reasons, respectively.
Given these nuances, here are three actionable takeaways for privacy pros:
- Know what health data an organization holds by conducting a data inventory or data mapping.
Among other things, this helps organizations identify what collected data qualifies as protected health information under HIPAA, and what does not. At this stage, businesses should also consider the evolving definition of sensitive information, such as the definition put forth in the U.S. Federal Trade Commission’s complaint against GoodRx, which includes data that could be linked to or allow inferences about an individual’s chronic physical or mental health conditions, medical treatments, treatment choices, life expectancy, disability status, parental status, substance addiction, sexual and reproductive health, or sexual orientation.
- Update the organization’s privacy policies in line with the 2023 state privacy laws.
Separate from the HIPAA-required Notice of Privacy Practices, the CPRA requires health care entities to provide a privacy notice, or notice at collection, to data subjects such as employees or consumers. The policy must inform them of the categories of sensitive personal information collected, such as health data, and disclose whether this information is sold or shared, as well as the length of their retention periods. If the business does sell or share sensitive personal information, the policy must provide an opt-out link. Third parties the business allows to control the collection of personal information, such as benefits providers, must also be named in the policy.
- Develop and implement mechanisms for receiving and responding to privacy rights requests from individuals and HR data subjects.
These are in addition to HIPAA requirements for receiving and responding to patient rights requests. Health care entities should have at least three workflows for privacy requests: one for general consumer privacy rights requests, one for HR data subject privacy rights requests and one for HIPAA patient rights requests.
Laboratories of state privacy law
In his 1932 dissent in New State Ice Co. v. Liebmann, Justice Louis D. Brandeis wrote: "It is one of the happy incidents of the federal system, that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country." As the exemplar of Justice Brandeis’ sentiment, California passed the first comprehensive state consumer privacy law in the U.S. in 2018 with the CCPA, a law that prompted several additional states to take similar action. Joining California, consumer privacy laws in Virginia, Colorado, Connecticut and Utah will all go into effect at various times throughout 2023.
But laboratories can get messy, and complexity is generated by the matrix of state and federal regulation within the U.S.’s approach to privacy regulation. In the words of privacy scholar Daniel Solove, the web of laws that pertain to health information is "tangled and complex," and it has been made even further so by the introduction of these new comprehensive state privacy laws. While the legislative intent of HIPAA-related and other exemptions within these state laws is likely to prevent the emergence of overlapping and potentially conflicting legal obligations, they have added complexity to the scope of these laws.
Enforcement of these laws in most states will be the responsibility of the state attorneys general, with California being the only one with an agency — the California Privacy Protection Agency — solely dedicated to privacy regulation. For its part, the FTC has also sought to fill the legal void in the regulation of consumer health data, in part through its recent enforcement action against GoodRx for sharing consumer data with other companies, such as Google and Facebook, in violation of the Health Breach Notification Rule. Similarly, in a recent joint statement on Amazon’s acquisition of One Medical, FTC Chair Lina Khan and Commissioners Rebecca Kelly Slaughter, Christine Wilson and Alvaro Bedoya warned companies may be in violation of the law if they do not have "adequate safeguards or controls in place" to protect sensitive data and "obtain consumers’ express affirmative consent for marketing based on sensitive data such as health data."
Lastly, at least one state has drafted a legislative proposal that would specifically target the processing of health data. In Washington state, the My Health, My Data Act was passed by the House of Representatives in early March. The bill draws inspiration from the My Body, My Data Act of 2022, introduced in Congress following the Supreme Court’s 2022 decision overturning Roe v. Wade, and may serve as a model for future legislation in other states.
Both federal and state lawmakers have been trying to address these gaps in the law while keeping up with new technologies, types of data, uses for data and methods of collection. With Congress in a stalemate on how to resolve these problems, however, states have taken the lead. While many figurative beakers are bound to break within these laboratories of state privacy law, they are all but certain to produce interesting results.