Quiet, But Mighty: Consumer Health Data Privacy Acts
Outlining the impact of Washington's My Health My Data Act and Nevada's consumer health data privacy act SB 370, including next steps for organizations, how the privacy & HIPAA gap is filled, & more

It can feel like there is a constant barrage of new regulations in the world of data privacy, security, and AI these days. In the U.S., individual states continue to roll out their own data privacy laws, Congress is currently debating a federal privacy regulation, and AI acts are starting to emerge. While each one has its distinct rationalization and intended value-add, it can be hard to keep track of the variety and volume of regulations.
There are two recent laws covering consumer health data that may have a significant impact on businesses, but these laws have largely been overshadowed by the industry’s current focus on AI. These two laws are Washington State’s “My Health, My Data Act” (MHMDA) and Nevada’s Senate Bill “SB 370”. These two consumer health data privacy acts are intended to close the gap between the Health Insurance Portability and Accountability Act (HIPAA) and other jurisdictional privacy laws.
The HIPAA Gap
Recent research conducted by the American Health Association found that more than 92% of people believe privacy is a right and that their health data should not be available for purchase by corporations or other individuals. Another survey conducted by The Harris Poll noted that “some 81% of consumers surveyed said they assumed their data was protected by the Health Insurance Portability and Accountability Act (HIPAA).” Given the added consideration that individuals, whether in cases of emergency or simply based on circumstance, lack the ability to pick and choose when and where they procure healthcare services, it might feel like individuals have little choice but to hope that this information is handled properly.
You might ask at this point: Do existing regulations for handling health information in the United States meet these public expectations? Do we have proper protections today that help secure our health information?
As it stands, and as has been the case for quite some time, HIPAA is scoped in a way that carves out only a specific portion of the health information handled in the healthcare and broader technology/service ecosystem. HIPAA protects information that meets the criteria for what the United States Department of Health and Human Services has defined as “Protected Health Information” (PHI). While one might expect this definition to apply broadly to all information relating to one’s past, present, or future health state, the reality is that HIPAA pertains to a much smaller portion of what a typical patient might deem health-related.
The nuance in determining what is and is not protected today involves not only the type of information being collected, but also the individual or entity collecting the data and the purpose(s) for which they are collecting the information.
As an example, consider two different circumstances involving consumer health data. If a doctor asks for a woman's menstrual cycle data during her annual checkup and records the information in her electronic health records, that information would be protected under laws like HIPAA. However, if the woman enters the same information herself into a tracking app designed to help her identify trends in her data for fertility or other purposes, any information that app’s data controller may store is likely not protected in the same manner.
For another example, consider wearable technology like smart watches (e.g., Fitbit, Apple Watch, etc.). If my healthcare provider collects this information and uses it to diagnose my heart health and overall wellness, with the intention of making recommendations or diagnoses for me in the future, then that information would likely be protected under HIPAA. On the flip side, if I wear a Fitbit for my own personal information and Google collects the information fed through the watch, then Google’s collection and usage of that information may not be protected under the same laws.
Drawing Inferences
This gap in coverage is highly contextual and, even for many practitioners in the privacy space, can be confusing. Average consumers are often either unaware of this context or are left feeling helpless to protect themselves and their information. Until now, consumers’ only recourse has been through consumer-based privacy regulation, which often does not offer the same level of protection over a key area in this space: inferences.
As an example, a consumer may use a search engine to look for resources around mental health struggles and pursuing mental wellness. From there, the company monitoring their activity on the platform may deduce that the user profile has specific interest in additional materials involving or related to mental health and wellness. Whether for future recommendations, results filtering, or for sharing with partners that might offer products or services, determining from that activity that a consumer is a person interested in this topic and aligning that conclusion to a profile would be considered an inference (or inferential data). This includes using non-health information (purchases, web activity) to draw inferences about consumer health information.
Inferences drawn from personal information continue to be an unclear area for privacy regulation, due in large part to questions around whether an individual owns information generated about them by others, how the usage of such data can be meaningfully monitored, and what rights can be reasonably granted to individuals in controlling the use of such information by third parties. However, these two new consumer health data privacy acts tackle the murky area of inferences as part of their overarching definition of consumer health information in scope.
Enter: Consumer Health Data Privacy Acts – Washington and Nevada
One of the driving motivations for the new legislation is to address the gaping hole left between what is governed by HIPAA and what is governed by limited consumer privacy laws. That is, these acts apply to a broader term, known as “consumer health data”, which is defined as:
“Personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status.”
The laws are not limited to HIPAA’s “covered entities” and “business associates”, nor are they limited to information processed for purposes of the diagnosis and/or treatment of one’s health. Furthermore, they include a variety of data types including (but not limited to) information regarding interventions, gender-affirming care, reproductive and sexual health information, biometric data, genetic data, and precise geolocation data that corresponds to any of the above.
It is important to note that these laws do not override HIPAA in their application. Instead, they encompass a vast amount of what traditional health protections like HIPAA and tangential consumer privacy laws in the United States have left on the table. For individuals, this is beneficial because it can be incredibly difficult to identify when your information ceases to be governed by one law and starts being covered by another (if it is covered at all). Suffice it to say, most businesses won’t tell you if or when this happens (assuming they know themselves) unless there is a legal or ethical imperative to do so.
For businesses, these consumer health data privacy acts are beneficial in addressing a longstanding question about whether said data can and should be handled in a standard fashion. And, consequently, such acts encourage what we have long recommended to our clients: that treating data protection of personal information in a comprehensive, holistic way is more manageable than shifting from law-to-law, patchworking together a “compliant” privacy program.
Regulations, Laws, and Acts - Oh My!
Many organizations have gotten comfortable with longer-standing privacy regulations such as HIPAA and GDPR. However, we are entering an era where both the pace and the volume of regulation are rapidly increasing:
Artificial Intelligence (AI) regulation and other acts such as the Digital Services Act (DSA) continue to emerge in the European Union
The evolution of online data practices has expanded the relevance of federal laws developed years ago, like the Video Privacy Protection Act and anti-wiretapping laws
Countries across the globe continue to roll out their own standalone privacy laws (PIPEDA, DPDA)
General, omnibus privacy regulations and topic-specific laws (e.g., BIPA) have been signed or adapted in multiple U.S. states each year
As a result, organizations must be nimble in identifying and assessing each of these laws, determining their respective relevance to existing operations, and implementing necessary changes in an iterative, documented fashion.
The introduction of Washington’s and Nevada’s consumer health data privacy laws creates a new standard requiring organizations to assess how their consent management, data collection, and processing practices are impacted. Both laws went into effect for large organizations on March 31, 2024, and take effect for smaller businesses on June 30, 2024. It is noteworthy that these laws apply to nonprofit organizations as well.
Also note that Washington’s MHMDA includes a private right of action. This allows individuals to bring suits against organizations directly for damages resulting from alleged infractions of the law, rather than relying solely upon their State Attorney General to bring matters to the courts. For companies, this could increase the likelihood that public concerns are brought into the court system, whereas other privacy laws in the United States tend to limit litigation to that initiated by governmental representatives on behalf of their constituents.
What should companies do next?
So, with all the above in mind, what can you do as an organization to align your policies and practices with the new consumer health data privacy laws?
Determine the laws' relevance and impact for your organization. Companies may hear "consumer health" and automatically think it doesn't apply to them; however, an important point to keep in mind is the variety of ways you might be collecting such information. For example, if your users have a mechanism for publishing free-form text in a profile or chatting with other users, there is a possibility they will share this information (and your company will collect it). Additionally, the definition of consumer health data is broad and encompasses past, present, and future physical and mental health, along with inferences about consumer health that can be drawn from non-health information.
If you collect, process, store, infer, share, or sell consumer health information (as defined in the regulations), draft and publish a Consumer Health Data Policy. It must be separate and distinct from any other privacy policies that already exist, and it must be accessible via a link from the homepage and from any other page included in the user data collection process.
Assess your current data inventory and tagging procedures to include new tags that indicate relation to consumer health information.
Update your data subject request procedures and workflows to accommodate requests regarding consumer health data, as the approach and corresponding logic for fulfillment will likely be unique for each organization and additional requirements may be necessary (such as providing contact information for third parties).
Pay special attention to any data selling and geofencing practices that your organization may utilize today or in the future, as both have specific obligations that are likely to alter your approach and implementation for such practices.
Review your consent management workflows to determine current practices and align those with requirements in the new legislation (e.g., ensure that you are capturing user consent for consumer health data sharing that is separate and distinct from consent gathered for data collection).
If any of the above seem overwhelming or you’re just not sure where to start, never fear! Privacy practitioners at Cadence Privacy Consulting are here to help and have experience in building and strengthening new and existing privacy programs to handle your current challenges and whatever may come around the corner. Contact us today!