As States Pass a Patchwork of Privacy Laws, Navigating Privacy in the Health Care Sector Gets More Complicated by the Day
This Feature Article is brought to you by AHLA's Health Information and Technology Practice Group.
July 01, 2024
Adam Greene, Davis Wright Tremaine LLP
Long before the Health Insurance Portability and Accountability Act of 1996 (HIPAA),[1] states have been regulating privacy in the health care sector. The HIPAA privacy regulations have always been a “floor” rather than a “ceiling,” with state privacy law layered on top.[2] Navigating a patchwork of federal and state privacy laws is nothing new for the health care sector. But two recent developments have changed this landscape significantly, leading to greater complexity than ever before. First, California enacted the California Consumer Privacy Act (CCPA) in 2018,[3] beginning a trend of state general privacy laws that continues to spread across the country. Second, the U.S. Supreme Court issued Dobbs v. Jackson Women’s Health Organization,[4] reversing Roe v. Wade, and leading to new concerns about the privacy of reproductive health care information. As a result, health care organizations may have to navigate general state privacy laws (like CCPA), consumer health privacy laws (such as the Washington My Health My Data Act[5]), medical privacy laws (such as the Texas Medical Records Privacy Act[6]), state laws governing specific health conditions (such as Cal. A.B. 352, protecting reproductive health information), in addition to HIPAA and other federal privacy laws (such as the Confidentiality of Substance Use Disorder Patient Records Rule at 42 C.F.R. Part 2 and Section 5 of the Federal Trade Commission Act[7]).
This article discusses the new breeds of privacy laws and the complex ways in which they interact with health sector entities.
State General Privacy Laws
The current trend of state general privacy laws traces back to 2018. At that time, a California consumer group gained enough signatures to have a comprehensive privacy law appear on the upcoming November 2018 ballot. In response, the California legislature reached an agreement with the proponents of the ballot initiative, enacting the CCPA in exchange for the withdrawal of the ballot initiative.[8] Since that time, the CCPA has been amended a number of times, including through a 2020 ballot initiative known as the California Consumer Privacy Rights Act.[9] The CCPA includes numerous consumer rights, such as a deletion right; a correction right; a right to know what personal information is collected, sold, or shared, and to whom; a right to opt-out of the sale or sharing of personal information; a right to limit the use and disclosure of sensitive personal information; and certain additional notice rights.
As of April 1, 2024, 15 states have enacted general privacy laws: California, Colorado,[10] Connecticut,[11] Delaware,[12] Florida,[13] Indiana,[14] Iowa,[15] Montana,[16] New Hampshire,[17] New Jersey,[18] Oregon,[19] Tennessee,[20] Texas,[21] Utah,[22] and Virginia.[23] Florida is sometimes not included in the list because its law only applies to a limited scope of businesses (i.e., billion dollar companies that operate smart speakers or virtual assistants or that make at least half their revenue in online advertising).[24]
The general privacy laws include a number of exemptions relevant to the health care sector. All the general privacy laws include an exemption for protected health information (PHI) that is governed by HIPAA. Accordingly, covered entities and business associates will not need to comply with these general privacy laws with respect to PHI that is governed by HIPAA. Some of the laws, such as Connecticut, Florida, Indiana, Montana, New Hampshire, New Jersey, Tennessee, Texas, Utah, and Virginia, completely exempt HIPAA covered entities and business associates. Additionally, for health care entities that are nonprofits, all the state laws exempt nonprofit entities except California, Colorado, Delaware, and Oregon. California generally exempts nonprofit entities unless a nonprofit entity controls or is controlled by a for-profit entity that qualifies as a “business” under CCPA and the nonprofit entity shares common branding with the business. Except for California, all the state laws exempt personal information of employees. The state laws also include a number of other exemptions that may be applicable to health care entities, such as exemptions for information governed by the state’s medical privacy law (e.g., medical information subject to the California Confidentiality of Medical Information Act) and personal data that is collected, processed, or disclosed as part of research subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, at 45 C.F.R. Part 46 or the Food and Drug Administration’s Protection of Human Subjects regulations at 21 C.F.R. Parts 50 and 56.
With all these exemptions, do health care entities need to concern themselves with the states’ general privacy laws? Sometimes, the answer is yes. There tend to be two areas where these new laws may apply.
The first is personal information collected through the health care entity’s website that does not constitute PHI under HIPAA because it does not relate to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.[25] For example, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights has issued guidance on the use of online tracking technologies by HIPAA covered entities and business associates stating that: “Tracking technologies on many unauthenticated webpages do not have access to individuals’ PHI; in this case, a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules.”[26] An IP address indicating that someone visited a health system’s home page may not be PHI that is subject to HIPAA, but may be subject to a state’s general privacy law. Whether the entity must comply with the state law will depend on: (1) whether the entity meets the state law’s applicability thresholds (which are often based on the number of state residents for which the entity controls or processes information and/or the entity’s annual revenues); (2) whether the state law includes a general exemption for HIPAA covered entities and business associates (rather than an exemption that is limited to PHI); and (3) whether the entity is for-profit or, if a nonprofit entity, whether the state law exempts nonprofit entities.
The second area where a state privacy law may apply is in California with respect to personal information of employees or business-to-business (B2B) personal information (such as information about referral sources). If a health care entity is a for-profit entity that meets applicable CCPA thresholds (e.g., annual gross revenues in excess of $25 million or handles the personal information of 100,000 or more California residents), or a nonprofit entity that is controlled by or controls a for-profit entity with which it shares common branding, then it may need to comply with CCPA regarding personal information of California employees and B2B contacts.
HIPAA business associates also will need to evaluate whether they are potentially subject to the new general privacy laws, either as a data controller or as a data processor. Many of the laws categorically exempt HIPAA business associates—even if the entity is only a business associate with respect to a small percentage of its data. Business associates will need to decide whether they are willing to rely on such a broad exemption, or if they will take a conservative view and only treat PHI that is subject to HIPAA as exempt from the state privacy laws and apply the state privacy laws to all other personal information. Certain business associates, such as cloud services providers, may not even have visibility into what data they host and, therefore, may not know what data is PHI subject to HIPAA and what data is personal information subject to state general privacy laws. They may have to make a risk-based decision as to whether to apply both statutory frameworks to all data that may include PHI, personal information under state law, or both.
If a health care entity is subject to one or more state general privacy laws under either of the above scenarios, then it likely will need to build out compliance programs to provide appropriate policy notices and handle requests from data subjects.
State Consumer Health Laws
While California has led the charge with respect to general privacy laws, Washington state has recently changed the privacy landscape by enacting the My Health My Data Act (MHMDA).[27] In the wake of the Dobbs decision, Washington enacted MHMDA given the heightened sensitivity around health information that falls outside of HIPAA. The statute regulates “consumer health data” and requires a consumer health data privacy policy, limits collecting or sharing consumer health data, includes a number of consumer rights with respect to consumer health data (e.g., a right to confirm whether a regulated entity has consumer health data of the consumer and a deletion right), requires appropriate data security practices, and restricts the use of a geofence around an entity that provides in-person health care services for purposes of: (1) identifying or tracking consumers seeking health care services; (2) collecting consumer health data from consumers; or (3) sending notifications, messages, or advertisements to consumers related to their consumer health data or health care services.
MHMDA is particularly far reaching for two reasons. First, the definition of “consumer health data” includes information related to health that is derived or extrapolated from non-health information.[28] For example, the Washington Attorney General provided guidance that, “while information about the purchase of toilet paper or deodorant is not consumer health data, an app that tracks someone’s digestion or perspiration is collecting consumer health data.”[29] The line can get blurry as to what information collected about a consumer is sufficiently related to health such that it qualifies as consumer health data, and it may be difficult to segregate such consumer health data from other personal information for purposes of applying more stringent privacy requirements. Second, MHMDA defines “consumer” as: “(a) a natural person who is a Washington resident; or (b) a natural person whose consumer health data is collected in Washington.”[30] This means that a New York resident may be a consumer whose consumer health data is subject to MHMDA if the New Yorker’s information is collected in Washington state (even by a subcontractor). “Collect” is in turn defined as “to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.” Accordingly, a customer service agent in Washington state accessing a New Yorker’s consumer health data potentially brings such data under MHMDA.
Besides being quite broad, MHMDA is arguably the most stringent privacy law in the country. For example, a regulated entity (generally an entity that conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington) may not collect consumer health data unless necessary to provide a product or service that the consumer has requested or with the consumer’s consent for such collection for a specified purpose.[31] This restriction can have far-reaching consequences, such as effectively precluding the use of artificial intelligence to draw health inferences from non-health information absent each consumer’s specific consent. Another example of MHMDA being more stringent than other privacy laws is that it includes a right of deletion without any exceptions.[32] A consumer can request deletion of their consumer health data, and the regulated entity must delete all such information, even from archived or backup systems, regardless of any business purposes that otherwise may require retention of the information.
With respect to the health care sector, though, MHMDA includes an exemption for “[p]rotected health information for purposes of the federal health insurance portability and accountability act of 1996 and related regulations.”[33] At a minimum, this exempts personal information that is PHI that is subject to HIPAA. If “for purposes of” means “as defined by,” then MHMDA arguably exempts all data that meets the definition of PHI under HIPAA, even if the information is not in the hands of a covered entity or business associate and, therefore, is no longer subject to HIPAA.[34] Information created by a health care provider that is individually identifiable and related to health or health care is PHI under the HIPAA definition, regardless of whether it is in the hands of a covered entity or business associate and, therefore, regardless of whether it is actually protected by HIPAA.[35] For example, if a patient uses a health system’s electronic health record’s application programming interface (API) to transfer PHI from the health system to a consumer application, MHMDA arguably continues to exempt the consumer health data on the consumer application since the data still technically meets the definition of PHI, even though it is no longer protected by HIPAA. Entities who have PHI but are not covered entities or business associates will need to make a risk-based decision as to whether they will apply MHMDA to such information or treat such information as exempt from MHMDA based on the plain text of the statute.
For health care providers, MHMDA should not have significant impact. If a health care provider has consumer health data about an individual, this information generally will qualify as PHI under HIPAA and, therefore, will be exempt from MHMDA. The HIPAA definition of PHI includes individually identifiable health information with four exceptions: (1) education records covered by the Family Educational Rights and Privacy Act (FERPA); (2) records excluded from FERPA at 20 U.S.C. § 1232g(a)(4)(B)(iv) (student treatment records that are not available to anyone other than the treating health care professional or a health care professional of the student’s choice); (3) employment records held by a covered entity in its capacity as an employer; and (4) records of persons deceased for more than 50 years. Education records that are subject to FERPA and employment records are exempt from MHMDA.[36] Accordingly, the only consumer health data that does not meet the definition of PHI under HIPAA and is not otherwise exempt from MHMDA are student treatment records that are excluded from FERPA because they are not available to anyone other than the treating health care professional or a health care professional of the student’s choice and records of persons deceased for more than 50 years. Neither category of consumer health data should arise very often, if ever, and therefore should not create MHMDA compliance issues for health care providers. The biggest risk to health care providers arguably is if a court or regulator interprets that some of the examples specifically listed in MHMDA’s definition of consumer health data—such as biometric data or health data that is derived or extrapolated from non-health information—do not meet the definition of “PHI” under HIPAA and therefore are not exempt from MHMDA. Considering how broadly HHS interprets PHI, however, it is unlikely that HHS would interpret that these types of consumer health data fall outside the definition of “PHI.”[37]
After Washington enacted MHMDA, Nevada followed suit with a very similar consumer health data law.[38] Connecticut then revised its general privacy law to add new consumer health data protections, although Connecticut did not follow MHMDA quite as closely as Nevada.[39] It seems likely that other states will follow suit and add their own consumer health data laws.
State Medical Privacy Laws
In addition to general privacy laws and consumer health data laws, many states continue to have medical privacy laws, such as the California Confidentiality of Medical Information Act or the Texas Medical Records Privacy Act.[40] Unlike consumer health data laws, these medical privacy laws generally are focused on health care providers (although they may capture other entities) and may layer restrictions on top of HIPAA.
In response to Dobbs, a number of states are revising these laws to include new protections for reproductive health care information. For example, California amended the Confidentiality of Medical Information Act to limit disclosing medical information related to an individual seeking or obtaining an abortion to entities outside of California (e.g., to law enforcement or in response to a subpoena) where it may be used to interfere with a person’s abortion rights under California law.[41] California also added limits on sharing abortion information outside of the state through a health information exchange.[42] Maryland similarly prohibits a Maryland judge from ordering a person within Maryland to provide evidence to an out-of-state court with respect to prosecution of health care services that are legally protected in Maryland (e.g., an abortion) and generally prohibits health information exchanges from disclosing information related to abortion care outside of the state without receiving the patient’s consent.[43]
As states increasingly limit disclosure of reproductive health care information (and HHS has amended HIPAA to further restrict disclosure of such information), health care entities will increasingly struggle with segregating that data to ensure that it is sufficiently protected.
Conclusion
With new general privacy laws, consumer health laws, and restrictions on disclosures of sensitive health information, entities in the health care sector must continue to navigate a complex patchwork of federal and state laws. While some of these new laws include broad exemptions for information that is regulated by HIPAA, the devil is often in the details and entities will need to carefully analyze whether they have any non-exempt data that is subject to these new laws.
Adam H. Greene, JD, MPH is a partner in the Washington, DC office of Davis Wright Tremaine LLP and specializes in health information privacy and security laws, assisting health care providers, technology companies, health plans, and financial institutions to navigate HIPAA and the patchwork of other federal and state health information laws. Before joining DWT, Adam worked on HIPAA and the HITECH Act at the U.S. Department of Health and Human Services in its Office of General Counsel and Office for Civil Rights, drafting and negotiating the first HIPAA financial settlement agreements and assisting with implementing the HITECH Act.
This Feature Article is brought to you by the Health Information and Technology Practice Group: Elizabeth Hodge, Akerman LLP (Chair); Jody Erdfarb, Wiggin and Dana LLP (Vice Chair); Jennifer Kreick, Haynes and Boone LLP (Vice Chair); Heather Deixler, Latham & Watkins LLP (Vice Chair); Adam Greene, Davis Wright Tremaine LLP (Vice Chair); and Leeann Habte, Best Best & Krieger LLP (Vice Chair).
1 Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
2 Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462, 82471 (Dec. 28, 2000) (“The protections are a mandatory floor, which other governments and any covered entity may exceed.”).
3
4 Dobbs v. Jackson Women’s Health Org., 597 U.S. 215 (2022).
5
6
7 15 U.S.C. § 45 (2024).
8 California Consumer Personal Information Disclosure and Sale Initiative (2018), https://ballotpedia.org/California_Consumer_Personal_Information_Disclosure_and_Sale_Initiative_(2018).
9
10 Colorado Privacy Act,
11 Connecticut Data Privacy Act,
12 Delaware Personal Data Privacy Act,
13 Florida Digital Bill of Rights,
14 Indiana Consumer Data Protection Act,
15 Iowa Consumer Data Protection Act,
16 Montana Consumer Data Privacy Act,
17
18 N.J. S332 (2023).
19 Oregon Consumer Privacy Act,
20 Tennessee Information Protection Act,
21 Texas Data Privacy and Security Act,
22 Utah Consumer Privacy Act,
23 Virginia Consumer Data Protection Act,
24
25 45 C.F.R. § 160.103 (2024) (definitions of “individually identifiable health information” and “protected health information”).
26 U.S. Dep’t of Health and Hum. Servs. Office for Civil Rights, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html (last reviewed Mar. 18, 2024).
27
28
29 Washington State Office of the Attorney General, Protecting Washingtonians’ Personal Health Data and Privacy, https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy (last visited Mar. 26, 2024).
30
31
32
33
34 45 C.F.R. § 160.102 (2024) (limiting the applicability of the HIPAA administrative simplification regulations to covered entities and business associates).
35 45 C.F.R. § 160.103 (2024) (definitions of “individually identifiable health information” and “protected health information”).
36
37 See, e.g., Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566, 5598 (“If the information is tied to a covered entity, then it is protected health information by definition since it is indicative that the individual received health care services or benefits from the covered entity, . . . .”).
38 Nev. S.B. 370 (2023).
39 Conn. Pub. Act No. 23-56 (2023).
40
41
42
43 Md. S.B. 859 (2023) and Md. S.B. 786 (2023).