The Supreme Court's ruling in the Dobbs decision, which overturned Roe v. Wade and Casey v. Planned Parenthood and eliminated the constitutional right to an abortion, permitted states to regulate access to abortion services. Since the Supreme Court issued its opinion on June 24, 2022, privacy, consumer and reproductive health care advocates have raised concerns about the impact the decision has already had, and will continue to have, on the use of consumer health data from apps and websites, including the potential for collection and sharing of such data without consumers' permission or knowledge, or for use of such data for targeted advertising purposes. For more background on these concerns, see "Tech Companies Need to Prepare for the Data Privacy Implications of Dobbs v. Jackson Women's Health Organization."
Despite widespread belief to the contrary, a significant amount of consumer health-related information is largely unprotected under existing federal privacy laws. For example, the Health Insurance Portability and Accountability Act (HIPAA) applies only to health information that is transmitted, maintained, stored, or disclosed by "covered entities" and their "business associates" as defined by the act. Most businesses collecting consumer health information through wearable technology, websites and applications do not fall under these categories and are, therefore, not within the scope of HIPAA protection. It is important to note that the lack of protection for health information that falls outside of HIPAA's reach existed prior to the Dobbs decision and was not, as was rumored immediately after Dobbs, a result of the decision. Thus, in response to concerns about perceived gaps in privacy protections for what is arguably among the most sensitive information, some states have proposed legislation that would create new or additional privacy protections for consumer health information. These states include:
- New York: In January 2023, SB 158 was introduced in the New York Senate. If passed, the new law would require businesses offering electronic health products or services (broadly defined to include software, hardware, mobile applications, websites and related products or services) to obtain affirmative and express consent from users prior to the processing of their personal health information. Additionally, businesses would be required to provide consumers with an effective mechanism to revoke their consent at any time after it has been given. The proposed law also contains a private right of action.
Other states, such as Illinois (SB1601), Maryland (HB 995 and SB 790), and Massachusetts (companion bills HD 3855 and SD 2118), are also considering similar laws to add further legal protection to sensitive health information and require that consumers have greater control over their information. We expect other states will also propose new laws in the near future. As such, businesses that handle consumer health information should closely monitor the trajectory of state health data privacy bills.