New State Health Privacy Laws—Moving Beyond HIPAA And Recasting Consumer Health Data Rights?

Jones Day


Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.
United States Privacy

Effective March 31, 2024, the laws impose requirements relating to a new category of consumer health data ("CHD"), create consumer rights/protections, and potentially introduce increased privacy enforcement and litigation.

Regulated Entities and Data

  • Both laws apply to entities, and data processors acting on their behalf, that conduct business or provide products/services to consumers in the state and, alone or jointly, determine the purpose and means of handling CHD. Washington's law also applies to "small businesses" that meet certain consumer and revenue thresholds, which have until June 30, 2024, to comply.
  • Protected consumers generally include state residents and individuals whose CHD is collected within the state.
  • Both laws exempt certain types of data, including under HIPAA and the Gramm-Leach-Bliley Act.

Key Obligations

  • Consent and Authorization for Collecting/Selling/Sharing. Entities must obtain affirmative—separate—consent before collecting or sharing CHD, unless providing a consumer-requested product/service. Entities must obtain separate consumer authorization before selling/offering to sell CHD, which is effective for one year.
  • Privacy Policies. Entities must develop privacy policies containing certain content, including categories of CHD collected; purpose for collection and use, and, for Nevada, sharing; sources from/to which CHD is collected and shared; and mechanisms for consumers to exercise rights/submit requests concerning CHD. Washington requires a "consumer health data privacy policy" that appears distinct from a general privacy policy.
  • Security Controls. Entities must implement security safeguards and restrict access to CHD.
  • Data Processing Agreements. Third-party CHD processing must be pursuant to a contract.
  • Rights. In essence, both laws provide consumer rights, including those to: know about an entity's collecting/sharing/selling of CHD and access/review; a list of third parties with whom the entity has shared/sold CHD; withdraw consent or cease collection/sharing of CHD; and delete CHD.
  • Geofencing Restrictions. Geofencing—technology designed to establish virtual boundaries around specific geographic locations—to identify consumers seeking health care services, collect CHD, or send related notifications/advertisements, is prohibited.

Enforcement

  • Perhaps most significantly, Washington is the first to provide consumers with a private right of action for CHD-related violations. Conversely, Nevada allows only for government enforcement.
  • Violations of Washington's law are per se violations of Washington's Consumer Protection Act, which may result in damages of up to $25,000, and costs and attorneys' fees. By permitting private action, this law marks a new era in privacy litigation, significantly increasing plaintiff/class action risks.

Recommendations

Given potential litigation and government enforcement, companies collecting CHD should review and potentially revise their policies, representations, and data sharing and collection practices, including by eliminating geofencing.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
