New York State appears poised to become the fourth state to explicitly regulate consumer health data not covered by the federal Health Insurance Portability and Accountability Act (HIPAA).

In May of 2023, Washington State enacted the My Health My Data Act; in June of 2023, Connecticut amended its Data Privacy Act; and in March of 2024, Nevada passed Senate Bill 370. In many respects, New York's Health Information Privacy Act (NY HIPA) is broader in scope and effect than its three predecessors.

New York's S929 (Health Information Privacy Act or NY HIPA), sponsored by state Senator Liz Krueger (D), establishes requirements for communications to individuals regarding the disposition of their health information, and requires written consent or a designated necessary purpose for the processing of such health information. NY HIPA addresses vulnerabilities left unaddressed by HIPAA because it applies to a broader range of private companies and protects health information at risk of disclosure through the commercialization of health data.

HIPAA’s Limitations and the Protection of Health Data

HIPAA applies only to “covered entities” and their “business associates.” “Covered entities” include health care providers (such as doctors, clinics, nursing homes, and pharmacies), health plans, and health care clearinghouses.

HIPAA does not apply, for example, to a personal fitness device that tracks an individual's heart rate data and attendant metrics (e.g., blood pressure readings, respiration activity). Thus, such personally sensitive data could be sold to the developer of a stress management tool, to a personalized fitness coaching organization, or to virtually any buyer. The gaps left by HIPAA are particularly salient in women's health in the wake of the Supreme Court's 2022 decision in Dobbs v. Jackson Women's Health Organization. For example, the developer of an application that tracks menstrual cycles could sell such data to any number of organizations for virtually any purpose.

HIPAA also does not apply to geofencing, a type of marketing valued in the billions of dollars, whereby an advertisement or notification is triggered when a mobile device crosses a virtual boundary drawn around a physical location. For example, a geofenced skilled nursing facility may target a visitor with ads for adult diapers, a geofenced dialysis center may target a visitor with ads for streaming services, and a law firm may target a visitor to a geofenced hospital with ads for its medical malpractice services. The marketing applications of this tool are nearly limitless.

Finally, and more generally, concerns over cybersecurity, the notoriety of data breaches,[1] and the expansion of the role of artificial intelligence in health care have moved states to address HIPAA's gaps.

Washington State’s My Health, My Data

The first privacy-focused U.S. law to protect personal health data not protected by HIPAA was passed in Washington State in April 2023. The My Health My Data Act (MHMD Act) protects a consumer’s sensitive health data from being collected and shared by any entity that conducts business in the state. This law is notable in that it contains a private right of action and includes carveouts for public data and research data.

The MHMD Act applies to regulated entities and small businesses; requires additional disclosures and consumer consent for the collection, sharing, and use of health information; gives consumers the right to have their health data deleted; prohibits the selling of consumer health data without valid authorization; and renders unlawful the geofencing of health care facilities. The portion prohibiting geofencing became effective on July 23, 2023; the portion applying to regulated entities became effective on March 31, 2024; and the portion applicable to small businesses became effective on June 30, 2024. 

The MHMD Act defines "small businesses" as regulated entities that either (a) collect, process, sell, or share consumer health data of fewer than 100,000 consumers during a calendar year, or (b) derive less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data and control, process, sell, or share consumer health data of fewer than 25,000 consumers.

Connecticut’s Data Privacy Act

Following quickly on the heels of Washington's Act, Connecticut's Data Privacy Act, signed in 2022 and effective on July 1, 2023, grants rights to consumers regarding the processing of personal data, which the Act defines as "any information that is linked or reasonably linkable to an" individual. Connecticut's Act lacks a private right of action and exempts all nonprofits. Residents of Connecticut have the right to access their consumer data, require companies to correct inaccurate data, request deletion of their data, opt out of the sale of their data, and opt out of targeted advertising. Businesses must obtain consent prior to the sale of data and must conduct data protection assessments. The Act specifically exempts protected health information under HIPAA.

Nevada’s SB 370

Nevada’s SB 370, effective March 31, 2024, is the third state consumer data privacy law. SB 370 imposes broad restrictions on the collection, use, and sale of consumer health data. Nevada’s law does not have a private right of action and requires regulated entities to publish consumer health data privacy policies. Similar to requirements under the HIPAA Security Rule, entities regulated under SB 370 must also implement and maintain policies and practices for the administrative, technical, and physical security of consumer health data. (See EBG’s July 2023 blog on this law).

Before collecting consumer health data, regulated entities in Nevada must either (1) obtain affirmative, voluntary consent from the consumer, or (2) establish that the collection is necessary to provide a product or service the consumer has requested. No person may sell or offer to sell a consumer's health data without the consumer's written authorization.

New York’s Health Information Privacy Act (NY HIPA)

Like the Connecticut and Nevada consumer data protection laws, NY HIPA has no private right of action. Unlike Washington's law, NY HIPA does not contain numerical thresholds for what constitutes a small business. If enacted, New York's law would be broader than the Washington law in that it would apply to all entities that process health information. The law would regulate for-profit and not-for-profit entities, small businesses, and companies based outside New York that collect health data pertaining to a New York resident.

Unsurprisingly, NY HIPA has been criticized as overbroad. A chief argument against it is the potentially high compliance cost facing digital health companies. Another criticism is that NY HIPA would, if enacted, be inflexible with regard to customer authentication. By contrast, Connecticut's law establishes safeguards for the authentication of consumer requests and provides a longer time frame for responding to those requests, with the possibility of an extension.

Like Washington’s law, NY HIPA would exempt protected health information collected by HIPAA-covered entities and business associates, as well as any covered entity governed by HIPAA’s privacy, security, and breach notification rules. The bill also exempts certain information collected as part of a clinical trial.

“Most residents of the State are under the impression that HIPAA protects them and their health data from being accessed by third parties and sold by and to other organizations,” Senator Krueger wrote in a sponsor memo, noting that New Yorkers are generally unaware of how health data, including geolocation data, is collected, stored, and sold for the benefit of third parties.

Thus, “[e]lectronic apps or websites that provide a diagnosis or retain health information will be required to receive affirmative consent by the user to retain such information and would provide users the ability to rescind such consent,” Krueger stated.

If enacted, violators of the law could expect civil penalties of not more than $15,000 per violation or 20 percent of the revenue obtained from New York consumers in a fiscal year, whichever is greater.

Until Congress passes a national consumer data protection act, states continue to fulfill their role as the laboratories of democracy. Elements of these laws may very well be included in a future federal law. In the meantime, companies dealing in data must comply with a mosaic of state consumer health data privacy laws.

Epstein Becker Green Attorney Ann W. Parks contributed to the preparation of this post.

ENDNOTES

[1] See Reed Abelson and Julie Creswell, Cyberattack Paralyzes the Largest U.S. Healthcare Payment System, N. Y. Times (Mar. 5, 2024).
