State-Level Health Data Privacy Laws in The U.S.
Health technologies, the demand for easy access to them, and the collection of personal health information all continue to expand, and the need for robust health data privacy protections is more critical than ever. In response to growing concerns about the handling of consumer health data, several states have proposed and enacted laws that establish stringent privacy requirements. This article delves into the details of the health data privacy laws in Washington and Nevada.
Washington: My Health My Data Act (MHMD)
Effective Date: March 31, 2024
In the spring of 2023, Washington became the first U.S. state to pass a health-focused privacy law that provides stronger protections for non-HIPAA health-related personal information. The My Health My Data Act (MHMD) broadens the scope of consumer privacy rights concerning health data beyond the protections offered by HIPAA and other health-related laws. One of the key provisions of the MHMD Act is the requirement for regulated entities to obtain opt-in consent before they can collect, share, or sell consumer health data.
Applicability
The MHMD Act applies to any entity that collects consumer health data, regardless of revenue or the volume of data processed. This includes health providers, wellness companies, and other businesses handling personal health information, including apps.
Consumer Rights
The MHMD Act gives consumers the right to know about and access their consumer health data, to have that data deleted, and to withdraw consent that they previously granted, at any time. Regulated entities are also required to give consumers the right to appeal any denial of a request.
Consumer Health Data Definition
The MHMD Act defines consumer health data as personal information that can identify a person’s past, present, or future physical or mental health status. This information can be linked or reasonably linkable to a consumer.
Consent Requirements
Under the MHMD Act, explicit, affirmative consent is required from consumers before collecting, sharing, or selling their health data.
- Consent to Collect: Regulated entities must ask consumers for opt-in consent unless the collection is necessary to provide a product or service that the consumer has requested.
- Consent to Share: Regulated entities must obtain separate consent to share consumer health data.
- Consent to Sell: Regulated entities must obtain a valid authorization to sell consumer health data. This authorization must be a document written in plain language that specifies the data being sold, the names and contact information of the parties involved, the purpose of the sale, and other mandatory disclosures. The consumer must sign and date the authorization.
Enforcement
The MHMD Act is enforced by the Washington Attorney General, and consumers also have a private right of action for violations of the MHMD Act.
Nevada: Senate Bill 370
Effective Date: March 31, 2024
Nevada’s SB 370 parallels Washington’s MHMD Act, focusing on enhancing privacy rights and data protection for consumer health data that may not otherwise be covered by existing federal or state legislation.
Applicability
SB 370 applies to entities that conduct business in Nevada or target Nevada consumers and that determine the purpose and means of processing consumer health data. Like the MHMD Act, SB 370 has none of the processing-volume or revenue thresholds that set the applicability of many other state data privacy laws.
SB 370 generally does not apply to persons, entities, and data whose collection and disclosure of data is already regulated by federal law. The law exempts data regulated by federal laws such as HIPAA, GLBA, and FERPA, as well as certain governmental uses.
Consumer Health Data Definition
SB 370 defines consumer health data as personally identifiable information that a regulated entity uses to identify a consumer’s health status. This information can include:
- Health conditions or diseases
- Medical interventions
- Surgeries
- Reproductive or gender-affirming care
- Biometric or genetic data
- Precise geolocation data
- Information derived from non-health data
Consumer Rights
Similar to other state-level data privacy rights, consumers are granted several rights regarding their health data, including the right to confirm whether a regulated entity is collecting, sharing, or selling their health data; the right to obtain a list of third parties with whom their health data has been shared or sold; the right to terminate a regulated entity’s collection, sharing, or selling of their health data; and the right to delete their health data.
Consumer Notice
Regulated entities must disclose their data practices via a conspicuous link on their websites, detailing categories of collected data, sharing practices, and consumer rights. This disclosure must detail the following:
- Categories of Data Collected: List the types of consumer health data collected and the sources from which this data is obtained.
- Data Sharing Practices: Specify the categories of consumer health data shared and identify the recipients of such data.
- Data Usage and Processing: Describe how consumer health data will be used and processed by the entity, including the purposes for its collection, use, and sharing.
- Consumer Rights Request Process: Outline the procedure for consumers to submit rights requests.
- Policy Change Notification Process: Explain how consumers will be informed of significant changes to the policy.
- Third-Party Data Collection: Summarize the extent to which third parties may collect consumer health data across different websites or online services.
- Policy Effective Date: State the date when the policy becomes effective.
Affirmative Consent
Entities must obtain prior affirmative consent for the collection, sharing, or selling of consumer health data.
Geofencing Restrictions
SB 370 prohibits tracking consumers with geofencing technology around healthcare facilities for purposes such as:
- Identifying or tracking consumers seeking in-person healthcare services or products
- Collecting consumer health data
- Sending notifications, messages, or advertisements to consumers related to their consumer health data or health care services or products
Enforcement
Violations constitute deceptive trade practices, investigated and enforced by the Commissioner of Consumer Affairs and the Attorney General of Nevada, but without a private right of action.
Conclusion
The health data privacy landscape in the U.S. is rapidly evolving, with states like Washington and Nevada leading the charge. Washington’s My Health My Data Act and Nevada’s Senate Bill 370 both take significant steps to extend privacy protections beyond what federal laws currently offer, addressing the unique challenges posed by health data collection and processing practices. Both laws emphasize explicit consent, consumer rights, and transparent data practices, giving individuals greater control over their personal health information. These legislative measures reflect a growing recognition of the need for robust privacy protections as health technologies continue to advance and become more integrated into daily life. As other states consider similar legislation, these laws may serve as models, contributing to a more comprehensive and cohesive approach to health data privacy across the United States.