The state laws regulating collection of health and fitness data
Posted: October 29, 2024
The rise of health and fitness tracking apps has led to the collection of vast amounts of personal data, including height, weight, heart rate, blood pressure, sleep patterns, calorie intake, and sensitive health data like menstrual cycles and medical conditions. Many consumers mistakenly believe that their data is protected under HIPAA, but this is often not the case.
Understanding HIPAA’s limitations
HIPAA does not cover all medical, health, or wellness information. Its protections are limited to “covered entities” and their “business associates” who handle “protected health information (PHI)” within “covered transactions.” Most healthcare apps and products do not qualify under these categories, leaving much of the data they collect outside HIPAA’s protections.
State-specific health privacy laws
To address these gaps, several states have enacted their own health privacy laws, which can be stricter than HIPAA:
- California’s Confidentiality of Medical Information Act (CMIA), effective January 1, 2023
- Nevada’s SB370 (NV CHD Law), effective March 31, 2024
- Washington’s My Health My Data Act (MHMDA), effective March 31, 2024
- Connecticut’s Data Privacy Act (CTDPA), amended effective October 1, 2024
These laws are collectively known as the Consumer Health Data (CHD) Laws. They regulate the broad range of health information collected by health and wellness companies.
Key provisions of CHD laws
While there are some differences between the CHD Laws, both Washington and Connecticut define CHD as “any personal data that a controller uses to identify a consumer’s physical or mental condition or diagnosis,” including gender-affirming health data and reproductive sexual health data. CHD overlaps with the definition of “sensitive information” in US state privacy laws, triggering various compliance obligations such as consent, opt-in and opt-out allowances, and data subject rights.
Common requirements across CHD laws
- Express consent: Covered entities must obtain express consent before collecting CHD.
- Privacy policy: A separate privacy policy specific to the processing of CHD must be maintained.
- Website links: A link to the CHD privacy policy must be added to the footer of websites and mobile applications.
Consumer rights under CHD laws
Each CHD Law grants specific rights to consumers regarding their CHD, separate from other data rights. For example, a consumer’s request to delete personal information under a state data privacy law does not automatically include CHD. Consumers must specifically request the deletion of CHD.
California’s CMIA
The California Confidentiality of Medical Information Act (CMIA) is one of the strictest state laws on medical information privacy and security. Recent bills have expanded its scope to include reproductive health apps and prohibit electronic disclosure of certain reproductive health information.
Applicability
- Healthcare providers
- Health plans
- Businesses handling medical information
Unlike HIPAA, which focuses on electronic records, CMIA covers all forms of medical information, including written and oral communications. It requires explicit patient consent to disclose medical information, except in emergencies or when required by law.
Washington’s My Health My Data Act (MHMDA)
Under MHMDA, consumers have the right to:
- Know how their Consumer Health Data (CHD) is collected, shared, or sold.
- Withdraw consent.
- Delete their CHD.
MHMDA prohibits the sale of CHD without a valid, clearly written authorization from the consumer, detailing:
- The specific CHD being sold.
- Seller and purchaser contact information.
- How the purchaser will use the CHD.
- Notice that services are not conditioned on signing the authorization.
- The right to revoke the authorization.
- Potential redisclosure of CHD.
- Expiration of the authorization after one year.
Applicability
- Entities conducting business in Washington or targeting Washington consumers.
Nevada’s CHD Law
Nevada’s CHD Law requires covered entities to have a CHD Privacy Policy that includes:
- Categories of CHD collected and its use.
- Collection sources.
- Shared CHD and reasons for sharing.
- Third parties with whom CHD is shared.
The policy must inform consumers about:
- Purposes of collecting, using, and sharing CHD.
- Processing methods.
- Consumer rights to review and change CHD.
- Notification of privacy policy changes.
- Third-party collection of CHD over time and across services.
Connecticut’s Data Privacy Act (CTDPA)
The CTDPA prohibits the use of geofences—virtual boundaries defined by GPS or RFID—within 1,750 square feet of mental, reproductive, or sexual health facilities. This restriction aims to protect consumer privacy by preventing location-based data collection within these areas.
Steps to compliance with CHD laws
Entities subject to CHD Laws should:
- Require express consent: Obtain active consent from consumers before collecting CHD, such as checking a box or clicking “I agree.” Passive consent (e.g., pre-checked boxes) is insufficient.
- CHD notice: Implement and display a CHD Privacy Policy on websites and mobile apps that collect CHD.
- Consumer rights notice: Clearly define consumer CHD privacy rights in the policy and provide mechanisms to exercise these rights, including correction, deletion, and opt-out options.
- Implement security practices: Establish and maintain policies to ensure the security of CHD.
- Remove geofences: Ensure compliance with geofencing prohibitions by working with IT teams.
- Revise vendor agreements: Update contracts to prohibit the sale of CHD and ensure compliance with processing requirements.
- Revise contractor agreements: Include necessary provisions regarding CHD access, use, and disclosure in contractor agreements.
- Train employees: Educate employees handling CHD on the specific requirements of the CHD Laws relevant to their roles.
As health and fitness tracking apps continue to grow in popularity, understanding and complying with state-specific health privacy laws is crucial for protecting consumer data. These laws provide a framework for safeguarding sensitive health information and ensuring consumer trust.
Read our Prescribing privacy: Patient health data research report
We spoke directly to US consumers in order to delve into the heart of consumer trust and confidence in the healthcare system’s ability to protect and uphold data, as well as attitudes toward their own understanding of healthcare data privacy…
- Factors that influence perceptions of healthcare providers’ commitment to safeguarding their data privacy
- How data breaches in the news impact their feelings
- How they evaluate a healthcare provider for data security
- Actions healthcare organizations can take to fortify trust while navigating the intricacies of data privacy