US privacy laws governing consumer health data in 2023
The United States’ approach to data privacy and security has been sectoral: standards are set for specific industries rather than by a single comprehensive privacy law covering all data types, including health data.
Unlike the EU’s comprehensive privacy law, the GDPR, the U.S. relies on a mix of laws such as HIPAA, COPPA, FERPA, and ECPA. For health data, the Health Insurance Portability and Accountability Act (HIPAA) safeguards protected health information (PHI) held by covered healthcare entities and their business associates.
The federal laws governing consumer health data in 2023
HIPAA
HIPAA is a U.S. federal law establishing national standards for protecting the privacy and security of patients’ PHI. Health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically (together with their business associates) fall under HIPAA and are required by the U.S. Department of Health and Human Services to comply with the HIPAA Privacy and Security Rules. The Privacy Rule governs the use, disclosure, and sharing of patients’ PHI, while the Security Rule specifies the administrative, physical, and technical safeguards that must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
American Data Privacy and Protection Act
A federal-level data protection law comparable to the EU’s GDPR, one that would largely preempt state privacy laws, has been discussed for decades, since the current assortment of sectoral laws creates unnecessary confusion and complexity. In June 2022, Congressional leaders released a bipartisan draft bill named the “American Data Privacy and Protection Act” (ADPPA).
The proposed ADPPA could have significant implications for the large amount of health data that falls outside the purview of HIPAA. Apart from the data types already regulated by HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH), the ADPPA would address a broad range of health-related data that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual.
This means that HIPAA-covered entities would be considered compliant with the ADPPA for data already covered by HIPAA; for other data types, they would still have to implement additional measures to meet the ADPPA’s requirements. For example, companies that collect health data through mobile applications or wearable fitness trackers would be subject to the ADPPA. If a HIPAA-covered entity collects and processes similar data as PHI, however, HIPAA’s privacy and security standards would apply rather than the ADPPA’s.
A potential conflict may also arise between the ADPPA’s standards for de-identification of data and HIPAA’s. A similar conflict arose with the amendment to the CCPA (California Consumer Privacy Act) that exempts certain data from its scope only if it has been de-identified according to HIPAA’s strict standards.
The state laws governing consumer health data in 2023
While the enactment of a comprehensive data privacy law at the federal level remains elusive, states are acting to fill the gaps in health data protection, either by amending existing laws or by passing new ones. Washington, Massachusetts, Illinois, and New York are spearheading efforts to give people greater control over their health data, focusing in particular on data types that fall outside the scope of HIPAA.
Washington: My Health, My Data Act
House Bill 1155, the WA My Health, My Data Act, has been signed into law. It is a first-in-the-nation data protection measure that, in addition to protecting the personal health data of all Washingtonians, also protects the health data of people who travel to Washington for healthcare services such as reproductive or gender-affirming care.
The WA My Health, My Data Act encompasses the following key provisions:
- Requires regulated entities (not only healthcare providers) to obtain consumer consent before collecting or sharing consumer health data, and a signed authorization before selling it.
- Gives consumers rights related to consent and preference management, such as withdrawing consent and requesting deletion of their data.
- Prohibits geofencing around facilities that provide in-person healthcare services in order to identify or track consumers seeking care.
- Requires regulated entities to publish a consumer health data privacy policy disclosing how health data is used.
For enforcement, the Act gives Washingtonians a private right of action to bring civil lawsuits, and the Attorney General’s Office can investigate violations and pursue litigation. The Act excludes government agencies, tribal nations, and contractors processing data on behalf of a government agency.
Massachusetts: Consumer Health Data Act
In February 2023, the Consumer Health Data Act (Bill H.386) was introduced in the Massachusetts House and Senate.
This Act has many provisions similar to Washington’s My Health, My Data Act. Both Acts define “consumer health data” as personal information that identifies a consumer’s past, present, or future physical or mental health status, and both require regulated entities to:
- Display a privacy policy disclosure on their homepage.
- Obtain consumer consent before any collection or sharing of consumer health data.
- Enable consumers to manage their consent, including the right to withdraw consent or request deletion of their data.
This Act deviates from the Washington Act in its enforcement mechanism by not providing a private right of action for consumers to bring suit against violators.
New York: Amendments to Privacy Standards for Electronic Health Products
In January 2023, bill S158, titled “an act to amend the general business law in relation to privacy standards for electronic health products and services and permissible data brokering,” was added to the floor calendar for a vote.
The amendment is meant to regulate software or hardware, including mobile health applications, websites, and related products or services, that is designed to maintain personal health information or to diagnose or infer a medical diagnosis in order to make personal health information available to a user or a healthcare provider. It applies to any entity, including a data broker, that offers electronic health products or services.
Like the health data protection bills introduced in other states, this bill aims to give consumers extended control over their private health information. It would govern companies involved in collecting and selling consumer health information and create a legal framework for residents to reclaim and retain control of their health information.
Provisions from the amendments, in addition to provisions similar to the above data protection bills, are as follows:
- It prohibits covered entities from engaging in data processing, geofencing, or data brokering unless the user has given explicit consent.
- It permits a user to consent to data processing or data brokering on behalf of his or her dependent minors.
- Through a private right of action, consumers can sue violators on their own behalf as well as on behalf of their dependent minors.
Illinois: Health Data Privacy Bill
Applications and programs that track vast amounts of information, from heart rate and menstrual cycles to calorie intake and sleep habits, have no obligation under existing federal or Illinois law to obtain user consent for their data collection or processing practices. Because such data is not subject to HIPAA, companies sell or share it widely without the consent of the individuals concerned.
HB 3603, introduced in February 2023, would enact the Protect Health Data Privacy Act, obliging individuals, companies, and organizations that handle health data to be more transparent about their data collection practices. It would give consumers more control over their data and require companies to obtain written consent from each consumer before engaging in data processing activities.
Conclusion
Compliance with HIPAA should not be understood as a green light to overlook all other data privacy laws. The current landscape requires healthcare organizations to track multiple changes taking place at the federal and state levels. In some cases, compliance with HIPAA equates to compliance with other, more general data privacy standards. In others, particularly for health data collected outside the HIPAA context, it does not, so healthcare organizations still need to follow new and updated state privacy laws closely to ensure their policies, procedures, and practices meet the compliance standards for every type of data they hold.
How can healthcare providers enhance transparency?
Consent management platforms help to create a sense of trust between healthcare providers and patients by providing greater transparency. Through these platforms, patients are able to take control of their personal data by viewing what information is collected, how it is being used, who has access to their data, and what they must consent to before it is shared.
What is Cassie and how does it help healthcare providers strengthen patient trust?
Cassie is a Consent and Preference Management platform for organizations processing complex, high-volume data. They rely on Cassie to build stronger customer relationships by respecting individual choices.
We believe that customers should be in control of their data. We build stronger customer relationships by respecting individual choices and driving deeper insights through enhanced preference management.
Our preference management system allows the auditable capture of brand, pricing, channel, relationship, and other important customer choices, and applies those preferences across your communication channels in microseconds. We go beyond compliance. If granular detail matters, Cassie delivers.
Cassie supports healthcare providers in meeting the stringent requirements laid out by HIPAA and the state laws above by helping them handle patient consent and personal data securely and confidentially. With Cassie, providers can:
- Support comprehensive compliance with HIPAA regulations
- Securely store patients’ personal data
- Create a detailed audit trail of all access permissions and modifications
- Track, manage, and share sensitive data securely
- Improve understanding of how patient data is used and ensure it is used appropriately
To discover how Cassie can assist healthcare providers in surpassing their compliance goals and achieving advanced levels of connected care, take a look at our healthcare sector case study.
Want to learn more about the evolution of data privacy in healthcare?
Read our Mastering data privacy and consent in healthcare guide to understand the importance of managing patient data correctly. In this guide, you will learn:
- How to maintain patient trust
- How to ensure data protection
- The challenges the healthcare sector faces around data privacy
- How Consent Management Platforms can help healthcare providers achieve their goals