Current developments on the federal and state degree exhibit that regulators are centered on defending shopper well being knowledge. Particularly, state and federal regulators wish to shut the hole between HIPAA-protected knowledge and different shopper well being knowledge. HIPAA solely regulates protected well being info maintained by lined entities resembling hospitals, clinics, well being care suppliers, pharmacies, well being plans and well being care clearinghouses, and their enterprise associates. Shopper well being knowledge collected by well being apps and related gadgets, nevertheless, isn’t essentially protected by HIPAA. For these causes, regulators have made it a precedence to guard shopper well being knowledge as know-how continues to advance.

Foley’s cybersecurity and knowledge privateness staff gives a high-level overview of current federal and state developments concerning the privateness and cybersecurity necessities for well being knowledge with a deal with applicability, knowledge sale authorizations, and geofencing.

FTC’s Proposed Adjustments to the Well being Breach Notification Rule

On June 9, 2023, the U.S. Federal Commerce Fee (FTC) issued a Discover of Proposed Rulemaking in search of public feedback on proposed adjustments to the Well being Breach Notification Rule, with a deadline to submit written public feedback on August 8, 2023. Particularly, the FTC would really like the public to share their views about how the company ought to replace the rule to replicate adjustments in know-how, resembling well being apps and health trackers, and the way shoppers use these merchandise.

On the whole, the Well being Breach Notification Rule seeks to guard shoppers’ private well being data (PHR) not topic to safety beneath HIPAA. The rule requires PHR distributors and PHR-related entities to offer discover to shoppers, the FTC, and, in instances involving 500 or extra shoppers, the media following discovery of a breach.

The proposed adjustments to the Well being Breach Notification Rule embrace revisions and additions to the definitions to make clear its software to well being apps and different applied sciences not lined by HIPAA. The proposed rule clarifies the definition of “PHR identifiable well being info” to make it clear the rule applies to well being apps and comparable applied sciences not lined by HIPAA. Additional, the proposed rule expands the definition of a “PHR associated entity” to expressly embrace organizations that supply services or products via any on-line service. The proposed rule additionally clarifies {that a} “breach of safety” consists of an unauthorized acquisition of identifiable well being info that happens because of an information safety breach or an unauthorized disclosure. Amongst different issues, the proposed rule clarifies what must be in a discover to shoppers, such because the potential hurt stemming from the breach and the names of any third events which may have acquired the data.

State Shopper Well being Information Privateness Panorama

State legislatures are additionally centered on defending shopper well being knowledge exterior the scope of HIPAA. Washington, Nevada, and Connecticut have handed shopper well being knowledge privateness legal guidelines and it’s doubtless different states will comply with swimsuit. Organizations ought to monitor these developments to grasp their compliance obligations in these states. We spotlight a few of the fascinating elements of those new legal guidelines beneath.

Washington’s My Well being My Information Act

On April 27, 2023, Washington’s Governor signed HB 1115, entitled the “Washington My Well being My Information Act” (MHMDA), a landmark shopper well being knowledge privateness regulation that goes into impact March 31, 2024, for “regulated entities,” and June 30, 2024, for “small companies.” The Washington Legislature drafted this regulation in response to the current Dobbs v. Jackson Ladies’s Well being Group choice and the 14 states that banned abortion following Dobbs.

The MHMDA applies to “regulated entities” that conduct enterprise in Washington or produce or present providers focused to shoppers in Washington and alone or collectively decide the aim of accumulating, processing, sharing, or promoting shopper well being knowledge. Notably, not like different state shopper privateness legal guidelines, the regulation doesn’t comprise a income threshold and it applies no matter whether or not a corporation collects shopper well being knowledge from a sure variety of shoppers or derives a sure proportion of income from promoting shopper well being knowledge. Additional, the regulation additionally applies to any “small enterprise” that collects, processes, sells, or shares shopper well being knowledge of lower than 100,000 shoppers or derives lower than 50% of its gross income from accumulating, processing, promoting, or sharing shopper well being knowledge, and controls, processes, sells, or shares shopper well being knowledge of lower than 25,000 shoppers. Lastly, the regulation protects Washington residents and any individuals whose knowledge is collected inside the state of Washington. As such, the MHMDA casts a large internet and can apply to almost any entity that collects, processes, shares, or sells shopper well being knowledge in Washington.

The MHMDA exempts varied entities and knowledge, resembling authorities companies, tribal nations, contracted service suppliers that course of shopper well being knowledge on behalf of presidency companies, publicly out there info, de-identified knowledge in accordance with HIPAA, worker and B2B info, info ruled by HIPAA, sure info ruled by 42 C.F.R. Half 2, info ruled by the Truthful Credit score Reporting Act, info ruled by the Gramm-Leach-Bliley Act (GLBA), and knowledge ruled by the Household Instructional Rights and Privateness Act (FERPA), amongst others. Notably, the regulation doesn’t comprise a broad entity-level exemption for HIPAA-regulated entities as these entities ought to adjust to this regulation to the extent that they keep shopper well being knowledge distinguishable from HIPAA-covered knowledge.

Moreover, the definition of “shopper well being knowledge” is outlined broadly as “private info that’s linked or fairly linkable to a shopper and that identifies the buyer’s previous, current or future bodily or psychological well being standing.” The regulation additional defines shopper well being knowledge in classes, resembling:

• Basic well being knowledge e.g., (1) particular person well being situations, therapy, illnesses, or analysis; (2) social, psychological, behavioral, or medical interventions; (3) surgical procedures or procedures; (4) use or buy of prescribed medicine; and (5) bodily features, important indicators, signs, or measurements associated to a person’s bodily or psychological well being standing
• Gender-affirming care info
• Reproductive or sexual well being info
• Biometric knowledge
• Genetic knowledge
• Exact location info
• Information that identifies a shopper in search of well being care providers
• Any info {that a} regulated entity or small enterprise, or their processor, processes to affiliate or establish a shopper with shopper well being knowledge that’s derived or extrapolated from non-health info, resembling proxy, spinoff, inferred, or emergent knowledge by any means, together with algorithms or machine studying

The scope of shopper well being knowledge is far broader than protected well being info beneath HIPAA. Notably, the regulation’s definition of biometric info consists of keystroke rhythms or patterns. As such, entities that use any sort of keystroke knowledge or comparable monitoring applied sciences ought to proceed with warning as it could be accumulating shopper well being knowledge topic to the regulation’s varied obligations.

The MHMDA locations varied obligations on organizations just like different state shopper privateness legal guidelines. Nevertheless, a few obligations are at prime of thoughts for organizations. First, regulated entities and small companies should receive authorizations from shoppers to promote their knowledge. The info sale authorization necessities are like HIPAA authorizations with just a few extra necessities, resembling that authorizations expire after one 12 months and the vendor or purchaser of shopper well being knowledge should retain a replica of all legitimate authorizations for six years from the date of its signature.

Second, the MHMDA prohibits regulated entities from utilizing geofencing round an entity that gives “in-person healthcare providers.” Beneath the regulation usually, a geofence is a digital boundary that’s 2,000 ft or much less from the perimeter of an entity that gives in-person well being care providers. The regulation broadly defines “healthcare providers” to incorporate any service used to evaluate, measure, enhance, or find out about an individual’s psychological or bodily well being. As such, nontraditional well being care entities, resembling retailers, that use geofencing know-how may probably violate the regulation if such know-how is used to serve shoppers commercials associated to their well being care or well being care providers.

Though the MHMDA goes into impact March 31, 2024, the prohibition on geofencing goes into impact July 23, 2023. Organizations that gather shopper well being knowledge in Washington have to be able to adjust to this prohibition later this month.

Nevada’s Shopper Well being Information Privateness Legislation

On June 16, 2023, the Nevada Governor signed SB 370, which creates a well being knowledge privateness regulation to guard shopper well being knowledge exterior the scope of HIPAA. Nevada’s regulation will go into impact March 31, 2024. The regulation applies to a “regulated entity” that conducts enterprise in Nevada or produces or gives services or products which can be focused to shoppers in Nevada and determines the aim and technique of processing, sharing, or promoting shopper well being knowledge. There are various varieties of entities and knowledge which can be exempt from this regulation, resembling HIPAA-regulated entities, GLBA-covered monetary establishments and associates, sure info ruled by 42 C.F.R. Half 2, info ruled by FERPA, de-identified knowledge in accordance with HIPAA, publicly out there info, info that’s used to offer entry to or allow gameplay, and knowledge used to establish the buying habits or pursuits of a shopper, amongst others. Just like the MHMDA, Nevada’s regulation protects Nevada residents and any individual whose shopper well being knowledge is collected in Nevada.

Nevada’s regulation defines “shopper well being knowledge” as “personally identifiable info that’s linked or fairly able to being linked to a shopper and is utilized by a regulated entity to establish the well being standing of the buyer.” Just like the MHMDA, Nevada’s regulation additional defines shopper well being knowledge in classes and consists of, with out limitation:

• Basic well being knowledge e.g., (1) any well being situation or standing, illness, or analysis; (2) social, psychological, behavioral, or medical interventions; (3) surgical procedures or different health-related procedures; (4) the use or acquisition of medicine; and (5) bodily features, important indicators, or signs
• Gender-affirming care
• Reproductive or sexual well being care
• Biometric knowledge
• Genetic knowledge
• Exact location info
• Any shopper well being knowledge that’s derived or extrapolated from info that’s not shopper well being knowledge, together with however not restricted to, proxy, spinoff, inferred, or emergent knowledge derived via an algorithm, machine studying, or some other means

Nevada’s regulation accommodates sure exemptions, obligations, and prohibitions, that are fairly just like the MHMDA. Nevada’s regulation requires written knowledge sale authorizations just like the MHMDA and accommodates a prohibition on geofencing. The regulation prohibits any individual from utilizing geofencing know-how “inside 1,750 ft of any medical facility” for the aim of monitoring shoppers, accumulating shopper well being knowledge, or sending notifications, messages, or commercials to shoppers associated to their well being knowledge.

Connecticut Amends the Connecticut Information Privateness Act to Embody Shopper Well being Information Privateness

On June 26, 2023, the Connecticut Governor signed off on an modification to the Connecticut Information Privateness Act (CTDPA) centered on shopper well being knowledge, amongst others. Initially, the modification associated to shopper well being knowledge was set to enter impact July 1, 2023, however the Connecticut legislature lately handed the state funds invoice, delaying the efficient date of the buyer well being knowledge provisions. These provisions will now go into impact October 1, 2023. The modification is just like the MHMDA in varied methods and beneath we spotlight a pair key necessities.

The modification to the CTDPA seeks to guard “shopper well being knowledge,” which incorporates any private knowledge {that a} controller makes use of to establish a shopper’s bodily or psychological well being situation or analysis. Just like the MHMDA, the CTDPA modification additional defines shopper well being knowledge in classes, together with gender-affirming well being knowledge and reproductive or sexual well being knowledge. Additional, the CTDPA exempts varied entities and knowledge from its scope, as we beforehand addressed.

Once more, just like the MHMDA, the CTDPA modification additionally accommodates a prohibition on geofencing. The regulation now prohibits any individual from utilizing a geofence to ascertain a “digital boundary inside 1,750 ft of any psychological well being facility or reproductive or sexual well being facility for the aim of figuring out, monitoring, accumulating knowledge from or sending any notification to a shopper concerning the buyer’s well being knowledge.” As such, organizations that use geofencing or want to use geofencing know-how should decide the needs for which it’s used, together with focused promoting.

Key Takeaways

As a result of elevated focus of federal and state regulators on defending shopper well being knowledge exterior the scope of HIPAA, organizations want to observe these developments in the event that they gather well being knowledge as these new necessities will doubtless require updates to their privateness compliance applications. Particularly, to get began, organizations ought to conduct an information mapping train and assess how they gather, course of, promote, or share well being knowledge to find out if their present operations will have to be adjusted to satisfy these new compliance obligations. As we solely highlighted just a few of the brand new necessities, organizations that course of any shopper well being knowledge ought to evaluation these new legal guidelines absolutely and repeatedly comply with the altering panorama on this area.

For extra details about complying with the Well being Breach Notification Rule or state shopper well being knowledge privateness legal guidelines, please contact any of the companions or senior counsel in Foley & Lardner’s Cybersecurity and Information Privateness staff.

The authors gratefully acknowledge the contributions of Lauren Hudon, a pupil at Marquette College Legislation Faculty and 2023 summer season affiliate at Foley & Lardner LLP.