How States Have Approached Consumer Health Information After Dobbs
The U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization marked a turning point for American health data privacy, with many stakeholders and lawmakers pursuing legislation that would offer new protections for Americans’ sensitive health information. Attempts were made federally via FTC enforcement actions and Congressional hearings, but two recent state statutes from Washington and Nevada are leading the policy shift. In April 2023, Washington Governor Inslee (D) signed the My Health My Data Act (MHMD) and in June 2023, Nevada Governor Lombardo (R) signed Senate Bill 370 (SB 370) into law.
The MHMD is arguably the most far-reaching consumer privacy legislation since the 2018 California Consumer Privacy Act (CCPA). It introduces a new legal framework to regulate the collection, use, and transfer of “consumer health data”, for which it adopts a broader definition than any legislation has done to date. MHMD was designed post-Dobbs to supplement the federal health data protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), expanding the scope of protected health data beyond that handled by hospitals and healthcare providers. Furthermore, the Act claims to protect individuals seeking care at Washington reproductive health and gender-affirming care clinics from facing harassment through messages and advertisements sent to their mobile devices using geofencing technology. However, MHMD’s significant breadth and applicability, and its vastly more stringent requirements, go beyond merely filling in the gaps left by federal law. This will have profound implications for how personal data is handled between HIPAA-covered entities and other types of entities.
- Scope (Data)
- Scope (Regulated Entities and Consumers)
MHMD applies to organizations handling covered data related to Washington State, both within and outside its borders. Regulated entities doing business in Washington or targeting products/services at its consumers are obliged to comply, even if their actions simply involve accessibility from Washington or advertising in the state. The law covers businesses and nonprofits of any size that process consumer health data within Washington, defining a “consumer” as any individual whose health data is affected within the state. Hence, MHMD is likely to apply to any “consumer health data” that is accessed in, travels through, or is stored in Washington State.
MHMD lacks the common exceptions for product improvement, repair, product recalls, and internal operations that are in line with consumer expectations. It also does not exempt entities covered by other legal regimes such as HIPAA, GLBA, and FERPA; it exempts only the data those regimes regulate. By excluding data used for public interest research from the definition of “consumer health data” instead of creating a specific exception for research, data shared with researchers could potentially be processed, transferred, and sold to other entities without being subject to MHMD’s requirements.
Lastly, but notably, the bill allows for a full private right of action in addition to Attorney General enforcement, with presumptions benefiting plaintiffs; this has not been the approach in other data privacy laws. Consumers may seek injunctions and recover actual damages, and the court may also award treble damages of up to $25,000. Under MHMD, consumers have the right to:
- confirm whether the regulated entity is collecting, sharing or selling their consumer health data;
- access the consumer health data;
- obtain a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and an active email address or other online mechanism to contact these third parties;
- withdraw consent; and
- delete their consumer health data.
If any of these rights are breached, there is ample opportunity for consumer recourse. For regulated entities, many of MHMD’s data privacy provisions will go into effect on March 31, 2024. For small businesses, those provisions go into effect June 30, 2024.
On June 16, 2023, Nevada SB 370 was signed into law by Governor Lombardo, making Nevada the second state, after Washington, to pass broad-based consumer health data privacy legislation this session. The Act will take effect on March 31, 2024.
SB 370 and MHMD employ similar frameworks for safeguarding personal health data, each restricting the disclosure of personal health data to third parties and curtailing the use of geofencing to collect information from or target content to people entering health care facilities. SB 370, however, employs a narrower, use-based definition of “consumer health data” than MHMD, and applies to a narrower scope of covered entities, excluding HIPAA- and Gramm-Leach-Bliley Act (GLBA)-covered entities.
SB 370 is generally more business-friendly, offering greater flexibility regarding access and deletion requests. It permits consumers to ask for a list of third parties with whom a regulated entity shares their consumer health data, but unlike MHMD, it does not provide individuals with the right to access a copy of their health data held by the regulated entity. SB 370 allows regulated entities up to two years to fulfill deletion requests for consumer health data in archival or backup systems, compared to MHMD’s six-month allowance for such requests. SB 370 is solely enforceable through the state Attorney General, with no private right of action.
- For Businesses: broad applicability to businesses of all sizes and types
MHMD establishes a category called “small businesses” for regulated entities that either (a) handle consumer health data of fewer than 100,000 consumers per year, or (b) derive less than 50% of gross revenue from such data and control or process data of fewer than 25,000 consumers. Qualifying as a small business results in only a three-month delayed effective date compared to other regulated entities. The enforcement provisions, along with the ambiguous and challenging compliance standards, are likely to lead to a surge of costly and disruptive lawsuits. Organizations of all sizes, even those that operate primarily outside of Washington, must carefully consider this risk while devising their compliance strategies to minimize the potential for litigation and nuisance claims.
- For Consumers: strong consent-based requirements and privacy rights
Because of MHMD’s “notice and consent” structure, it is crucial for individuals to assess whether their data falls under the scope of MHMD and to understand the rights granted to them under the Act. By being aware of the specific provisions and protections offered, individuals can make informed decisions regarding the handling of their personal health data and exercise their rights effectively when faced with new menus of consent options online. This knowledge empowers individuals to take control of their data privacy and ensure that their information is handled in accordance with their preferences and needs.
- For Policymakers: comprehensive federal legislation taking existing frameworks into account
The Dobbs decision and technological advancements have converged to usher in a new era of health data policy, taking into account online activity that may not have implicated sensitive health information in the past. In response, policymakers working on these issues should consider not only the scope of new health privacy legislation, but also how new regulations will interact with existing frameworks, including the sensitive data protections established under the various state comprehensive privacy laws.
Furthermore, despite the protections created by these laws, they are limited to their two respective states of origin. If policymakers seek to properly safeguard health information for all Americans, they should work towards comprehensive federal privacy legislation. A federal approach would provide consistent consumer protections, which would in turn help consumers understand their privacy rights and reduce compliance difficulties for businesses facing a growing patchwork of state laws.