State Laws, FTC Rules Are Changing Privacy Compliance Landscape; Some AI Regs Are Here

By Jane Anderson

The health care privacy landscape is expanding rapidly beyond HIPAA, and compliance professionals should consider new state laws and enforcement actions as well as proposed regulations from the Federal Trade Commission (FTC), two attorneys said.

The definition of “health data” has grown to include data not covered by HIPAA, and state and federal policymakers are taking action to protect the privacy of that data, according to Alice Leiter and Brandon Reilly, attorneys with Manatt, Phelps & Phillips LLP.

“We’ve got this increasing movement from the HIPAA universe to the non-HIPAA universe,” Leiter explained. Even artificial intelligence (AI) and machine learning (ML) are starting to be regulated.

Wearables, health equipment and health apps come to mind as having non-HIPAA-covered health data, but the scope of this data is much broader, Leiter and Reilly said at a webinar sponsored by the HCCA Sept. 28.[1] “Increasingly, almost any data point really could be considered health data, especially when it’s combined with another data point,” Leiter said. “An example of that would be geolocation data, which on its face might not seem like health data, but if the geolocation data is showing you visiting a health clinic, and particularly a specific kind of health clinic, such as a reproductive health clinic or a mental health or a substance abuse facility, you can see how quickly that enters the realm of consumer health data.”

States on the Front Lines

Most privacy professionals are familiar with the California Consumer Privacy Act of 2018, but lawmakers in many states have focused on data privacy, Leiter said. A dozen states have passed laws that protect consumer data, which can include non-HIPAA-covered health information, she said. These include:

  • Four states with laws in effect currently (California, Colorado, Connecticut and Virginia);

  • Four states with laws that will take effect late this year or in the middle of next year (Utah, with an effective date of Dec. 31; and Oregon, Tennessee and Texas, with effective dates of July 1, 2024); and

  • Four states with laws that will take effect in late 2024 or later (Montana, with an effective date of Oct. 1, 2024; Iowa and Delaware, with effective dates of Jan. 1, 2025; and Indiana, with an effective date of Jan. 1, 2026).

These laws apply to all industries. In addition, Connecticut, Nevada and Washington state have approved consumer privacy laws specific to health data, Reilly said, noting that the Connecticut law already has taken effect, while the Washington and Nevada laws will go live in spring 2024.

The laws vary in how they exempt HIPAA-related data and treat HIPAA-covered entities and business associates. “What also varies across these laws is whether, and to what extent, health and medical information might be included in a definition of what’s often called sensitive personal information or sensitive personal data,” Reilly explained. “There are also special state requirements for the handling of PHI [protected health information] that’s been de-identified under HIPAA.”

Finally, many more states are considering legislation that would protect consumer data, including non-HIPAA-covered consumer health data, Leiter said.

Overall, the landscape is becoming very complicated, Reilly said. In the three states that have legislation specific to health data—Connecticut, Nevada and Washington—“the definitions of consumer health data across all of these laws are quite expansive … in that they don’t just pertain to what we traditionally would think about information about an individual’s health condition or their heath treatment. They also pertain to information that reveals a health condition or diagnosis and information that can be used to identify or extrapolate a health condition or diagnosis.”

Therefore, he said, “data is regulated even if it does not start as something that would be considered health data, but would allow you to make an inference about someone’s health condition.” For example, if web tracking technology shows that a person reads an ad or an article on diabetes treatment, then big data tools can infer the person has been diagnosed with diabetes, Reilly said. “The fact that the individual just browsed that advertisement or that article is itself potentially consumer health data.”

The laws also require informed consent, Reilly said. “It has to be captured separately for different purposes.” Finally, these three laws require separate and detailed privacy notices. “In Washington, in particular, they’re very clear that you need a separate privacy notice that addresses specifically consumer health data,” he said.

The dozen state laws that aren’t health-care specific offer various exceptions for covered entities and business associates, Reilly said. In California, for example, HIPAA-covered entities are exempt from the law to the extent they handle PHI and if they handle non-PHI in the same manner as PHI, he said.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings