WA, NV and CT Enact Sweeping Health Data Laws, While Seven Additional States Tackle Privacy

Lawmakers in multiple states focused heavily on consumer data privacy and health data privacy this spring, as 10 states bolstered their consumer data protections by enacting new laws.

Three states—Washington, Nevada and Connecticut—led the pack by approving significant new restrictions and requirements for entities that handle consumer health data. Meanwhile, seven additional states—Delaware, Oregon, Iowa, Indiana, Montana, Tennessee and Texas—enacted more general data privacy legislation, and Florida approved a new law banning offshore storage of medical data.

Washington kicked off the busy legislative season in April with the passage of an amended version of the My Health My Data Act (HB 1155).[1] The new law, signed by Gov. Jay Inslee (D) on April 27, is set to impose “sweeping new requirements on the collection, processing, and sale of consumer health data in the state,” according to attorneys Kirk Nahra, Ali Jessani and Samuel Kane, all of whom practice with WilmerHale.[2]

“While we have seen an increased interest in the regulation of health data by the Federal Trade Commission, the My Health My Data Act would represent a novel step towards regulating health data at the state legislative level,” the three attorneys wrote shortly before the bill was signed.

The legislation imposes “robust requirements on the collection, sharing, and sale of consumer health data, including separate affirmative opt-in consent requirements for collection and sharing, as well as a distinct requirement for ‘valid authorization’ of sale,” Nahra, Jessani and Kane wrote. Most importantly, the law would be enforceable through a private right of action—potentially subjecting regulated businesses to substantial legal exposure for violations.

The Washington legislation expands on the HIPAA framework by “supplementing the limited protections for health data offered by HIPAA,” the attorneys wrote. It employs an expansive definition of “consumer health data,” which covers any “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer’s past, present, or future physical or mental health.”
