
USA: Comparison of Nevada and Washington health data laws

In this Insight Article, Jennie Cunningham, from Kilpatrick Townsend & Stockton, explores the evolving landscape of health data privacy regulations in the US, with a focus on Washington's My Health My Data Act (the Act) and Nevada's Senate Bill No. 370 for An Act relating to data privacy (SB 370), both of which expand data protection beyond federal law standards.


The US currently has a statutory framework in place to protect health information through the Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Rule. However, it is important to note that HIPAA contains numerous exceptions and does not apply broadly outside the healthcare provider, carrier, and health plan contexts. Several US states have begun to regulate health-related personal data in a more comprehensive manner. These state laws generally include provisions and additional responsibilities for protecting sensitive personal data such as health information.

One notable example is Washington's Act, which, while not a comprehensive privacy law itself, offers very broad definitions of health data and covered organizations and has the potential to have a substantial impact on privacy in the US, particularly as it aims to close the void left by federal privacy laws like HIPAA in the post-Dobbs era.

Modeled on Washington's Act, Nevada also passed a consumer health data privacy bill, SB 370, in June 2023.

Key terms and concepts

Scope

The Act applies to any regulated entity that conducts business in Washington, produces or provides products or services targeted to Washington consumers, and, solely or with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data. The Act also applies to small businesses, meaning entities that collect, process, sell, or share the health data of fewer than 100,000 consumers per year, or that derive less than 50% of their gross revenue from the collection, processing, selling, or sharing of consumer health data and control, process, sell, or share the consumer health data of fewer than 25,000 people. Finally, the Act applies to processors that process consumer health data on behalf of a regulated entity or small business (Section 3 of the Act).

SB 370 applies to any regulated entity that conducts business in Nevada, produces or provides products or services targeted to Nevada consumers, and, solely or with others, determines the purpose and means of processing, sharing, or selling consumer health data (Section 15 of SB 370). SB 370 also applies to processors that process consumer health data on behalf of a regulated entity (Section 14 of SB 370). It is worth noting that SB 370 does not contain separate provisions for small businesses.

'Consumer health data' is broadly defined in Section 3 of the Act as personally identifiable information that is linked or reasonably capable of being linked to a consumer that identifies the consumer's past, present, or future physical or mental health status. SB 370 has a slightly narrower definition of 'consumer health data' as it covers data that the entity uses to identify the person's health status, and thus appears to be geared toward entities that have a business use for the data (Section 8 of SB 370). The Act provides examples of types of data that constitute physical or mental health status. These examples include:

  • individual health conditions, treatment, diseases, or diagnosis;
  • social, psychological, behavioral, and medical interventions;
  • health-related surgeries or procedures;
  • use or purchase of prescribed medication;
  • bodily functions, vital signs, symptoms, or measurements of anything in the list;
  • diagnoses or diagnostic testing, treatment, or medication;
  • gender-affirming care information;
  • reproductive or sexual health information;
  • biometric data;
  • genetic data;
  • precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;
  • data that identifies a consumer seeking health care services; or
  • health data derived, extrapolated, or inferred from non-health data (including via algorithms or machine learning).

The Act excludes personal information used in public-interest research that is approved, monitored, and governed by an institutional review board; information used for public health purposes and activities only; personal information covered by HIPAA, the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act of 1970 (FCRA), and the Family Educational Rights and Privacy Act of 1974 (FERPA); and information originating from a HIPAA-covered entity or business associate (Section 12 of the Act).

In Section 8 of SB 370, 'consumer health data' is defined as personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present, or future health status of the consumer.

Section 8 of SB 370 also provides a list of examples of 'consumer health data.' These include information relating to:

  • any health condition or status, disease, or diagnosis;
  • social, psychological, behavioral, or medical interventions;
  • surgeries or other health-related procedures;
  • the use or acquisition of medication;
  • bodily functions, vital signs, or symptoms;
  • reproductive or sexual health care;
  • gender-affirming care;
  • health-related biometric data or genetic data;
  • precise geolocation information that a regulated entity uses to indicate an attempt by a consumer to receive health care services or products; and
  • health data derived, extrapolated, or inferred from non-health data (including via algorithms or machine learning).

As with the overall definition, the examples include geolocation data that is used to determine certain health information. However, the definition also includes 'information relating to' geolocation. Biometric and genetic information is consumer health data only when it is related to consumer health information, which differs from the provisions in the Act.

Section 10 of SB 370 contains an exclusion for certain types of data, including:

  • information used for certain research purposes;
  • information used for public health purposes;
  • personally identifiable data covered by FCRA and FERPA; and
  • health data collected and shared as authorized by other state or federal laws.

Unlike the Act, SB 370 also excludes information used to provide access to or enable video gameplay; and information used to identify the shopping habits or interests of a consumer, if not used to infer health information (Section 8 of SB 370).

Exemptions

Section 3 of the Act exempts government agencies, service providers contracted by a government agency, and tribal nations. It also excludes HIPAA-covered data, rather than entities (Section 12 of the Act).

SB 370 contains exemptions for HIPAA and GLBA-covered entities, law enforcement agencies and activities; and the contractors of law enforcement agencies, among other specific exclusions (Section 20 of SB 370).

Private right of action

The Act features a private right of action, whereas SB 370 does not.

Prohibitions

The Act, effective as of July 23, 2023, makes it unlawful to utilize a geofence around a facility that provides 'in-person health care services' (Section 10 of the Act). This prohibition applies where the geofence is used to:

  • identify or track consumers getting healthcare services;
  • collect health data from consumers; or
  • send consumers notifications, messages, or advertisements related to their health data or healthcare.

The Act defines a geofence as a virtual boundary within 2,000 feet of the perimeter of the facility's physical location (Section 3 of the Act).

SB 370 prohibits geofencing medical facilities, facilities for the dependent, or any other person or entity that provides in-person health care services or products. This prohibition applies where the geofence is used for the same purposes as under the Act. However, the prohibition is slightly narrower than the Act's, as SB 370 defines a geofence as a virtual boundary with a radius of 1,750 feet around the facility's specific physical location (Section 31 of SB 370).

Requirements

The Act and SB 370 have similar requirements for impacted entities, including a consumer health data privacy policy, signed authorization for the sale of consumer health data, and other enhanced consumer rights.

Regulated entity obligations

The Act and SB 370 require the following of regulated entities:

  • maintaining a consumer health data privacy policy (Section 4 of the Act and Section 21 of SB 370). The Act further requires the entity to make specific disclosures about its handling of consumer health data, follow its policy/disclosures, and prominently publish a link to the policy on the homepage. SB 370 also requires certain disclosures and the policy must clearly and conspicuously describe those disclosures. The policy must also be accessible via a conspicuous link on the homepage. Disclosures include categories of data, sources, recipients, purposes, how data subjects can exercise their rights, and other information;
  • restricting access to consumer health data (Section 7 of the Act and Section 28 of SB 370). The Act restricts access to necessary employees, processors, and contractors; SB 370 restricts access to employees and processors only;
  • establishing, implementing, and maintaining reasonable data security practices (Section 7 of the Act) and policies (Section 28 of SB 370). The practices and policies must at least meet industry standards in both cases. SB 370 requires at a minimum for the policies to also meet certain state law requirements where applicable. It is reasonable to infer that due to this and the access restriction obligations, regulated entities also have a duty to implement contracts with their processors;
  • establishing a consumer appeals process (Section 6 of the Act and Section 27 of SB 370) to appeal individual rights request denials, similar to the individual rights request process. Entities in each case have 45 days to respond; and
  • non-discrimination (Section 5 of the Act and Section 33 of SB 370) for exercising data subject rights. The Act prohibits unlawful discrimination. Discrimination is not currently further defined in SB 370.

Processor obligations

The Act and SB 370 require processors:

  • to only process consumer health data pursuant to a contract between the processor and the regulated entity. The contract must include processing instructions and restrictions on the processor. In the case of the Act, the contract must be binding and the processing must also be consistent with the instructions, although it is not clear if the terms were left out of SB 370 intentionally (Section 8 of the Act and Section 29 of SB 370); and
  • to assist regulated entities in fulfilling their obligations under the law. Assistance under the Act specifically includes appropriate technical and organizational measures (Section 8 of the Act and Section 29 of SB 370).

Consent

Processing of consumer health data requires consent for collection or sharing unless it is necessary to perform a service or provide a product requested by the consumer. Consent is necessary under the Act for the collection or sharing of consumer health data; collection, use, or sharing of additional categories of consumer health data; or collection, use, or sharing for secondary purposes (Sections 4-5 of the Act). Consent is necessary under SB 370 under the same circumstances, as well as for sharing of consumer health data with additional third parties or affiliates (Sections 21-22 of SB 370).

Consent is defined under the Act, while under SB 370, consent is only qualified as being 'affirmative' and 'voluntary.' The Act defines 'consent' as a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement. Consent cannot be obtained through a consumer's:

  • acceptance of a general or broad terms of use;
  • hovering over, muting, pausing, or closing a piece of content; or
  • agreement obtained through the use of deceptive designs (Section 3).

The sale of consumer health data under the Act requires a separate 'valid authorization' that meets specific requirements and is signed by the consumer (Section 9 of the Act). Similarly, under SB 370, the sale of consumer health data requires separate 'written authorization' that meets specific requirements, is drafted in plain language, and is signed by the consumer (Section 30 of SB 370).

Individual rights

The Act and SB 370 both grant individuals:

  • the right to confirm whether a regulated entity (or a small business) is collecting, sharing, or selling the person's health data;
  • the right to withdraw consent to a regulated entity's collection or sharing of their health data (or, in the case of SB 370, its selling of that data);
  • the right to access certain information. In the case of the Act, the right is to access health data held by a regulated entity, along with a list of all third parties and affiliates with whom the regulated entity has shared or sold that data and contact information for each. In the case of SB 370, the right to access does not include a copy of the data itself, but rather just a list of all third parties with whom the regulated entity has shared, or sold, consumer health data relating to the consumer; and
  • the right to delete the person's health data. In the case of the Act, the entity must delete the data from all records, including archives and backups, and notify all affiliates, processors, contractors, and other third parties with whom the regulated entity has shared consumer health data of the deletion request. Under SB 370, the entity has 30 days to delete the data from its records and network, but up to two years for data stored on archives or backups, if the delay is necessary to restore such systems. The entity must also notify the same third parties as the Act (Section 6 of the Act and Sections 22 and 24-26 of SB 370).

Under the Act, entities have 45 days (extendable once) to respond to a rights request, counted from the time of receipt, while under SB 370 entities have 45 days (extendable once) counted from the time the request is authenticated. Extensions are allowed under both laws when reasonably necessary.

Effective dates

The effective dates for the Act were drafted in a somewhat ambiguous manner, but the obligations are intended to impact larger companies first. The prohibition on geofencing in Section 10 was effective for everyone as of July 23, 2023. Regulated entities that are not small businesses must comply with the entirety of Sections 4 through 9 from March 31, 2024. Small businesses, as defined in the Act, must comply with the entirety of Sections 4 through 9 from June 30, 2024.

The effective date for SB 370 is March 31, 2024.

Enforcement

Violations of the Act are considered unfair or deceptive trade practices under the Washington Consumer Protection Act (WCPA) (Section 11 of the Act). Similarly, violations of SB 370 are considered unfair or deceptive trade practices under the Nevada Consumer Protection Act (NCPA) (Section 34 of SB 370). Each state's respective consumer protection act allows enforcement by the Attorney General (AG). As noted, the Act allows for a private right of action under the WCPA, while SB 370 specifically does not (Section 34 of SB 370).

The private right of action in Washington allows for injunctive relief and actual damages, with treble damages possible. The AG may in each case pursue injunctive relief and monetary damages for restitution and legal costs. In Nevada, administrative fines are also possible.

Jennie Cunningham, Associate
Kilpatrick Townsend & Stockton LLP, New York
