How Digital Health Companies Navigate the Patchwork of State Data Privacy Laws

September 28, 2023 - Navigating compliance with HIPAA, the Federal Trade Commission (FTC) Act, and other major statutes is a complex process for any organization. However, these laws apply nationwide, making it easier for organizations that operate in multiple states to maintain compliance.

A recent surge in newly enacted data privacy laws at the state level may further complicate compliance activities, as no two laws are exactly the same. From general data privacy laws to the industry-specific My Health, My Data Act passed in Washington, the sheer number of these laws and the compliance complexities that come with them cannot be ignored.

“We've had seven new general privacy laws just in 2023, almost all of those in the last six months. Then you throw in Washington and Nevada on top of that, that's nine new laws for these folks in nine months,” said Roy Wyman, attorney and member at Bass, Berry & Sims.

“In any general area of the law, it's very rare that you'll have more than one law come up in a year. There are areas of the law like real estate where you may never see a new statute in your lifetime or in your career. It's incredibly complex and that just adds to the expense of compliance for all these companies.”

While HIPAA-covered entities have familiarized themselves with the complexities of HIPAA over the past 25 years, there will be a significant learning curve for digital health companies, which are not subject to HIPAA, to adjust to new legal requirements.

Assessing the Patchwork of State Data Privacy Laws

According to data from the International Association of Privacy Professionals (IAPP), a dozen states have enacted comprehensive privacy laws, including California, Colorado, Connecticut, Texas, and others.

These acts are all slightly different, but many are based on the California Consumer Privacy Act (CCPA), which went into effect in January 2020. The CCPA gave consumers the right to know how companies use their data and the right to opt-out of the sale or sharing of their personal data. Essentially, consumers in many states now have more control and agency over how their personal data is used.

In addition to these more comprehensive state laws, some states have passed specific laws that pertain to health data. For example, in 2021, Connecticut Governor Ned Lamont signed An Act Concerning Data Privacy Breaches into law. This action amended Connecticut’s existing data breach law to further protect patient data and medical information.

In May 2023, Washington state Governor Jay Inslee signed the My Health My Data Act (House Bill 1155) into law, bolstering health data protections for Washingtonians.

“Information related to an individual's health conditions or attempts to obtain health care services is among the most personal and sensitive categories of data collected. Washingtonians expect that their health data is protected under laws like the Health Information Portability and Accountability Act (HIPAA). However, HIPAA only covers health data collected by specific health care entities, including most health care providers,” the law states.

“Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections. This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers' health data.”

As such, the Washington law aims to modernize the state’s consumer protection framework by giving individuals to right to withdraw consent, request data deletion, and prohibit the collection and sharing of health data without consent.

In July, Nevada joined Connecticut and Washington in enacting a health data-specific privacy law. Nevada’s Consumer Health Data Privacy Law (SB 370) goes into effect in March 2024 and is similar in many ways to Washington’s My Health My Data Law.

Wyman described the Washington and Nevada laws as “the biggest change” to entities in the digital health space.

“Those laws are going to be very impactful because they are not limited like in some state laws where you have to have a certain number of consumers in that state touched,” Wyman explained. “For example, if you are offering an app that involves the collection of healthcare information and you have one user in the state of Washington or have any sort of targeting into the state of Washington, then potentially you're going to be covered by the statute.”

While HIPAA often serves as a preemption to these state laws, digital health companies not covered by HIPAA will potentially have to navigate compliance with different state laws, all with their own legal nuances.

“No two of these state laws are identical,” Wyman added. “The general privacy laws, the ones dealing with healthcare services specifically for those that are not covered entities are even more far-reaching and very different in their approach. And so, every compliance program is trying to figure out how to address it and how to deal with the different states.”

While these laws may present upfront compliance complexities for entities across the country, there are systems that organizations can put in place now to help them better manage compliance in the future.

What Can Digital Health Companies Do to Maintain Compliance?

“I think the most critical first step regardless is a data map,” Wyman suggested. “By that I mean having a spreadsheet or a diagram or something that shows all of the places where you collect personal information.”

The data map should show where that data lives on the company’s systems, the people and companies that it discloses data to, and plans for destroying that data. Essentially, organizations should have pre-defined processes for data retention, disclosures, and the entire lifecycle of each piece of data.

With a data map in place, digital health companies will be enabled to run data impact assessments, Wyman added. Data impact assessments are required by some of the state laws and can help entities determine how sensitive and vulnerable certain data is, and whether the value of maintaining that data outweighs the risks.

One of the last actions should be drafting the organization’s privacy policies, Wyman suggested. Privacy policies should be directly informed by the data maps and data impact assessments so that they are a true reflection of how data flows throughout the business. But companies should be warned, Wyman said.

“If you put out a privacy policy and your privacy policy turns out to be incorrect, at that point, the FTC can come in and say that that was an unfair trade practice under Section 5 of the FTC Act and go after you, so you've turned a state law issue into an FTC issue and made it worse,” Wyman noted.

“It's important that to take all of these steps, but it's also important that you do it in an order where you aren't wasting resources or accidentally creating additional risks.”

What About a Federal Data Privacy Law?

The patchwork of state-level privacy laws begs the question – why is there not a single, all-encompassing, federal data privacy law? It is a question that remains on the minds of data privacy experts across the country.

“I get asked that a lot,” Wyman admitted. “Obviously it depends on the law itself. A bad statute isn't going to make anything much better. But it's just so complex that yes, the federal government should step into the space and clarify it, and it should preempt the state laws. Otherwise, it's just incredibly wasteful and begging for folks to accidentally violate the law when they're doing their best to try and comply.”

In 2022, legislators introduced the promising American Data Privacy and Protection Act (ADPPA), the latest attempt at nationwide data privacy legislation. The House Committee on Energy and Commerce advanced the ADPPA to the full House of Representatives with a 53-2 vote, but progress on moving the legislation along has since halted.

Time will tell if a comprehensive, nationwide data privacy law is on the horizon. In the meantime, companies will have to focus on complying with a series of state laws aimed at protecting sensitive data and shielding consumers from harm.