States Look to Strengthen Protections for Consumer Health Data Post-Dobbs

The Supreme Court’s ruling in the Dobbs decision, which overturned Roe v. Wade and Casey v. Planned Parenthood and eliminated the constitutional right to an abortion, permitted states to regulate access to abortion services. Since the Supreme Court issued its opinion on June 24, 2022, privacy, consumer and reproductive health care advocates have raised concerns about the impact the decision has already had, and will continue to have, on the use of consumer health data from apps and websites, including the potential for collection and sharing of such data without consumers’ permission or knowledge, or for the use of such data for targeted advertising purposes. For more background on these concerns, see Tech Companies Need to Prepare for the Data Privacy Implications of Dobbs v. Jackson Women’s Health Organization.

Despite widespread belief to the contrary, a significant amount of consumer health-related information is largely unprotected under existing federal privacy laws. For example, the Health Insurance Portability and Accountability Act (HIPAA) applies only to health information that is transmitted, maintained, stored, or disclosed by “covered entities” and their “business associates” as defined by the act. Most businesses collecting consumer health information through wearable technology, websites and applications do not fall under these categories and are, therefore, not within the scope of HIPAA protection. It is important to note that the lack of protection for health information that falls outside of HIPAA’s reach existed prior to the Dobbs decision and was not, as was rumored immediately after Dobbs, a result of the decision. In response to concerns about perceived gaps in privacy protections for what is arguably among the most sensitive categories of information, some states have proposed legislation that would create new or additional privacy protections for consumer health information. These states include:

  • Washington: In January 2023, companion bills on the Washington My Health, My Data Act were introduced in the Washington State House (HB 1155, referred to the Civil Rights & Judiciary Committee) and in the Senate (SB 5351, referred to the Law & Justice Committee). If passed, the new law would impose stringent obligations on regulated entities (broadly defined as entities that collect, share or sell consumer health data and determine the purpose and means of the processing) concerning the collection, sharing and use of a broad range of consumer health data. The proposed obligations include (i) maintaining and publishing a consumer health data privacy policy; (ii) adhering to data security standards; (iii) only collecting or sharing consumer health data with consumer consent or as strictly necessary to provide a requested service; and (iv) giving consumers the right to delete their health data and to revoke consent to a business’s collection and sharing of consumer health data. The proposed Washington law would further prohibit the sale of consumer health data and the use of geofences to send unsolicited messages to persons at health facilities. The law would be enforceable under the state’s Consumer Protection Act.
  • New York: In January 2023, SB 158 was introduced in the New York Senate. If passed, the new law would require businesses offering electronic health products or services (broadly defined to include software, hardware, mobile applications, websites and related products or services) to obtain affirmative and express consent from users prior to the processing of their personal health information. Additionally, businesses would be required to provide consumers with an effective mechanism to revoke their consent at any time after it has been given. The proposed law also contains a private right of action.
  • Virginia: Lawmakers have introduced companion bills HB 2219 and SB 1432, which are currently pending committee referral. These bills propose amendments to existing legislation to increase privacy protections of health records collected through the use of wearable technology, online applications and websites, and the use of aggregated consumer health information. Among other things, the legislation expands the definition of a “covered entity” to include any entity that collects consumer health information, and would require that such entities post a comprehensive consumer-facing privacy policy. The proposed legislation would also require that covered entities develop a policy which prohibits re-identification and re-association of aggregated consumer health information. Additionally, covered entities would need to receive express opt-in consent from consumers prior to collecting such health information. The Virginia law would also restrict the collection, use or disclosure of health information for any purpose other than the purpose for which the data was originally collected.

Other states, such as Illinois (SB 1601), Maryland (HB 995 and SB 790), and Massachusetts (companion bills HD 3855 and SD 2118), are also considering similar laws to add further legal protection to sensitive health information and require that consumers have greater control over their information. We expect other states will also propose new laws in the near future. As such, businesses that handle consumer health information should closely monitor the trajectory of state health data privacy bills.