Washington and Nevada have enacted first-of-their-kind consumer health data privacy laws that protect personal health data not covered by the Health Insurance Portability and Accountability Act ("HIPAA"). Both add a state-level layer of protection for health data that falls outside HIPAA, and both are likely to increase litigation and enforcement.
Effective March 31, 2024, both laws impose requirements on a new category of "consumer health data" ("CHD"), create consumer rights and protections, and expand privacy enforcement and litigation exposure.
Regulated entities and data
- Both laws apply to entities (and to data processors acting on their behalf) that conduct business in the state or provide products or services to consumers in the state and that determine, alone or jointly, the purposes and means of processing CHD. Washington's law also covers "small businesses" that meet certain consumer-count and revenue thresholds; they have until June 30, 2024 to comply.
- Protected consumers generally include state residents and individuals whose CHD is collected within the state.
- Both laws exempt certain categories of data, such as data already regulated under HIPAA and the Gramm-Leach-Bliley Act.
Main duties
- Consent and authorization to collect, share, and sell. Unless the collection or sharing is necessary to provide a product or service the consumer has requested, entities must obtain separate, affirmative consent before collecting CHD and again before sharing it. Selling, or offering to sell, CHD requires a separate consumer authorization, which is valid for one year.
- Privacy policy. Entities must publish a privacy policy with specific content, including: the categories of CHD collected; the purposes for which CHD is collected and used (and, in Nevada, shared); the sources from which CHD is collected and the parties with which it is shared; and the mechanism by which a consumer can exercise CHD rights or submit a request. Washington requires a "consumer health data privacy policy" that is distinct from the entity's general privacy policy.
- Security safeguards. Entities must implement security safeguards for CHD and restrict access to it to those who need it.
- Data processing agreements. Processing of CHD by a third-party processor must be governed by a binding contract.
- Consumer rights. Both laws give consumers essentially the same set of rights, including the right to: confirm whether an entity is collecting, sharing, or selling their CHD and to access and review that CHD; obtain a list of the third parties with which the entity has shared or sold their CHD; withdraw consent, or otherwise stop the collection or sharing of their CHD; and have their CHD deleted.
- Geofencing restrictions. Geofencing, a technique that establishes a virtual perimeter around a specific geographic location, is prohibited when used to identify or track consumers seeking health care services, to collect their CHD, or to send them health-related notifications or advertisements.
Enforcement
- Perhaps most importantly, Washington is the first state to give consumers a private right of action for CHD-related violations. Nevada, by contrast, allows enforcement only by the state.
- A violation of Washington's law is a per se violation of the Washington Consumer Protection Act and may result in damages (with treble damages available up to $25,000), costs, and attorney's fees. By opening the door to private litigation, the law ushers in a new era of privacy litigation and materially increases the risk of individual and class-action suits.
Recommendations
Given the potential for both private litigation and government enforcement, companies that collect CHD should review, and where necessary revise, their privacy policies, consumer-facing disclosures, and data collection and sharing practices, including eliminating any geofencing that the laws prohibit.