Hogan Lovells | 2024 Life Sciences and Health Care Horizons | Privacy and Cybersecurity
States are reining in the use of consumer health data
State legislators have a newfound enthusiasm
for restricting the use of consumer health
data that is not protected by the Health Insurance
Portability and Accountability Act (HIPAA).
Last year three states – Connecticut, Nevada,
and Washington – enacted new laws restricting
the use of consumer health data. These laws
require notice and opt-in consent before
consumer health data can be used and prohibit
data sales unless a longer written authorization
is obtained. Geofencing is also prohibited
within a specified range of mental health,
reproductive health, and other care providers.
Compliance requirements
Covered businesses will have new obligations
to obtain opt-in consent for many uses and
disclosures of consumer health data that are
not necessary to provide a product or service
that the consumer requested. Consent obtained
via acceptance of a company’s Terms of Use
will not be sufficient. Nevada and Washington
require companies to obtain “written
authorization” – similar to an authorization
under HIPAA – from consumers prior to
selling or offering to sell their consumer
health data (including some cases where
health data is made available through third-party
web trackers). Notably, Connecticut
requires only opt-in consent for such practices.
Businesses will also have additional, unique
notice obligations under these laws. The
privacy policy requirements in Nevada and
Washington’s laws differ significantly from the
notice requirements in general state privacy
laws, such as the California Consumer Privacy
Act (CCPA), and Washington’s law will require
a separate privacy policy for consumer health
data collected from Washington residents.
Marcy Wilder
Partner
Washington, D.C.
Under these new laws, businesses are also
prohibited from implementing a “geofence”
of less than 1,750 to 2,000 feet around certain
health care facilities to identify, track, collect
data from, or send any notification to a
consumer regarding the consumer's health
data. Geofences include technology that uses
GPS coordinates, cellular data, or even Wi-Fi
to establish a virtual boundary and the laws
will prohibit companies from using certain
location-based check-in features or targeting
advertisements to consumers based on a visit
to certain health care facilities.
Next steps
Businesses subject to the new Connecticut,
Nevada, or Washington laws should determine
whether they process consumer health data and,
if so, operationalize the requirements, taking
account of the broad definition of consumer
health data. Specifically, as needed: (1) update
consumer privacy notices; (2) implement
a process for collecting additional opt-in
consents or authorizations; and (3) prevent
the use of impermissible geofencing. We are
counseling clients on how to comply with these
new laws efficiently and in alignment with their
existing compliance programs.
Donald DePass
Counsel
Washington, D.C.
Paige Papandrea
Associate
New York