Navigating the New Era of Health Data Privacy: A Closer Look at Recent Developments

In today's digital age, consumer personal data is more valuable than ever before, and its protection has become a paramount concern. With privacy regulations restricting audience targeting based on Sensitive Personal Information (SPI) such as ethnicity and sexual orientation, the landscape is rapidly evolving. One significant type of data that demands attention is health data. Typically protected by HIPAA, health data now faces additional safeguards, especially with states requiring opt-in for SPI, which can include specific health data. Beyond those opt-in requirements, some states are creating bills specifically for health data not covered by HIPAA or changing the definition of SPI to include health data. While most have heard about the "Washington My Health My Data Act" (MHMD), other states, including Nevada and Connecticut, are passing bills as well.

Back in April, Washington State made a significant move in privacy law by approving the "Washington My Health My Data Act" (MHMD), one of the most pivotal developments in privacy law since the California Consumer Privacy Act (CCPA) was adopted in 2018. While this news may not have made headlines for everyone back then, it is making them now, with its effective date fast approaching.

Key Elements of MHMD:

  • Effective Dates: March 31, 2024, for regulated entities, and June 30, 2024, for small businesses.

  • Consent Requirements: Explicit opt-in consent for health data collection beyond product/service needs.

  • Data Subject Rights: Deletion rights and unique notice requirements. 

  • Corporate Obligations: Health data privacy policy, consent for collection, and robust security measures.

One of the most significant features of the My Health, My Data initiative is that it grants individuals the right to take legal action to protect their privacy. This means that individuals have recourse if they believe their rights under the initiative have been violated, further emphasizing the importance of businesses complying with the new regulations.

Key Provisions of Nevada SB 370:

  • Effective Date: March 31, 2024.

  • Consent for Collection: Separate consent required for health data collection.

  • Prohibition of Data Sale: The sale of health data is prohibited without explicit consent.

  • Enhanced Data Privacy Measures: Secure storage and limited access requirements.

Connecticut SB 3:

Connecticut's SB 3, effective July 1, 2023, is another significant law:

  • Opt-in Consent: Mandatory explicit opt-in consent for consumer health data.

  • Data Security: Requirements for robust data security measures.

  • Consumer Rights: Consumer health data access, correction, and deletion rights.

Implications for Businesses:

With these significant laws coming into effect, businesses face a new landscape of health data privacy regulations. Here are the implications for businesses:

  • Compliance Deadline: Businesses operating in these states must swiftly adapt their data collection and management practices to align with the new requirements. Failure to comply could result in significant penalties and legal repercussions.

  • Data Handling Practices: Companies will need to review and potentially overhaul their data handling practices, ensuring that they have robust systems in place to obtain explicit consent for health data collection and prevent unauthorized sale of such data.

  • Consumer Awareness: These laws emphasize the importance of consumer awareness regarding their rights to privacy. Businesses must provide clear, accessible information to individuals about how their health data is being used, shared, and protected.

  • Risk Mitigation: Non-compliance with these laws poses legal risks and reputational risks for businesses. Organizations must prioritize compliance efforts to mitigate these risks and maintain customer trust.

As Washington and Nevada prepare to implement these laws, businesses dealing with health data must ensure compliance by updating policies, implementing data protection, and conducting staff training. Obtaining consent to share health data is crucial. Collaborating with trusted partners for secure data sharing helps meet regulations and builds consumer trust.

Ready to partner for consented health data and HIPAA-compliant audience targeting? Contact Reklaim today!
