US Health Data Privacy Landscape and its Ripple Effect

In 2023, the privacy race expanded to include healthcare data, with states like Washington, Connecticut, and Nevada introducing data-specific bills to protect consumers of wellness services beyond the traditional confines of America’s healthcare system. This parallels Illinois’s earlier move on biometric data privacy; its BIPA remains the most consequential such law to date.

Meanwhile, the FTC's regulatory actions against companies like Premom, GoodRx, and BetterHelp highlight the challenges ahead at the federal level, underscored by HHS’s proposed updates to HIPAA's Privacy Rule and Congress’s introduction of the Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act.

In the absence of a comprehensive national privacy law, it is clear policymakers are finding political success with reforms affecting our most sensitive data.

TL;DR:
Washington’s My Health My Data Act (MHMDA) is a significant legislative development that will affect wellness websites and advertisers, apps and wearables, and internet-native healthcare service providers.

The FTC's Health Breach Notification Rule and Section 5 Unfair and Deceptive Practices authority provide overarching protections and we should expect more agency actions irrespective of state legislative reforms.

MHMDA’s [over]broad scope and a growing patchwork of cross-state requirements will make data mapping and technology due-diligence critical to sustainable compliance efforts.

We unpack each of these issues and their implications for businesses below.

My Health, My Data

On April 27, 2023, Washington enacted the My Health My Data Act (MHMDA), creating robust protections for consumers and strong requirements for businesses in areas where HIPAA does not reach.

💡
Most provisions of the law will come into effect on 30th June 2024 for small businesses, and 31st March 2024 for other regulated entities.

Broad (or overbroad) scope

MHMDA treats consumer health information expansively, covering genetics, biometrics, vital signs, physical and mental health status, medication purchases, appointments and treatments, public records and precise geolocation information.
Importantly, the definition reaches web searches, AI chatbot conversations and similar online interactions where health-related information may be volunteered or inferred.

💁
"Consumer health data" is defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. The definition expressly includes a “Cookie ID,” picking up on recent FTC actions regarding the use of ad tech by healthcare entities and digital health services.

The act requires disclosure of data practices, prohibits selling of consumer health data (including biometric and location data), regulates data beyond PHI, and extends to processors and third parties.

Implications

  • Wide-reaching applicability could have a significant impact on advertisers, app providers, wearable device manufacturers, wellness content publishers and technology providers not otherwise covered by HIPAA.
  • “Sharing” means the disclosure of any health data to a "third party" and is delineated from sharing such data with a service provider; "selling" largely follows now-familiar definitions in California, Virginia and others.
  • Requires opt-in consent before collecting or sharing health data, with few exceptions for "necessary" purposes. As with the CCPA, organizations will need to carefully weigh what collection and disclosure activities are actually needed to provide a requested product or service.
  • Consumer rights to confirm data collection, withdraw consent, access data or request deletion follow a now-familiar pattern, but the prescriptive mandate to publish a consumer health data privacy policy means more footer links and more information for consumers to wade through.
  • Restrictions on geofencing in-person healthcare facilities require further guidance to ensure that service-related notifications a patient has requested are not disrupted.
  • Imposes access controls, security measures, and data protection standards for regulated entities. Processors must adhere to processing instructions and contractual obligations.
  • Violations of the law are considered unfair trade practices, subject to enforcement under Washington's Consumer Protection Act, and consumers have a private right of action.

Other States

This table provides a brief overview of key points and does not encompass all details of the respective health data privacy laws.

💡
These data-specific laws contrast with comprehensive statutes such as the CCPA, VCDPA and CTDPA, which cover health information as one category of sensitive personal data. In all cases state laws operate within the preemptive confines of HIPAA, filling gaps and increasingly setting higher, but not lower, requirements.

Federal Trade Commission

The FTC’s recent crackdowns targeted online providers that, while health related, fall outside of HIPAA’s scope. Notable actions focused on broken privacy promises and misrepresentations concerning targeted advertising, and in two cases on failures under the Health Breach Notification Rule.

  • GoodRx, a telehealth and medication coupon service, was fined $1.5M for sharing health condition and medication information with targeted ad providers like Facebook, Google and Criteo among others despite promises it would “never” do so. The company also retargeted its existing customers on Facebook and Instagram with ads tailored to their health conditions without imposing onward usage restrictions as required for HIPAA Business Associates. Lastly, GoodRx falsely claimed compliance with DAA behavioral advertising principles and HIPAA while lacking adequate policies and practices supporting such compliance. This marked the FTC's inaugural enforcement of the Health Breach Notification Rule (HBNR).
  • BetterHelp, an online counseling service, was fined $7.8M for sharing mental health data with targeted ad providers like Facebook, Snapchat and Criteo among others. The company also retargeted its existing customers on Facebook as well as prospective customers using FB’s "look-alike" audience matching capabilities. Like GoodRx, BetterHelp engaged in these activities despite making contrary promises. Lastly, the FTC noted how BetterHelp used manipulative language and prompts to nudge counseling subscriptions, and in turn to collect more sensitive information. The case is another instance of the FTC taking action against so-called ‘dark patterns’, a modern application of its unfair and deceptive practices authority.
  • Premom, a fertility app, was charged with deceiving users by sharing their reproductive health and pregnancy status information with third parties, including Google, AppsFlyer, and two China-based firms. Easy Healthcare, the developer of Premom, failed to obtain users' consent before sharing information and used third-party automated tracking tools, SDKs, without adequately addressing privacy and data security risks. This is FTC’s second HBNR enforcement action following its settlement in February with GoodRx.

All these enforcement actions resulted in the prohibition of sharing user health data for advertising purposes, the requirement of express affirmative consent, deletion of shared data by third parties, implementation of comprehensive security and privacy programs, and adherence to HBNR notification requirements. The companies charged are also required to publicly post a data retention schedule and retain users' personal information only for necessary purposes. GoodRx and Premom are prohibited from future privacy misrepresentations, while Premom is additionally required to send a consumer notice about the FTC's allegations and settlement.

Implications

  • Facebook, Google and other adtech providers are not HIPAA covered entities and are not in the habit of signing Business Associate Agreements.
  • Sharing health related data for digital advertising purposes via pixels/tags will continue to be a source of regulatory scrutiny as well as patient lawsuits.
  • While encryption-in-transit and URL hashing may meet the HIPAA Security Rule, without appropriate notice and authorization, or limitations on downstream use, such disclosures can still violate the HIPAA Privacy Rule.
  • Context matters. Shared “personal information” may be “health information” simply due to the nature of the product or service. As such, data appended to cookies and device identifiers, hashed emails and IP addresses can trigger elevated compliance obligations.
  • Ensure health data is shared for permissible and limited purposes, defined contractually.
  • Contractual restrictions may not be enough. Marketers will need to review their advertising and analytics settings to, for example, disable cross-Google data sharing in Google Analytics 4.
  • Never say “never”. Companies making blanket privacy claims leave themselves vulnerable to challenges. Privacy promises need to be reviewed regularly against actual business practices, and material changes not applied retroactively without due consumer notice and choice.

HIPAA & Congress

The Health Insurance Portability and Accountability Act (HIPAA) is the principal health data protection law in the US. The law is supplemented by the Privacy Rule and Security Rule, which set out the baseline obligations HIPAA-covered entities and their business associates must meet. The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), enforces HIPAA compliance and addresses data breaches. Non-compliance can have severe consequences, including civil monetary penalties, reputational damage and downstream legal liability to affected persons.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 as part of the American Recovery and Reinvestment Act. The law expands HIPAA's Privacy and Security rules, and provides financial incentives for health care providers to adopt electronic health records (EHRs).

To enhance privacy protections in reproductive healthcare, HHS has issued a notice of proposed rulemaking (NPRM) to modify the HIPAA Privacy Rule. The proposed changes would prohibit the use or disclosure of PHI for an investigation or proceeding against a person for seeking, obtaining, providing or facilitating reproductive health care, where that care was lawful in the state in which it was provided (including care obtained across state lines) or is protected by federal law.

💡
The proposed rule still permits the use and disclosure of PHI for other purposes allowed under the Privacy Rule, but regulated entities would need to obtain a signed attestation confirming that the use or disclosure of PHI is not for a prohibited purpose.

The comment period for the proposed rule closed on June 16, 2023 and the existing version remains in effect.

Congress has been keeping busy as well. The Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act was introduced by Democratic senators in March 2023. The proposal seeks to ban the sale of precise location information by data brokers and the use of identifiable health information to target ads.

Takeaways

Statehouses are moving past HIPAA’s limitations and Congress’s repeated failures to pass a comprehensive national privacy law. While Washington’s My Health My Data Act (MHMDA) is a significant legislative development with a wide area of effect, it is still but a piece in the US’s growing patchwork of overlapping frameworks inclusive of consumer health information.

Rather than passively observing the numerous legislative and regulatory fireworks, health-related businesses should take steps to future-proof their operations and marketing activities within and across state lines. To this end we offer the below tips.

Top of Mind

  1. Understand where HIPAA ends and state compliance obligations begin. Recognize that HIPAA sets a floor that, in practice, can fall short of client and partner expectations.
  2. Be cautious about sharing health-related data for targeted advertising purposes, as it may attract regulatory as well as plaintiff attention.
  3. Recognize that health data, particularly as broadly defined by MHMDA, is contextual. Data mapping and technology due-diligence will be critical to sustainable compliance efforts.
  4. Categorize personal data by sensitivity and risk thresholds, considering factors like data context and availability.
  5. Ensure the clarity and accuracy of your privacy statements. The FTC will use its deceptive practices authority alongside the Health Breach Notification Rule to pursue broken promises and inadequate compliance practices.
  6. Restrictions on onward use and retention of health-related data are not reserved solely for HIPAA-covered entities. State privacy laws, comprehensive like the CCPA or data-specific like MHMDA, require businesses to enter into bounded data processing agreements. Particular attention must be paid to health and other sensitive personal information.
  7. Consent management platforms (CMPs) can play an active role in obtaining informed, demonstrable consent. However, EU-style implementations may be counterproductive in the US, and marketers should look beyond mere cookie management. In some cases compliance can mean not embedding a third-party pixel or loading an adtech tag at all.
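The advice above (review tag settings, gate sharing on explicit consent, and sometimes do not load the adtech tag at all) can be expressed as a small piece of client-side logic. The following is an added example, not code from the original article or from any CMP vendor: a tag loader that fires a third-party pixel only when the visitor has given an explicit, affirmative advertising opt-in, and never on a page whose path or query would turn the pageview itself into consumer health data. The health-term list, the shape of the consent record, the purpose name `advertising` and the pixel URL are all illustrative assumptions.

```javascript
'use strict';

// Constructed, illustrative list of URL terms that mark a page as
// health-related. A real site would derive this from its own content
// taxonomy rather than a hard-coded list.
const HEALTH_TERMS = [
  'condition', 'symptom', 'diagnosis', 'medication', 'prescription',
  'therapy', 'counseling', 'fertility', 'pregnancy', 'mental-health',
];

// Returns true when the page path or query carries a health term, i.e. when
// sending the URL (or a "ViewContent" event for it) to an ad network would
// disclose a consumer's health status. Relative paths are resolved against a
// placeholder origin so the function also works outside a browser.
function isHealthContext(pageUrl) {
  const url = new URL(pageUrl, 'https://example.invalid');
  const haystack = decodeURIComponent(url.pathname + ' ' + url.search).toLowerCase();
  return HEALTH_TERMS.some((term) => haystack.includes(term));
}

// Consent record as a CMP might store it (assumed shape). Only an explicit,
// affirmative opt-in for the 'advertising' purpose counts; a dismissed banner,
// implied consent or a missing record is treated as no consent.
function hasAdvertisingOptIn(consent) {
  return Boolean(
    consent &&
    consent.purposes &&
    consent.purposes.advertising === 'opted_in' &&
    consent.method === 'explicit',
  );
}

// Decide whether an adtech tag may load on this page, recording the reason so
// the decision can be logged as evidence of the consent check.
function adtechDecision(consent, pageUrl) {
  if (!hasAdvertisingOptIn(consent)) {
    return { allow: false, reason: 'no explicit advertising opt-in' };
  }
  if (isHealthContext(pageUrl)) {
    return { allow: false, reason: 'health-related page context' };
  }
  return { allow: true, reason: 'opted in, non-health page' };
}

// Inject the tag only when allowed. The injector is passed in so the logic can
// run outside a browser; in the disallowed case no script element is ever
// created, so there is no request to the ad network that would need "opting
// out" afterwards.
function loadAdtechTag(consent, pageUrl, inject, tagSrc = 'https://adtech.example/pixel.js') {
  const decision = adtechDecision(consent, pageUrl);
  if (decision.allow) {
    inject(tagSrc);
  }
  return decision;
}

// Default browser injector: append the vendor script to <head>.
function domInject(src) {
  const script = document.createElement('script');
  script.async = true;
  script.src = src;
  document.head.appendChild(script);
}

// Demo when run directly under Node, using a constructed consent record.
if (typeof require !== 'undefined' && require.main === module) {
  const optedIn = { method: 'explicit', purposes: { advertising: 'opted_in' } };
  const loaded = [];
  const inject = (src) => loaded.push(src);
  console.log(loadAdtechTag(optedIn, 'https://example.com/pricing', inject));
  console.log(loadAdtechTag(optedIn, 'https://example.com/conditions/depression', inject));
  console.log(loadAdtechTag(null, 'https://example.com/pricing', inject));
  console.log('tags loaded:', loaded.length);
}
```

In a browser the call would be `loadAdtechTag(cmp.getConsent(), location.href, domInject)`, run after the CMP has resolved the visitor's choice rather than on page load. The page-context check is the part an EU-style cookie banner does not give you: it keeps the tag off condition, symptom and search-result pages even for visitors who did opt in, which is the "not loading the tag at all" outcome the list item describes.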

Stay strong, stay vigilant. The health of your privacy program depends on it!