Health Data Privacy

In 2022, Connecticut became the fifth state to pass a comprehensive data privacy law. One particularly complex area within data privacy is consumer health data, which includes biometric data and certain location data in most states’ definitions. In 2023 legislative sessions, states have been scrambling to create regulations for collecting, sharing, and selling consumer health data via health data privacy legislation. Others are looking to amend and expand their previous data privacy laws. As of March 2023, federal regulations protect health data collected by most healthcare providers but do not protect data collected by consumer apps and websites. Until federal legislation is passed, any entity that maintains or uses health data must stay alert to distinctions and changes in state laws.


Illinois Health Data Privacy Bill

State Representative Ann Williams (D) introduced HB3603 in February 2023, which would amend the Protect Health Data Privacy Act. The proposal would require any individual, company, or organization that deals with health data to add a visible health data privacy policy to their website homepage. These regulated entities would not be allowed to collect, share, sell, or store health data without consent from consumers. Consumers would be given the right to withdraw consent to the use of their data at any time. The bill would also prohibit the implementation of a geofence around any location that provides health care services.


Maryland Bill to Regulate Consumer Health Data Privacy

State Senator Shelley Hettleman (D) introduced SB0790 in February 2023, which would regulate private entities’ collection and use of consumer health data. The bill would require private entities to obtain consumers’ consent before collecting certain categories of health data. Consumers would have the right to withdraw consent to the collection and use of their health data, request a copy of their data, and request the deletion of their data. The bill would prohibit private entities from selling, leasing, or trading consumer health data. The proposal would also prohibit the establishment of a geofence around any location that provides in-person health care services. The bill was withdrawn by its sponsor in March 2023, as was its cross-filed version (HB995).


Massachusetts Consumer Health Data Privacy Bill

In Massachusetts, H386 and S184 were introduced in February 2023, which would regulate consumer health data. The identical measures would require any entity that collects, shares, or sells consumer health data to clearly display a privacy policy disclosure on its homepage. Consumer consent would need to be obtained before any collection or sharing of data. Consumers would have the right to withdraw their consent to the use of their data and request the deletion of their data, which would have to be done by regulated entities within 30 days of receiving the request. The bill also prohibits regulated entities from selling consumer health data.


Washington “My Health, My Data” Bill

A group of Democratic Representatives introduced HB1155, the My Health, My Data Act, in January 2023, which would regulate the collection, sharing, and selling of consumer health data. The proposal establishes a broad definition for health data, including efforts to research health services and supplies. It would expand the application of rules from healthcare organizations to practically all business entities. The bill would prohibit apps and websites from collecting consumer health data without user consent and prevent the sale of the data. For websites, consumers would express consent by clicking a checkbox on a visible pop-up somewhere on the webpage. The proposal would allow consumers to withdraw their consent to share data and request that their data be deleted. Using a geofence for healthcare service locations would also be prohibited. The bill passed both legislative chambers as of early April 2023. A Senate version of the proposal (SB5351) was also filed.

