In 2022, Connecticut became the fifth state to pass a comprehensive data privacy law. One particularly complex area within data privacy is consumer health data, which includes biometric data and certain location data in most states’ definitions. In 2023 legislative sessions, states have been scrambling to create regulations for collecting, sharing, and selling consumer health data via health data privacy legislation. Others are looking to amend and expand their previous data privacy laws. As of March 2023, federal regulations protect health data collected by most healthcare providers but do not protect data collected by consumer apps and websites. Until federal legislation is passed, any entity that maintains or uses health data must stay alert to distinctions and changes in state laws.
Illinois Health Data Privacy Bill
Maryland Bill to Regulate Consumer Health Data Privacy
In February 2023, State Senator Shelly Hettleman (D) introduced SB0790, which would regulate private entities’ collection and use of consumer health data. The bill would require private entities to obtain consumers’ consent before collecting certain categories of health data. Consumers would have the right to withdraw consent to the collection and use of their health data, request a copy of their data, and request the deletion of their data. The bill would prohibit private entities from selling, leasing, or trading consumer health data. The proposal would also prohibit the establishment of a geofence around any location that provides in-person health care services. The bill was withdrawn by its sponsor in March 2023, as was its cross-filed version (HB995).
Massachusetts Consumer Health Data Privacy Bill
Washington “My Health, My Data” Bill
In January 2023, a group of Democratic Representatives introduced HB1155, the My Health, My Data Act, which would regulate the collection, sharing, and selling of consumer health data. The proposal establishes a broad definition for health data, including efforts to research health services and supplies. It would expand the application of rules from healthcare organizations to practically all business entities. The bill would prohibit apps and websites from collecting consumer health data without user consent and prevent the sale of the data. For websites, consumers would express consent by clicking a checkbox on a visible pop-up somewhere on the webpage. The proposal would allow consumers to withdraw their consent to share data and request that their data be deleted. Using a geofence for healthcare service locations would also be prohibited. The bill passed both legislative chambers as of early April 2023. A Senate version of the proposal (SB5351) was also filed.