How state laws are beefing up health data privacy protections

Washington and New York seek to provide more protections for how health data is collected and sold.

Cassie McGrath is a reporter at Healthcare Brew, where she focuses on the inner-workings and business of hospitals, unions, policy, and how AI is impacting the industry.

When it comes to healthcare data protection, most people probably think of the Health Insurance Portability and Accountability Act (HIPAA). But with the rise of technology, like wearables and telehealth, there’s more patient data out there than ever before.

With a lack of movement in Congress (but some at the Federal Trade Commission), at least 26 states including Washington and New York have begun taking data privacy, or personal control of patient information, into their own hands.

“HIPAA was written for a pre-digital age and doesn’t extend far enough to safeguard patient data in today’s environment,” Rachel Schilling, engagement manager at healthcare strategy group Rock Health Advisory, told us via email.

And this doesn’t just impact companies on an individual level: State data privacy regulations have a significant effect on the healthcare industry overall, as they’re “rewriting the rules of engagement for healthcare companies,” Pat McGloin, managing director of health and life sciences at advertising company Merge, told Healthcare Brew.

“For [healthcare] companies, that means rearchitecting data strategies, rethinking consent management, patient communications, and vendor contracts,” he said. “The challenge is that instead of one national standard, we’re looking at a patchwork of rules, which adds operational complexity and legal risk.”

This leaves healthcare companies that operate in several states to confront “constantly evolving policies” and regulatory challenges, McGloin said, adding it also means companies need to invest in stronger data governance through auditing practices and vendor oversight.

“It’s not just about ‘checking the box’ for compliance requirements—it’s about redesigning the way data is collected, stored, and shared at every level,” he said.

Laying down the laws

California was famously the first state to comprehensively regulate data collection and selling, back in 2018 with its Consumer Privacy Act, following a scandal involving data firm Cambridge Analytica, which the FTC investigated for using “deceptive practices” to collect data from millions of Facebook users. Five years later, in 2023, Washington signed the My Health My Data Act into law.

While both laws are designed to give patients more knowledge of and say over how their data is used, Washington took it a step further by covering all businesses that use health data, regardless of size (California, by comparison, regulates companies based on a few distinctions, including whether they have $25+ million in annual gross revenue). The Washington law also allows people to prevent their data from being sold.

New York followed Washington’s lead in January when the state Assembly passed the Health Information Privacy Act, a proposed law that would create greater protections for New York residents’ health data. Though the bill still needs to be signed into law by the governor, state Sen. Liz Krueger wants the Empire State to stake its claim in protecting its citizens’ data.

“Realistically, we should all be quite concerned about private information being accessed and used in ways we never even imagined,” she told us.

Why were these laws created?

While the states are on opposite sides of the country, senators who spoke with Healthcare Brew had similar reasoning for initiating deeper data privacy laws for health information: reproductive rights.

Since Roe v. Wade was overturned in 2022, there’s been a rise in people traveling to different states to receive reproductive health care. But states with abortion restrictions may be able to track these patients, like in Texas, where there are “bounty” laws against those seeking care.

Right now, anyone can access GPS records or license plate data to see if patients are going to get abortions in states where the care is outlawed, for example. And while it hasn’t happened yet, experts worry apps tracking menstrual cycles could also sell patient data or have it subpoenaed to be used against people seeking the procedure, Krueger said.

But it doesn’t stop with reproductive health. In 2023, the FTC accused virtual therapy company BetterHelp of selling patients’ mental health data to companies including Facebook and Snapchat for advertising purposes, resulting in a $7.8 million settlement. These data privacy laws are trying to prevent these events from happening in the future.

“[Your health is] nobody’s business but yours, but now it’s big money for companies,” Krueger said.

How do the laws work?

Washington’s law requires all companies to let users opt in to having their health data collected. It does not apply to companies that only store data in the state and don’t share or sell it. That differs from most states, where health data can otherwise be collected without a user’s knowledge or consent.

It’s similar in New York, where users have to opt in, and if they don’t within 60 days, their data is automatically deleted.

“You have to give people the chance to opt in, particularly when it’s the most private and personal data that we have,” Washington state Sen. Vandana Slatter said.

These laws protect users in the specific states where they’re passed. That means even if a company isn’t based in Washington or New York, it has to abide by each state’s rules if it’s collecting data nationwide.

The New York and Washington laws differ, however, in that Washington residents have the right to sue companies if they can prove harm, whereas New York gives authority to investigate to the state attorney general.

In February, a lawsuit was filed in Washington against Amazon for allegedly violating the law.

Can these laws protect against cybersecurity issues?

Healthcare is often a target of cyberattacks, raising a question around whether data privacy can enhance data security. (See: Family ancestry company 23andMe’s up-and-down journey after 7 million customers’ data was exposed when it was hacked in 2023.)

Schilling said privacy and cybersecurity are “related but distinct.” While privacy laws focus on how data is collected, used, and shared, cybersecurity concerns the safeguards that prevent and stop incidents.

Still, stricter privacy laws can reduce the risk of cybersecurity incidents because they require companies to limit the data they collect and to agree to security obligations, she said.

“What’s happening in Washington and New York is a signal of where the entire country is headed,” McGloin said. “Over time, these laws will push the industry toward a de facto national standard, one that goes further than HIPAA.”