Digital health companies face a growing challenge as state-level data privacy laws multiply. Unlike national regulations like HIPAA, these state laws vary significantly, posing complex compliance hurdles. In 2023 alone, seven general privacy laws emerged, with Washington and Nevada adding two more. To adapt, digital health firms need data mapping, impact assessments, and precise privacy policies. Until a federal data privacy law is enacted, companies must focus on adhering to these evolving state laws to protect personal data and consumer interests.
As the landscape of data privacy laws evolves, digital health companies face intricate compliance challenges, particularly with the growing patchwork of state-level regulations.
Compliance with established federal statutes like HIPAA and the Federal Trade Commission (FTC) Act can already be a daunting task for any organization. These laws have a national scope, which simplifies compliance for companies operating across multiple states. However, the recent surge in state-level data privacy laws introduces a new layer of complexity, as each state crafts its unique legislation.
Roy Wyman, an attorney and member at Bass, Berry & Sims, highlights the gravity of this situation, stating that in 2023 alone, there have been seven new general privacy laws, with Washington and Nevada contributing an additional two. This proliferation of laws in such a short timeframe is exceptional, adding significant compliance costs and complexities for digital health companies.
Unlike HIPAA-covered entities, which have had 25 years to become accustomed to HIPAA's intricacies, digital health companies not subject to HIPAA will face a steep learning curve as they adapt to these new legal requirements.
Assessing the Diverse Landscape of State Data Privacy Laws:
According to data from the International Association of Privacy Professionals (IAPP), several states, including California, Colorado, Connecticut, and Texas, have enacted comprehensive privacy laws. While these laws share some similarities, many draw inspiration from the California Consumer Privacy Act (CCPA), which granted consumers more control over their personal data’s usage and sharing.
In addition to general privacy laws, some states have implemented specific regulations for health data. For instance, Connecticut strengthened its data breach law in 2021 to provide additional protection for patient data. Washington's My Health My Data Act, signed into law in May 2023, aims to modernize consumer protection by giving individuals the right to withdraw consent, to request data deletion, and to restrict the collection and sharing of their health data without their consent.
Nevada has also joined this trend, passing the Consumer Health Data Privacy Law in July. This law, which takes effect in March 2024, mirrors many aspects of Washington’s legislation.
Wyman emphasizes that these state laws can be far-reaching, potentially affecting digital health companies that have even a single user or any form of targeting within a specific state.
Challenges in Navigating State Data Privacy Laws:
One of the key challenges digital health companies face is the lack of uniformity among these state laws. Each law comes with its own set of nuances and requirements, complicating compliance efforts. While HIPAA often preempts state laws, companies not covered by HIPAA must navigate a patchwork of unique regulations.
Steps to Maintain Compliance:
To effectively manage compliance with these diverse state laws, digital health companies should consider the following steps:
1. Data Mapping: Create a comprehensive data map to identify where personal information is collected, stored, and shared within the organization. This map should also include plans for data destruction.
2. Data Impact Assessments: Perform data impact assessments as required by some state laws. These assessments help determine the sensitivity and vulnerability of data, allowing companies to weigh the value of retaining it against the associated risks.
3. Privacy Policies: Draft privacy policies based on the insights gathered from data maps and impact assessments. Accuracy is crucial in these policies, as any discrepancies can lead to FTC enforcement under Section 5 of the FTC Act.
The Quest for a Federal Data Privacy Law:
The complex web of state-level privacy laws prompts questions about the absence of a comprehensive federal data privacy law. While there have been attempts, such as the American Data Privacy and Protection Act (ADPPA), progress in passing such legislation remains uncertain.
Wyman acknowledges the need for federal intervention to clarify and preempt state laws, reducing inefficiencies and the risk of inadvertent non-compliance. Until a comprehensive federal law emerges, companies must prioritize compliance with evolving state regulations to safeguard sensitive data and protect consumers.