Overview
New state privacy laws regulating health data impose significant obligations and heightened litigation and regulatory risks. During this webinar, Elliot Golding and Sam Siegfried discussed how these laws apply, what they require, and practical tips to implement and operationalize compliance.
Top takeaways included:
- Consumer health data laws apply broadly. Businesses should examine whether and how these laws apply because some: (a) do not exempt HIPAA-regulated entities (California, Colorado and Washington) or nonprofits (Colorado and Washington), (b) apply even to small businesses (Washington, Nevada and Connecticut), and (c) cover health inferences derived from non-health data (e.g., online browsing activity).
- Enforcement risks are real, significant and increasing. State and federal regulators are actively investigating and enforcing these laws, and enforcement will increase now that the California Privacy Protection Agency can commence enforcement. Litigation has also been significant and will increase once Washington’s private cause of action takes effect this month.
- Act now. Key compliance steps include:
  - Updating or developing consumer health data privacy policies (including posting a distinct Washington notice using a distinct website hyperlink)
  - Executing data processing contracts with service providers
  - Obtaining consent to process health data that satisfies the new heightened requirements
  - Identifying and developing policies to manage cookies and tracking technologies to ensure compliance with transparency and consent requirements, such as implementing cookie consent management tools