Data Privacy Regulations For Healthcare Technology


Summary

Understanding data privacy regulations in healthcare technology is crucial as they govern how sensitive health-related information is collected, stored, and shared. Laws like HIPAA and newer state-specific regulations, such as Washington's My Health My Data Act (MHMDA), aim to protect consumer health data and enforce compliance obligations for businesses handling this information.

  • Post clear privacy policies: If you handle consumer health data, feature a separate, easily accessible Consumer Health Data Privacy Policy on your website (under Washington's MHMDA, the Attorney General expects a distinct link on the homepage), listing the specific categories of health data collected and the affiliates with whom it is shared.
  • Evaluate tracking technology risks: Regularly assess the data collected through tracking technologies (pixels, cookies, analytics scripts) on your platforms to determine whether it qualifies as protected health information (PHI) under HIPAA, and, if it does, put a business associate agreement or valid HIPAA authorization in place before it reaches a vendor.
  • Secure valid consumer consent: Implement procedures to obtain explicit opt-in consent for collecting and processing consumer health data, especially when operating in states with comprehensive consumer health privacy laws such as Washington.
Summarized by AI based on LinkedIn member posts
  • Omer Tene, Partner, Goodwin (14,913 followers)

    🚩🚩 Urgent compliance alert 🚩🚩: post your MHMDA Consumer Health Data Privacy Policy. Now.

    Few things are as easy for class action plaintiffs to enforce as your not posting a required new policy on your website.

    As lawyers and privacy officers debate the merits of a federal privacy law, coming from Washington state legislators in DC, that is unlikely to see the light of day, a Washington state law is already very much in effect, with strict requirements and an imminent wave of private and regulatory enforcement actions.

    MHMDA, which entered into force two weeks ago (March 31), has a robust private right of action with statutory presumptions in favor of plaintiffs. No statutory damages. But a violation of MHMDA is a per se violation of Washington's Consumer Protection Act, which awards damages, including treble damages, for injuries to business or property.

    MHMDA requires regulated entities to post a Consumer Health Data Privacy Policy. While the content of this policy is similar to the content of a general privacy policy, the Washington State Attorney General clarified that businesses should post a *separate* Consumer Health Data Privacy Policy (see FAQ 4: “The Consumer Health Privacy Policy must be a separate and distinct link on the regulated entity’s homepage and may not contain additional information not required under the My Health My Data Act”, https://lnkd.in/ef2EPB9Z).

    In addition to being a separate document, the Consumer Health Data Privacy Policy has a couple of wrinkles vs. a general PP. Businesses need to: (a) break out the categories of consumer health data they collect (i.e., it’s not enough to list “health data” as many do in PPs); (b) list the specific affiliates with whom they share consumer health data (this is somewhat counterintuitive since third parties need only be listed by category).

    See our coverage of the new law here: https://lnkd.in/emrJ5sdz with Jacqueline Klosek, Steve Charkoudian, Roger Cohen, Federica De Santis, Gabe Maldoff

  • Jessica B. Lee, CPO/Chair, Privacy, Security & Data Innovations, Loeb & Loeb LLP | Advisory Board Member | I Provide Product Counsel & Data Governance Solutions for Data-Driven Companies *My views do not represent the view of my firm* (7,608 followers)

    OCR updated its guidance on the use of tracking technologies yesterday, and my thoughts are apparently too long for a post, so here is a rare LinkedIn article from me. If this overview is too long, here's what I found most interesting:

    1) Whether the information collected from a tracking technology is PHI depends in part on the intent of the individual (based on one example: tracking technologies on an unauthenticated page of a hospital website that outlines healthcare services may collect PHI if the website visitor is looking for a healthcare provider, but won't collect PHI if the visitor is a student doing research). The problem, of course, is that neither the hospital nor the tracking technology vendor will know the difference. They may make inferences, but they don't know. Companies will need to evaluate their risk based on the data collected, not the potential intent of the visitor (unless their website is structured in a way that makes it clear).

    2) Tracking technology vendors that collect PHI (based on the nature of the data they collect) must sign a BAA, or the regulated entity must get HIPAA authorization (which can't be obtained through a website banner). It is insufficient for a tracking technology vendor itself to de-identify PHI (in lieu of authorization or a BAA), BUT OCR states that an intermediary can be used to de-identify data before it is shared with the tracking technology provider (unclear how that will work from a tech perspective).

    3) OCR clarifies that signing an agreement with BAA-like restrictions will not make a company a business associate (like the controller/processor distinction—you are what you are, and the contract doesn't change that).

    Bottom line—This is an enforcement priority for OCR. The best time to look at this was a few years ago, but the next best time is now. Both sides (vendors and regulated entities) need to understand what information is being collected by tracking technologies, whether it is covered by HIPAA, and then act based on that analysis. Companies that fall outside of HIPAA aren't off the hook—the FTC is watching.

  • Richy Glassberg, Co-Founder/CEO of SafeGuard Privacy. Founding team of CNN.com. CEO/Founder, Phase2media. Co-Founder IAB. CEO/COO Medialets a WPP Acquisition. Co-Founding Board Member, Breastcancer.org. (12,560 followers)

    The most recent trend among the states after the Supreme Court’s Dobbs decision is to enhance protections for “Consumer Health Data,” resulting in new laws that augment protections provided by HIPAA. Washington State, Connecticut, and Nevada have recently passed such legislation. Most significantly, Washington’s My Health My Data Act includes a private right of action. The inevitable private lawsuits and multiple class actions elevate compliance risk to heightened levels. Washington’s MHMDA is the most comprehensive of these new laws and applies to any health-related data that is collected through apps, websites, or any other means when the data isn't covered by HIPAA. What do businesses need to know about Washington’s MHMDA?

    ☑  Consumer Health Data is a very broadly defined term that includes inferences that can be derived from even seemingly innocuous non-health-related data.
    ☑  The Act has a nationwide scope. Companies would be well advised to treat it like a general privacy law. It does not just apply to businesses that collect, use, disclose, or sell consumer health data of Washington consumers but also those having business or data-related business functions in the state that affect non-Washington consumers.
    ☑  The Act mandates that businesses provide specific disclosures in data policies and obtain opt-in consent for data collection and processing, and it requires separate, complex “valid authorization” procedures in order to sell health data. Also included are standard consumer rights: the right to know, access, withdraw consent, and delete.
    ☑  MHMDA’s private right of action is the first in what is, despite the title of the Act, a comprehensive privacy law.
Read the full analysis on consumer health data, WA MHMDA, and other US states, such as Connecticut and Nevada, and get more key takeaways and insights from our legal team on our blog: https://bit.ly/3Ru2mZA Wayne Matus Katy Keohane, CIPP-US Rachel Walkden Jared Combs Jason Heki ☁️Matt Anderson Rachel Glasser Dona J. Fraser Leigh Parsons Freund Tony Ficarrotta Matt Barash Anthony Katsur Michael Hahn Gary Kibel Alison Pepper Christopher Oswald Sal Tripi Marc Goldberg David Kohl Angelina Eng Scott Schiller Jules Polonetsky Jessica B. Lee Gerard Stegmaier Andrew Bonzani Sheila Colclasure Matthew Novick Jason Cicchetti Dan Frechtling Jesse Redniss Seth Redniss Tom Chavez Barbara Lawler Linda Thomas Brooks Andrew Susman Tom Hespos Parbinder Dhariwal Mike Standard Nicole Killen Jason Sarfati #privacy #privacycompliance #hipaa #wamhmda #dataprotection #compliance #healthdata #consumerprotection #washington
