State Consumer Health Privacy Laws
The most striking health privacy news coming out of the states recently was the Washington state legislature’s passage of the My Health My Data Act (MHMDA). This law, which has now been in effect for several months, establishes a strict notice-and-consent framework to govern a broad range of “consumer health data.” MHMDA defines “consumer health data” expansively to include both information that is clearly health-related, such as health treatment and diagnosis information, and information that is not typically classified as health information under other legal frameworks. For example, the law’s definition of “consumer health data” includes certain photos of a consumer, as well as information that identifies a consumer as seeking to assess, learn about, or improve either their “mental or physical health,” which could encompass a very broad range of general wellness-related activities.
MHMDA creates obligations for businesses and nonprofit organizations of all sizes, including those with no direct connection to Washington state, as well as those entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in their collection and processing of non-HIPAA-covered consumer health data. The law imposes extremely strict opt-in consent obligations for any collection, use, or transfer of health information beyond what is necessary to provide a consumer-requested product or service. And for any “sale” of consumer data—with “sale” defined using the definition of “sale” found in laws such as the California Consumer Privacy Act (CCPA)—it requires an elaborate HIPAA-style consumer “authorization.”
MHMDA requires regulated entities to publish a standalone consumer health data privacy policy. Additionally, while the law creates certain relatively standard consumer rights, it establishes rights of access and deletion that go significantly further than the rights established by comparable state laws. To enforce these novel and strict requirements, MHMDA creates a private right of action and also authorizes Attorney General enforcement.
On the heels of MHMDA, Nevada and Connecticut each passed consumer health privacy bills that incorporate aspects of Washington’s law. Connecticut’s bill, Senate Bill 3 (SB 3), was styled as an amendment to the state’s comprehensive privacy law, the Connecticut Data Privacy Act (CTDPA). We provide an overview of SB 3 in the state comprehensive privacy law section below. Shortly after the passage of Connecticut’s law, Nevada passed into law a consumer health bill—Senate Bill 370 (SB 370)—which is similar, but not identical, to MHMDA. SB 370, which is enforceable only by Nevada’s Attorney General, mirrors MHMDA in many respects but differs from it in several key ways. In contrast to MHMDA, SB 370 creates a use-based definition of “consumer health data” as data that a covered entity processes to identify a consumer’s health status. From this definition, SB 370 exempts information used to facilitate video game play as well as data about a consumer’s shopping habits and interests, so long as those data are not used to identify something about a consumer’s health. There are several other differences between the two laws as well—for example, SB 370 requires entities to make somewhat different disclosures in their consumer health data privacy policies than those required by MHMDA.
While MHMDA and SB 370 have created significant compliance challenges for covered entities, we have yet to see lawsuits alleging their violation. Ultimately, the full impact of these novel consumer health privacy laws will hinge on what enforcement looks like once it begins. One of the biggest open questions surrounding MHMDA’s private right of action is how Washington state courts will interpret the requirement that plaintiffs show an injury caused by a violation of the Act. Because the Act is enforced as a violation of the Washington Consumer Protection Act, the injury must be to the plaintiff’s “business or property.” In light of the law’s intent, will Evergreen State judges find more abstract harms—such as emotional distress or increased risk of discrimination—sufficient for the purposes of this requirement? Or will they adhere to prior case law and require the demonstration of more concrete—but, in the privacy context, harder to prove—harms, such as lost wages or physical harm? And how will the outcomes of cases brought by the state’s Attorney General, who is empowered to sue for violations of MHMDA without alleging harm, affect deliberations in cases brought by private plaintiffs (and vice versa)?
One highly anticipated trend of 2024—that additional MHMDA “copycat” bills would proliferate throughout the states—has largely not come to fruition, with a few noteworthy exceptions. In New York state, the legislature strongly considered—but ultimately did not pass—Assembly Bill A4983-D (AB A4983), a health data privacy bill that would have shared many similarities with MHMDA. One provision would have required regulated entities to obtain HIPAA-style “authorization” for certain collection or other processing of regulated health information. Had it been put into practice, this onerous requirement could have prevented covered entities from engaging in many widespread and beneficial data practices, such as offering consumers discounts at local pharmacies or wellness retailers.
Still in play when this article was drafted is MHMDA-style legislation introduced by Washington, DC’s Attorney General Schwalb, the Consumer Health Information Privacy Protection Act of 2024 (CHIPPA). This bill would create new restrictions on the collection and processing of “consumer health data” of DC residents or data collected in DC. CHIPPA includes a private right of action, and its definitions and requirements are largely identical to those in MHMDA. However, its requirement of opt-in consent for the collection and sharing of consumer health data does not contain the necessity exception language found in MHMDA, creating even greater uncertainty and risk regarding the use of consumer health data for operationally necessary purposes.
State Medical Records Privacy and Law Enforcement Access Laws
In the aftermath of the Supreme Court’s decision in Dobbs, several states passed laws restricting law enforcement access to abortion and reproductive health–related data. In California, the legislature amended the state’s medical records law—the Confidentiality of Medical Information Act (CMIA)—to limit the disclosures that health care providers, service plans, and other CMIA-covered entities and individuals may make to out-of-state or foreign law enforcement about an individual “seeking or obtaining” a lawful abortion in California. The same amendment added language to the CMIA restricting covered entities and individuals from sharing medical information that identifies an individual seeking abortion services, or a person providing or supporting those services, “in an electronic health records system or through a health information exchange.”
Other states—including Colorado, Connecticut, Hawaii, Illinois, Massachusetts, New Jersey, New Mexico, New York, Rhode Island, Washington, and Vermont—have since passed similar laws. As with MHMDA and SB 370, we have not seen public enforcement of these new medical records privacy laws. Where enacted, however, they send an important message about states’ strong commitment to abortion access for state residents and those traveling from other states alike.
State AI Health Laws
Predictably, at least some lawmaker focus in 2024 has shifted toward regulating the use of AI in health care contexts. In California, Assembly Bill 3030 (AB 3030) and Senate Bill 1120 (SB 1120) were recently signed into law by Governor Newsom. When it takes effect, AB 3030 will require certain health care providers operating in the state that use AI to communicate with patients, without a human provider reviewing that communication, to disclose their use of AI to those patients and to provide instructions for contacting a human provider. SB 1120 requires physicians to provide oversight when AI tools are used to “inform decisions to approve, modify, or deny” requests made by providers to authorize their provision of health care services.
State Comprehensive Privacy Laws
Amid all these other changes, new state comprehensive privacy laws have been coming into effect across the country. As of this article’s publication, 19 (or 20, if you include Florida’s narrowly applicable law) state comprehensive privacy bills have been passed into law, with eight (or nine, including Florida) of these laws in effect and 11 more set to take effect between January 1, 2025, and January 1, 2026. Barring the passage of a broadly preemptive federal comprehensive privacy law, more such laws will doubtlessly be passed in the states in the 2025 legislative session and the sessions to follow.
State comprehensive privacy laws typically exempt HIPAA-covered data while reaching health data collected in consumer contexts, including browsing health-related web content. These laws all place restrictions on covered entities’ collection and processing of consumers’ “sensitive personal information” (SPI), which they typically define to include health-related information such as “data revealing mental or physical health condition” and “diagnosis” information. Most of these laws require opt-in consent for the collection of SPI, although Utah’s and Iowa’s laws instead provide the right to opt out of the collection of these data, and California’s law grants consumers the right to limit the use of their SPI. Several states have iterated upon this definition in their laws to explicitly include particular forms of health information. For example, Delaware included “pregnancy data” as a category of sensitive personal information in the Delaware Personal Data Privacy Act (DPDPA).
As mentioned above, Connecticut took this a step further, passing an amendment with consumer health-related provisions to its comprehensive privacy law, the CTDPA, which took effect July 1, 2023. The health provisions of this amendment—SB 3—were closely modeled on MHMDA when first introduced but were ultimately narrowed. These provisions add “consumer health data” to the CTDPA’s categories of “sensitive data,” which cannot be processed without a consumer’s consent. SB 3 defines “consumer health data” as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.” Among other modifications, SB 3 amended the CTDPA to require consumer consent for the sale of “consumer health data” and to forbid the geofencing of health facilities for certain purposes.
The Maryland Online Data Protection Act (MODPA), which was signed into law in May 2024 and takes effect on October 1, 2025, defines SPI to include data “revealing … consumer health data,” which is “personal data that a controller uses to identify a consumer’s physical or mental health status.” Significantly, MODPA breaks from the model established by the other state comprehensive privacy laws in the restrictions that it places on the collection and processing of SPI. MODPA permits controllers to collect, process, or share SPI only where such collection or processing is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains” (emphasis added). And it bans completely the “sale” of sensitive data. Both provisions will have significant implications for entities operating in the consumer health and wellness spaces.
What’s Next for State Health Privacy Legislation?
What do we see coming for state health privacy legislation? The developments of the past couple of years reflect some key trends that are likely to continue to influence lawmakers, and state lawmakers will continue to wrestle with several tricky health privacy issues. First, the uncertainty caused by the broad and open-ended definition of “consumer health data” in MHMDA led to narrower, use-based definitions in the Nevada and Connecticut laws. Lawmakers will continue to refine these definitions, seeking to balance considerations including clarity of scope, so that entities can know which data are subject to the laws, and ensuring that the strictest requirements apply to the data that are the most sensitive or most capable of causing harm. We expect policy considerations around the crafting of such definitions to become increasingly nuanced as lawmakers gain understanding of the burden that overly broad definitions place on a range of innocuous business activity, while remaining mindful that overly narrow definitions can create inadvertent loopholes and that downstream recipients of data may not use the data for the same purposes as the original collector.
Second, legislators and enforcers are likely to add nuance to their treatment of health inferences. In other words, all inferences about health may not be equal in the eyes of the law, with regulators and legislators developing more granular criteria about the conditions under which inferences related to health are treated as health information. As deliberations regarding this topic become more nuanced, lawmakers may begin to consider the accuracy or specificity of an inference and whether a health-related inference was made deliberately or only incidentally.
Third, we are likely to see more distinctions regarding the sensitivity of different forms of health information (e.g., the fact that someone is interested in yoga or has allergies versus the fact that someone is pregnant or is addicted to an illegal drug). We have already seen some indications that state policymakers are moving in this direction, as they have called out certain forms of health information in particular within their definitions of consumer health data and SPI.
Finally, one thing we can be certain of is that state lawmakers will continue to devise new ways to regulate health privacy and health-related personal information. The already-complex consumer health privacy landscape will become more complex and, in many ways, more restrictive. And these state law developments will affect a very wide range of companies and other entities, including those that don’t even think of themselves as health-related businesses. Thus, as new laws, new regulations, and new enforcement actions emerge in the coming months and years, this will continue to be an important space to monitor closely and respond to quickly.