January 5, 2024 (City, State) – As new consumer privacy laws continue to emerge across the United States, healthcare companies not regulated under the Health Insurance Portability and Accountability Act (HIPAA) must stay informed in order to effectively navigate this evolving landscape and ensure compliance. In particular, healthcare organizations such as pharmaceutical manufacturers, medical device companies, and consumer-directed digital health companies need to understand if these state privacy laws apply to them.
Several states, including California, Colorado, Connecticut, Virginia, and Utah, have enacted laws to fill the gap left by the absence of comprehensive federal consumer privacy legislation. While HIPAA-covered entities and business associates are generally exempt from these state laws, many healthcare companies fall outside the scope of HIPAA and must consider their obligations under the new regulations.
The California Consumer Privacy Act (CCPA) provides the broadest “HIPAA exception” among the state laws, covering medical information subject to the California Confidentiality of Medical Information Act, protected health information collected by HIPAA-covered entities or business associates, entities maintaining patient information in the same manner as health information subject to California laws or HIPAA, and personal information collected in clinical trials or biomedical research studies.
Other states, such as Colorado, Connecticut, Virginia, and Utah, have simpler HIPAA-exemption frameworks. Healthcare organizations must be aware of when they transition to a more consumer-directed orientation, as this may subject them to the new state privacy laws. For example, if a health plan offers a personal health record (PHR) app to its members, the app developer may be considered a HIPAA business associate. However, if the app developer also offers a direct-to-consumer version of the PHR app, they would no longer be a business associate and would need to comply with the state privacy laws.
It is crucial for clinical research organizations and research entities to carefully review the state privacy laws, as exemptions for personal information collected in clinical trials or biomedical research are not common among the new state laws.
The flurry of new consumer privacy laws shows no signs of slowing down, with several more states, including Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas, implementing comprehensive privacy protections in the coming years. These laws can be grouped into three styles: California-style, Virginia-style, and Utah-style. Understanding the similarities and differences between these laws is vital for companies operating in multiple states.
The California-style laws, led by the CCPA and the California Privacy Rights Act, offer strong consumer privacy rights and apply to businesses that meet certain revenue and consumer data collection thresholds. On the other hand, Virginia-style laws, exemplified by the Virginia Consumer Data Protection Act (VCDPA), introduce provisions for opt-in consent and the right to appeal privacy requests. Utah-style laws, such as the Utah Consumer Privacy Act (UCPA), have a narrower scope of applicability and grant fewer consumer rights.
Businesses that are already compliant with the existing laws in California, Colorado, Connecticut, and Virginia will only need to make incremental adjustments to accommodate the new state laws. However, it is crucial for companies to conduct an internal assessment to identify any compliance shortcomings and prepare to meet the effective dates of the new laws.
The ever-changing landscape of consumer privacy laws requires healthcare companies to remain vigilant and adaptable. By staying informed and proactively addressing compliance obligations, these companies can protect the privacy rights of their customers while navigating the complexities of the regulatory environment.