Last week, Taft’s Privacy and Data Security team sponsored and presented at Northern Kentucky University’s (NKU) 17th Annual Cybersecurity Symposium. Our presentation centered on (i) new consumer health data laws being enacted at the state level across the country; (ii) the Federal Trade Commission (FTC) Act’s heightened focus on businesses’ use of health information and (iii) the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Although these laws have overlapping data points and serve a similar objective of protecting health data, the obligations placed on entities regulated under each law differ. Therefore, it is crucial for organizations collecting health data to learn about these laws, determine how, if at all, they apply to their organization, and comply with the obligations outlined under each applicable law.
Below, we have prepared a summary of some obligations that these laws require of regulated companies. Please note that the summary below is not intended to be an exhaustive list of obligations imposed under each law.
Consumer Health Data (CHD) Laws
Overview. In the wake of recent court decisions and lawmaking centering on reproductive health rights, certain states, like Connecticut, Maryland, Nevada and Washington, have turned to privacy legislation to better protect individuals’ health-related data – otherwise known as “consumer health data,” which is broadly defined to include “personal information relating to the past, present, or future physical or mental health of a consumer.” Additionally, “consumer health data” includes information that can be used to make inferences about someone’s health. CHD laws expand beyond traditional notions of health information in health-related industries such as hospitals, pharmacies, and clinics and encompass industries that use any data remotely related to a person’s health in their business. For example, location data collected by a pharmacy’s mobile application that indicates when a user is near a store could be CHD. A gym tracking a member’s weight and weight loss journey, or a meal delivery service that sells “heart healthy,” “low cholesterol,” or “keto” meals and tracks users’ meal selections, are additional examples of collecting CHD. The broad scope of CHD means that organizations in the beauty, wellness, fitness, nutrition, and retail industries, to name a few, could be impacted.
Notably, CHD Laws do not apply to information that is Protected Health Information (PHI) under HIPAA. Thus, PHI is excluded from the CHD definition. CHD also excludes information collected for employment purposes (Employee Data); information used to engage in public or peer-reviewed, historical or statistical research that is subject to oversight; and personal information governed by other federal laws such as the Gramm-Leach-Bliley Act (GLBA), Social Security Act Title XI, the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), and similar statutory requirements.
Who is Regulated? Unlike HIPAA, which limits the covered entity definition to select entities and vendors that work with those entities, CHD Laws typically apply to any entity doing business in these states that may collect, buy, access, acquire or otherwise process consumer health data. Additionally, CHD laws do not impose monetary/volume processing thresholds (e.g., processing personal information of 100,000 residents) for the laws to apply to your organization.
Enforcement. CHD Laws are enforced by the state attorneys general. However, Washington’s CHD Law also provides individuals with a private right of action – meaning consumers do not have to wait for the government to enforce their rights under Washington’s CHD Law; they can sue for any injury caused to them by a company’s violation of the Washington law.
CHD Law Obligations. Given the wide scope of these CHD Laws, entities must be aware of their obligations when handling CHD and, more importantly, must know how to identify what CHD is.
- Obtain consent.
  - Regulated entities will need specific consent before collection of CHD. In this case, “collection” also means processing in any manner.
  - Consent under certain CHD Laws must be separate from other consents (e.g., WA).
- Maintain and publish a “consumer health data privacy policy” and consent disclosure.
- Ensure a robust security program to protect CHD.
- Conduct data protection assessments for CHD processing that presents a “heightened risk” to consumers.
- Obtain authorization for the sale of CHD.
- Adhere to contracting requirements when engaging a processor of CHD.
Federal Trade Commission (FTC) Act
Overview. The FTC Act prohibits companies and individuals from engaging in unfair or deceptive acts or practices in or affecting commerce. As it relates to “health information,” the FTC prohibits entities from disclosing individuals’ health information for advertising without their affirmative express consent. This means regulated persons and companies must ensure their health data practices are not substantially injuring consumers, including by invading their privacy. It also means that regulated persons and companies cannot mislead consumers about what is happening with their health information. Failing to meet these requirements may be an unfair or deceptive trade practice and subject to FTC enforcement action and fines. What makes the FTC Act so unique is its broad scope in comparison to the CHD Laws.
Like CHD, health information regulated by the FTC is broadly defined and is “anything that conveys information or enables an inference about a consumer’s health.” Health information may include browsing information (e.g., cookies dropped on a browser to track users across various websites, including health-related websites, for advertising purposes), location information (e.g., data showing a consumer visited a drugstore/pharmacy) or purchase information (e.g., data showing a consumer bought a home pregnancy test). To avoid violating the FTC Act, the FTC has recommended that companies take a broad view of what constitutes health data and handle it accordingly.
Enforcement. The FTC polices regulated persons’ and entities’ use of health information. Most recent scrutiny for violating the FTC Act concerning health information has concerned the use of tracking technologies, such as cookies, web beacons, and pixels, that collect health information without individuals’ consent. Through its recent enforcement actions and guidance, the FTC has warned companies that they must closely monitor the flow of health information to third parties whose tracking technologies are integrated into websites and apps.
Who is Regulated? Any person or entity that uses health information. This includes HIPAA-covered entities. If a HIPAA-covered entity is deploying deceptive practices to acquire PHI, that conduct would also be subject to the FTC’s enforcement.
FTC Health Breach Notification Rule (HBNR). Another unique aspect of the FTC’s enforcement and regulation of “health information” is its Health Breach Notification Rule. Only select entities are subject to the HBNR’s reporting obligations. These entities include non-HIPAA-regulated entities that collect or process electronic personal health records (PHRs). Examples of entities mainly covered by this Rule include health applications (e.g., calorie tracking or fertility tracking applications) and service providers of these companies that have access to the electronic PHRs.
HBNR-covered entities that experience a breach of security must report it to the FTC through the FTC’s HBNR online portal. A “breach of security” is defined as “unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure by the company itself.” A breach concerning 500 or more people must be reported to the FTC within 60 days of discovery of the breach, whereas a breach concerning fewer than 500 people must be reported within 60 days following the end of the calendar year in which the breach occurred. Failure to report a breach could result in monetary penalties.
FTC Act Obligations.
- Avoid making false or misleading claims that your company is “HIPAA Compliant,” “HIPAA Secure,” “HIPAA Certified” or the like.
- Be transparent about the organization’s health information practices.
- Tell consumers the whole truth, and do not bury key facts in a privacy policy, a Terms of Use section, or other places where consumers are not likely to read and understand them.
- Evaluate the size, color, and graphics of all statements to consumers regarding health information to ensure they are clear and conspicuous.
- If subject to the FTC’s HBNR, timely report breaches of health information using the FTC’s online portal.
HIPAA
Overview. HIPAA is typically the health law that comes to mind when organizations are thinking about the health data they collect. HIPAA regulates entities’ transmission or use of individually identifiable health information, in any form or medium, whether electronic, paper or oral – also known as PHI. HIPAA established three primary rules for safeguarding PHI. First, the Privacy Rule sets limits and conditions on the uses and disclosures of PHI that covered entities and business associates may make without an individual’s authorization and provides individuals with rights concerning their health information. Second, the Security Rule requires covered entities and their business associates to implement safeguards to protect the confidentiality, integrity, and availability of all electronic PHI (ePHI) the covered entity or business associate creates, receives, maintains, or transmits. Finally, the Breach Notification Rule requires HIPAA-covered entities to provide notification to affected individuals, the Secretary of HHS, and, in some cases, the media, following a breach of unsecured PHI.
Who is Regulated? Covered Entities and Business Associates.
A HIPAA “Covered Entity” includes healthcare providers (e.g., doctors, clinics, nursing homes, dentists, pharmacies, psychologists), health plans (e.g., health insurance companies, health maintenance organizations (HMOs), company health plans for employees and their families) and healthcare clearinghouses (e.g., an organization that electronically transmits different types of medical claims data to insurance providers).
A HIPAA “Business Associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity. Common examples of a Business Associate include:
- IT Consultants
- Cloud Storage Providers
- Law Firms
- Pharmacy Benefits Managers (PBMs)
- Practice Management Services
- Electronic Records Vendors
- Accountants and Actuarial Service Providers
However, Business Associates can also include marketing companies that send materials to patients on behalf of a Covered Entity or a mailing company that sends materials on a clinic or hospital’s behalf. Even if a company claims that it is not a Business Associate, if HHS determines that the company is handling PHI, it will be a Business Associate and required to comply with HIPAA. In other words, taking an organizational stance that your company is not a Business Associate is insufficient. Acting like a Business Associate, and processing PHI on behalf of a Covered Entity, will bring an entity within HIPAA’s scope.
Enforcement. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA.
Obligations under HIPAA. Covered Entities and Business Associates have several obligations under HIPAA, but the biggest trouble companies find themselves in is not knowing that they are a Covered Entity or Business Associate to begin with.
- Determine if your organization functions as either a Covered Entity or Business Associate under HIPAA.
- Conduct data mapping to identify where PHI lives/is housed within your organization’s information systems.
- Develop and implement HIPAA policies and procedures designed to safeguard PHI.
  - HIPAA’s Privacy, Security and Breach Notification Rules (HIPAA Rules) outline specific technical, physical and administrative safeguards that Covered Entities and Business Associates must have in place.
- Conduct a HIPAA risk assessment identifying any risks to PHI based on your organization’s policies and procedures, vulnerabilities in information systems, or prior threats/events (e.g., a security incident/breach).
- If you are a Covered Entity, implement a notice of privacy practices (i) informing individuals of how you plan to use and disclose their PHI, (ii) describing the organization’s duty to protect PHI, (iii) explaining individuals’ rights to their PHI and (iv) stating how to contact the organization for more information and to make a complaint.
- Ensure a Business Associate Agreement (BAA) is in place between Covered Entities and Business Associates (and subcontractors of Business Associates) describing the permitted uses and disclosures of PHI and the safeguards that must be in place to protect PHI being handled by the Business Associate or subcontractor.
- Train personnel and document training on HIPAA requirements under the HIPAA Rules.
What Should I Do Now?
Distinguishing health data laws is challenging. On the surface, these laws seem similar and appear to overlap because their aims align to protect individuals’ health information. However, there are important distinctions under these laws.
For example, if your organization is not a HIPAA Covered Entity or Business Associate, but is otherwise processing health-related information, your organization may be covered under the FTC Act and/or CHD Laws.
The best step moving forward is understanding what laws apply to your organization and working with legal counsel to make the determination. Organizations should consider the following questions:
- Is my organization collecting health information of U.S. persons?
- If no, does my organization (i) provide services to an organization collecting health information and (ii) have access to such information? If the answer is yes, move on to the next question.
- Who does the health data concern (e.g., my employees, my customers/clients, my customers’ customers/clients)?
- What type of health data is collected (e.g., information about allergies, weight, reproductive data, medication, bodily functions, vital signs, sexual health information, biometric data, genetic data, tracking technology that could reveal someone’s health information, location data that could reasonably indicate a person’s attempt to acquire or receive health services or supplies)?
- How is my organization using this health data? For what purpose?
- Where is health data located in my organization’s information systems?
- In what format is the health data held (electronic, paper or both)?
- Is health data disclosed or made available to any third party (i.e., does your organization provide access to information systems that house/store health data)?
For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.