California, Virginia Launch Data Privacy Laws; More Coming in Other States

Earlier this year, California and Virginia enacted comprehensive consumer data privacy laws. Now, three more states — Colorado, Connecticut, and Utah — have similar legislation taking effect in 2023 that could change how health information (HI) professionals manage data. The regulations will allow individuals to retain more control over their personal data by limiting its use and sale and provide an avenue to opt out of targeted advertising.

Given the ubiquity of digital data and the possibility of misuse, there has been renewed interest in enhancing consumer privacy protections by state legislatures. Distinct from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), these laws safeguard the sensitive data companies collect about consumers who engage with their businesses. This information may include race or ethnicity, religious beliefs, health conditions and diagnoses, sexual orientation, and immigration status. It also covers anything that may identify an individual or their location, such as precise geolocation, genetic, or biometric data. However, de-identified data, publicly available information, and data from consumers acting in a commercial or employment capacity are generally excluded from these laws.

Although some states appear to exempt healthcare companies and related data altogether, the laws are not always clear-cut, says Adam Greene, JD, MPH, an attorney specializing in health information privacy and security laws at Davis Wright Tremaine LLP in Washington, DC.

"Organizations should look closely at the very specific language of the healthcare exemptions because they vary by state," he says, adding that some companies may need to consult counsel to fully interpret the law's impact on their data management strategies. "The interplay of these laws and HIPAA can be complex and potentially affect even personal information collected from business-to-business contacts like a referring physician."

Greene says that HI professionals must remain keenly aware of how personal information is collected and used on the company’s digital platforms. For example, in recent years, several hospitals and telemedicine providers have come under increased scrutiny after tracking pixels embedded on their websites and patient portals compiled patient data, including personal health information (PHI), for targeted advertising purposes. The spate of unauthorized disclosures prompted the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS) to issue guidance for data managers to determine what qualifies as HIPAA-protected PHI on their digital platforms.

Each state's Attorney General (AG) will oversee the enforcement of the new guidelines. Businesses must obtain consent to process an individual’s personal data, whether they are collecting, using, selling, storing, disclosing, or analyzing it. In addition, they typically must limit the collection of personal data to only what is reasonably necessary and publish a privacy policy and opt-out method on their website.

Here's what HI professionals should know about the legislation in Colorado, Connecticut, and Utah:

Colorado

The Colorado Privacy Act applies to businesses that control or process the personal data of at least 100,000 Colorado consumers annually. It also affects companies that control or process the personal data of 25,000 or more residents and receive revenue or discounted goods or services from the sale of that data. The bill will take effect on July 1.

Covered entities and business associates are excluded. However, in a change from other states, HIPAA-covered entities and nonprofits are not fully exempted. "If you're a healthcare nonprofit, the law could apply to personal information on your website that is not PHI subject to HIPAA," says Greene.

Jennifer McCann, RHIA, CHPS, CTR, president-elect of the Colorado Health Information Management Association (CHIMA), says CHIMA will share the Colorado AG’s resources with members so they can determine the necessary updates to their data processes.

"I don't know that there'll be many changes for healthcare organizations, but it's a good reminder to review current policies and procedures and seek legal advice," she says.  

Connecticut

The Connecticut Data Privacy Act focuses on two types of businesses: in the preceding calendar year, those that controlled or processed the personal data of at least 100,000 residents; and those that handled more than 25,000 residents' data while earning over 25 percent of their gross revenue from data sales. It will take effect on July 1.

Exempt from the law are nonprofits, HIPAA-covered entities, PHI used by a covered entity or business associate, and personal data used only for conducting payment transactions.

Elizabeth Taylor, MS, RHIT, CHC, CHPC, board liaison and advisor for the Connecticut Health Information Management Association (CtHIMA), expects that the law will not substantially impact the state's healthcare organizations since most are nonprofits. For-profit organizations will need to determine if they meet the applicable guidelines.

Still, businesses will be given some leeway to correct inappropriate disclosures as they acclimate to the new guidelines. "The law provides an enforcement grace period following enactment," says Taylor. "Through December 31, 2024, the AG must provide businesses with a notice of alleged violations and 60 days to cure them. By January 1, 2025, businesses must have controls in place to collect consent and respond to consumer opt-out requests." 

Utah

The Utah Consumer Privacy Act applies to businesses with annual revenues of $25 million or more. In addition, those companies must control or process the personal data of at least 100,000 residents each year or manage the data of 25,000 residents and obtain over half of their gross revenue from personal data sales. The bill will take effect on Dec. 31.

Like Connecticut, nonprofits, HIPAA-covered entities, and PHI used by a covered entity or business associate are exempt from the Utah law.

"This is another layer of protection for consumers alongside our stringent HIPAA laws," says Amanda Fowler-Kummer, MS, CCBT, CDIP, CPC, CCS, president of the Utah Health Information Management Association (UHIMA).

While the exemptions in the bill may mean minimal changes for healthcare facilities, she says HI professionals should be aware that a more precise definition of biometric data has been added to the legislation since its introduction. Biometric data captured from a patient in a healthcare setting is now excluded.

Consumer Privacy Laws on the Horizon

Several more states have recently passed consumer privacy legislation. In March, Iowa became the sixth state to do so, though the bill won't take effect until Jan. 1, 2025. Governors in Indiana and Tennessee signed legislation in May, with respective effective dates of Jan. 1, 2026, and July 1, 2025.

Consumer privacy bills also have been introduced in at least a dozen other states this year, including Illinois, Louisiana, New Hampshire, Oklahoma, and Texas, according to the International Association of Privacy Professionals, which tracks the legislative efforts. Many bills are under committee review, and Montana's awaits the governor's signature.

Greene says more states will likely adopt these comprehensive laws. "We're seeing something similar to state breach notification laws, with California the first to do so and every state eventually doing the same."

Amid the push for greater data privacy for consumers, HI professionals will need to reevaluate their data management processes to ensure they align with the organization's standards and state regulations.

Steph Weber is a Midwest-based freelance journalist specializing in healthcare and law.