State Consumer Privacy Laws: What Non-healthcare Organizations Need to Worry About Health Data
5:09
Legal Disclaimer 
The information provided in this video does not, and is not intended to, constitute legal advice, instead, all information, content, and materials available on this site are for general informational purposes only. The law changes fast, so information in the video may not constitute the most up-to-date legal or other information. 
Transcript

00:07
Adam Stofsky
Can you give me some examples of companies that are not HIPAA covered entities or business associates that might need to worry about health information? Let's start with the kind of category of sensitive data. Like, what are we talking about? Are we talking about, like, a yoga studio or, like, a wellness product? What's the universe of companies that need to think about this?

00:30
Thora Johnson
I'm going to speak in generalities because there's no other way to do it right now with the patchwork that we have. But when we're talking about general state consumer privacy laws, health information is generally condition or diagnosis. So it would be a non-HIPAA-covered entity. So not a healthcare provider in the traditional sense, not a group health plan, not a health insurer, but maybe an app. And maybe that app is asking you about your diagnosis or medical condition to be able to tailor the service it's providing to you. Whether that be a sleep app or a behavioral health app that is outside the sphere of HIPAA, they need to be worried about these state consumer privacy laws.

01:17
Adam Stofsky
So I won't name any specific companies here, but if I'm, like, an app that's actually providing, say, mental health services, I link consumers up with therapists, and there's a bunch of companies that do this. Now, they may actually be HIPAA covered, potentially, right?

01:38
Thora Johnson
You are a great student. Because the answer to that is yes. So if they are a provider that bills electronically for their healthcare, which any provider that bills Medicare is, because to bill Medicare you need to enter into these electronic transactions, then they're covered entities. And that platform would be a business associate and would be directly subject to HIPAA. But you could see a scenario where it was providing the same service, the telehealth service or platform service, to mental health providers that don't bill electronically. And then you would be outside the sphere of HIPAA, but right in the crosshairs, potentially, of these state consumer privacy laws and now these three very specific health consumer privacy laws.

02:25
Adam Stofsky
So alternatively, if there's an app that doesn't really engage in any kind of direct referrals to health professionals, but kind of, like, gets a lot of info about your mental state. So I know there's a bunch of apps that send you meditation or exercises, and they ask you how you're feeling right now, and you actually track your level of anxiety or how much you're sleeping. Those kinds of apps might not be HIPAA covered or business associates at all, but they do need to worry, potentially, about some of these state laws. Is that right?

02:53
Thora Johnson
That's right. Most of those, or oftentimes I should say, they are direct to consumer. So they're not within the world of HIPAA, but they are in the world of the state consumer privacy laws. And really, we should take a step back here and talk about general FTC principles, because the FTC has fragile jurisdiction and prohibits deceptive practices. And so the FTC has actually taken several enforcement actions against that type of app that's in the healthcare space but not directly subject to HIPAA, talking about transparency, or promulgating and putting some teeth behind needing to have appropriate transparency and collection of consents from individuals before processing their health information.

03:49
Adam Stofsky
Let me get this straight. If you're actually, like, a healthcare provider or an insurer, it's kind of easier because you've got this law, HIPAA, you've got to follow. Well, it's not easier, because HIPAA makes you do a lot of things, but at least it's clear what you need to do. But if you're, like, in this other universe of "I have a health app," or maybe I run a health food store, or maybe I just have a fashion business that asks for information that seems, I don't know, whatever, you're not a healthcare provider. I've got to worry about, I've got to understand, the state laws, but I also have to worry about the FTC Act at the federal level.

04:32
Thora Johnson
You do, 100%. And you need to be thinking through: do I have a privacy notice for my consumers that's transparent about the information I collect, the third parties I share it with, the purposes for the collection and the sharing? And do I have requisite consents if I'm collecting health information? And thinking through what is health information is a little bit of a challenge. As I said today, it's changing almost on a weekly basis what's considered health information under the various regimes.

© 2024 Briefly