00:07
Adam Stofsky
Hey, Thora. Good morning. So we're recording this, like, right at the end of 2023, and I'm hearing a lot of people sort of freak out about what's going on in the health data world, most of it arising out of this law in Washington state called the My Health My Data law, which is a state law. This is my crude understanding here: a state law that essentially regulates health data and tells companies that they need to keep health data private in certain ways. But it's much more expansive than laws like HIPAA, which really focus on hospitals. Can you tell me, is that a good summary? Like, what's going on in the world of health privacy law that people are worried about, and what do they need to think about?
00:50
Thora Johnson
Okay, so, Adam, I think that's absolutely correct. People are very focused on health data going into 2024, and really they're focused on states governing health data in a way that they haven't in the past. So honestly, I've lost track, but we have about twelve state consumer privacy laws that are general privacy laws, but they all touch on health data and have special parameters around uses and disclosures of health data. And then we have three state laws that are hyper-focused on consumer health data, one being My Health My Data out of Washington, which is the most expansive, and that's why you're hearing the most about it. Nevada has a copycat law that is also expansive. And then Connecticut has particular amendments to its state consumer privacy law that are hyper-focused on consumer health data.
01:50
Thora Johnson
So all companies going into 2024 should be thinking about: what health data do I collect, am I collecting it or subject to any of these state laws that are focused on health data, and what should I be doing?
02:05
Adam Stofsky
So what do these laws do that is making people freak out, for lack of a better word? What's different about that?
02:12
Thora Johnson
Right. Well, most notably and important is some of them impose a requirement to get consent from an individual before you process, collect, use their health information. So it's a new consent requirement. And additionally, there are some new disclosure requirements requiring a particular privacy notice centered around uses and disclosures of consumer health information.
02:42
Adam Stofsky
Okay, so that doesn't seem like such a big deal to me. People are, you know, companies are asking for consent to gather data anyway. Like, what's going on here? What makes it different?
02:53
Thora Johnson
Well, actually, you know, I don't know that folks are getting consent to collect just general information. This isn't GDPR, right? And I know we have a whole series on GDPR, and there's this idea of consent. But in the US, we generally have left it at a privacy notice on each website, which is a general description of uses and disclosures of information. What these state laws that are focused on health data are saying is that a general notice of privacy practices in the corner of the website may not be sufficient. You might actually need to get affirmative express consent from the individual before the information is collected. So I know we called out Washington's law, Adam, but actually I want to put a pin in that for a second, and I want to pick on Connecticut for the moment.
03:51
Thora Johnson
So Connecticut's law is already in effect, and it has special amendments to it that focus on consumer health data, so non-PHI, non-HIPAA data, that actually require an individual to consent before health information is collected about them.
04:12
Adam Stofsky
So is what's worrying about this that, like, the definition of health data is actually pretty broad? So, like, if you sell any kind of, like, wellness product, or you want to understand people's blood pressure or their BMI, is that all health data?
04:30
Thora Johnson
That's such a good question. And you're gonna have to take a look at each of the state laws of where you're operating. But for Connecticut and some of the other states, it's really focused on diagnosis and condition, be it physical or mental. But that's not as black and white as you might think. So, coming to your example of the wellness company, the online wellness company that's asking you an initial questionnaire to find out who you are and what you might be seeking to address and your underlying health conditions. And they ask you, have you ever been diagnosed with insomnia, or do you have a history of depression? Right. Is that condition or diagnosis? And I think the answer is likely yes.
05:22
Adam Stofsky
Sounds like me.
05:25
Thora Johnson
It's introducing some friction because there's a need to get consent before that information is actually collected from the individual.
05:34
Adam Stofsky
Wow. So the default, what you're saying is, in our system of privacy law in the US, generally, most people can just post their privacy notices. They don't need to get express consent to collect data. But this is changing that. Companies that deal in any kind of potential health diagnosis might have to ask for consent before getting data from their customers, or they're, like, potentially breaking the law. Is that a good summary?
05:59
Thora Johnson
It's a really good summary. And it is "potential" because there's so much nuance in how these states are regulating consumer health data. So Connecticut, it is an opt-in regime. Some states, like California, it's an opt-out. Like, we're going to collect the information unless you tell us otherwise. And then, honestly, it's even more confusing than that, and why you have to tread carefully, because My Health My Data in Washington actually doesn't require opt-in consent if what you are collecting is germane to the service or product you are providing. But if there are secondary purposes for which you are collecting the health information, then consent kicks in.
06:41
Adam Stofsky
Wow. Right? Because I guess, is it considered consent if someone's, like, shopping around for a certain product to help address a certain condition? It's sort of assumed they're kind of consenting already just by the fact that they're shopping for it?
06:55
Thora Johnson
In Washington and Nevada, that seems to be the case. But tread carefully. Connecticut is saying any collection requires consent. So I think what you're going to see, right, is, because companies need to be able to scale, the Internet is across all the states, so they're going to need to scale. And I think you're going to slowly but surely see in 2024 some increased friction in the collection of health data, because this consent model is going to be comme du jour. At least that's my prediction for 2024 right here. Laying it down.
07:28
Adam Stofsky
This has made me dizzier than I thought it was going to make me.
07:30
Thora Johnson
I tried not to do that. I tried very hard.
07:33
Adam Stofsky
No, it's not you. Okay. What I'm hearing is that there's a lot of companies that can get kind of scooped into this because they ask questions that might not seem like really diagnosis-related or health-condition-related, but they might be. So things like, I'm thinking about apparel brands, or even, like, beverage, wellness-oriented, like, food and beverage brands, just any sort of workout, kind of exercise products.
08:00
Thora Johnson
This is why people are freaking out about health data going into 2024. It's really figuring out what state laws you're subject to and how you are going to have a scalable, programmatic approach to the collection of health data, so that you're not getting bollixed up against, or with, the minutiae of the various states. But, Adam, it's really, I can't let this conclude without saying there's also a very prominent federal regulator who's very interested in the collection of health data these days, which is not OCR, which enforces HIPAA. It's the Federal Trade Commission. The FTC has had in 2023 several, half a dozen, prominent enforcement actions and settlements dealing with the collection of health data, and this need to be transparent about the collection, getting affirmative express consent to the collection of health data.
08:59
Thora Johnson
So I just want to be clear that there's an overlay of federal law for those companies subject to the FTC.
09:05
Adam Stofsky
Super interesting. Wow. Okay, well, let's leave it at that. Thank you, Thora. Really appreciate it.
09:10
Thora Johnson
My pleasure.
Video: State Health Privacy Laws in 2024 (https://player.vimeo.com/video/914868750)