Navigating the Complexities: How State-Level Privacy Laws Impact Health Data in the U.S.
Privacy is not an explicit Constitutional right in the United States. Seriously. The word “privacy” does not appear once in the U.S. Constitution. Despite that omission, privacy matters to U.S. citizens, courts, and lawmakers. Through decades of court rulings and statutes, the government has affirmed that U.S. citizens do have a right to privacy, not just in our homes but in our data as well.
This is especially true when it comes to health data. Health data privacy is the reason HIPAA was enacted in the first place. But, according to privacy experts like James Dempsey, HIPAA does not even cover the majority of health-related data. That means most of our health data is not subject to HIPAA’s privacy requirements, and U.S. states are stepping in to fill that gap.
While state-level laws are aimed at doing good for consumers, they’re also creating a lot of confusion and uncertainty for the healthcare industry. Let’s take a look.
The Growing Patchwork of State-Level Privacy Laws
Currently, twenty U.S. states have enacted data privacy laws that impact health data.
And while the technical details of each law vary, they all define personally identifiable information (PII) roughly the same. Any of this information can be considered PII that must be secured:
- Identifiers: Names, addresses, email addresses, phone numbers.
- Online Data: IP addresses, browsing history, geolocation identifiers.
- Sensitive Information: Social security numbers, biometric data, health information.
The takeaway is that if you operate in, or collect data from consumers in, any of these twenty states, information that can be linked directly or indirectly to an individual is generally considered PII. Here are the states with such privacy laws:
- California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Delaware Personal Data Privacy Act (DPDPA)
- Florida Digital Bill of Rights
- Indiana Consumer Data Protection Act
- Iowa Consumer Data Protection Act (ICDPA)
- Kentucky Consumer Data Act (KCDA)
- Maryland Online Data Privacy Act (MODPA)
- Montana Consumer Data Privacy Act
- Nebraska Data Privacy Act (NDPA)
- New Hampshire Privacy Act (NHPA)
- New Jersey Data Privacy Act (NJDPA)
- Oregon Consumer Privacy Act (OCPA)
- Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
- Tennessee Information Protection Act (TIPA)
- Texas Data Privacy and Security Act (TDPSA)
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Washington My Health My Data Act (MHMDA)
The similarities between these laws extend beyond their definitions of PII, but the nuances in these similarities make them increasingly complex and challenging to navigate.
For example, if you operate in California and Colorado, those two states handle consent for sensitive data differently. In California, businesses must give consumers the ability to opt out of (limit) the use of sensitive information, health information included. In Colorado, businesses must obtain opt-in consent from website visitors before processing sensitive data at all.
That’s two different consent regimes for the same data.
And that’s not the only instance of two states taking different approaches. Take Virginia and Iowa, two states with comprehensive data privacy laws. Virginia requires businesses to conduct data protection assessments for higher-risk processing, such as processing sensitive data. Iowa does not. Easy enough. But if you operate in Virginia and Colorado, both states require data protection assessments, and what each state expects the assessment to cover differs.
Or look at Utah. Utah’s privacy law defines sensitive data much as California does, but it does not require businesses to offer the detailed mechanisms for controlling the use of their data that California does.
You can quickly see how confusing it becomes to comply with multiple states if you operate across state lines…and we haven’t even talked about the HIPAA complexities yet.
The Intersection of HIPAA and State Privacy Laws
HIPAA is federal law, so state privacy laws generally carve out data HIPAA already governs rather than regulate it twice. How that carve-out is written varies: some states exempt HIPAA covered entities outright, while others, California included, exempt only the data HIPAA covers, not the covered entity itself. So a healthcare organization like Kaiser Permanente, which operates in California, is subject to both HIPAA and California’s two consumer privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA): some of its sensitive data is covered by HIPAA, and other sensitive data is covered by CCPA/CPRA.
How can you tell the difference?
It generally comes down to when sensitive health data becomes protected health information (PHI).
If Kaiser Permanente collects email addresses through a website form to send newsletters about wellness programs, those email addresses alone are not covered by HIPAA but would fall under CCPA rules. This means Kaiser Permanente needs to offer those individuals the right to access, delete, or opt out of the sale of their email addresses under CCPA.
However, if that same website form also collects health information, for example by asking website visitors to select the treatment they’re interested in, the combination of that health information with the email addresses is Protected Health Information (PHI) in the hands of a covered entity, and it is then subject to HIPAA’s regulations.
That creates a data segmentation challenge. Kaiser Permanente would need to carefully segment its data to ensure that PHI is handled in compliance with HIPAA, while other types of personal information are managed according to CCPA requirements.
As a general rule, the identifiers HIPAA lists (names, addresses, phone numbers, email addresses, and so on) are not exempt from state laws until they are combined with health information: data about a physical or mental health condition, the provision of health care, or payment for health care services. Once combined, the record is PHI, HIPAA applies, and the state-law exemption kicks in.
IP Addresses Add Complexity
Now, let’s talk about IP addresses. HHS guidance treats an IP address combined with health information as PHI. However, a recent ruling in the U.S. District Court for the Northern District of Texas held that an IP address combined with browsing data on an unauthenticated webpage is not PHI. Great. So, for unauthenticated pages, HIPAA is out of the picture when you collect IP addresses and browsing data from website visitors; pages behind a patient login are a different matter, since the ruling does not reach them.
But you’re not clear of state-level privacy laws. All twenty state privacy laws treat an IP address as an identifier. That means healthcare organizations operating in those states must still protect visitor IP addresses like any other personal information, regardless of HIPAA’s rules.
HIPAA vs State Laws
To be extremely clear: if you’re a HIPAA covered entity operating in any of the twenty states with data privacy laws and you collect only the following identifiers from website visitors, you must comply with the state law where your consumers are:
- Name
- Address
- Email Address
- Phone Number
- Date of Birth
- Social Security Number
- Photographs or Videos
- IP Address
- Cookies and Device Identifiers
- Online Browsing Behavior
- Geolocation Data
- Job title
- Educational Background
- Survey Responses
- Consent Records
- Purchase History
- Engagement Metrics
Now, add health information like the following to those identifiers and the record becomes PHI, and you must comply with HIPAA:
- Medical History: Records or summaries of past or current medical conditions, treatments, and procedures.
- Treatment Information: Data about specific treatments or therapies received or planned.
- Treatment Seeking Information: Information pertaining to someone seeking a doctor or scheduling an appointment.
- Health Insurance Information: Insurance provider, policy numbers, and coverage details.
- Genetic Information: Information related to genetic tests or family medical history.
- Prescription Information: Details about medications prescribed, dosage, and frequency.
- Health Risk Factors: Information about lifestyle, diet, smoking, and other factors that impact health.
Let’s run through a few quick scenarios to test your expertise.
Think of state-level privacy laws and HIPAA as a partnership. Individually, each covers a different slice of the data; together, they cover the full range of sensitive data an organization collects.
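To make the identifier-plus-health-information rule above concrete, here is an added example (not code from the original article, and not Freshpaint’s product code) that classifies a single web-form submission and decides what, if anything, may be forwarded to a third-party marketing tool. The field names, the sample submissions, the consent table (California opt-out, Colorado opt-in, everyone else defaulting to the strictest model), and the handling of browsing data on authenticated pages are all assumptions made for illustration, not statements of law.

```python
"""Route a web-form submission to the regime that governs it.

Added example implementing the rule described in the article: identifiers on
their own are personal information under the state laws; identifiers combined
with health information, in the hands of a HIPAA covered entity, are PHI and
HIPAA then governs the whole record. Field names, consent table and sample
submissions are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Field classes following the article's two lists (keys are illustrative;
# map your own form fields onto them).
IDENTIFIERS = {
    "name", "address", "email", "phone", "dob", "ssn", "photo", "ip_address",
    "cookie_id", "device_id", "page_url", "geolocation", "job_title",
    "education", "survey_answer", "consent_record", "purchase", "engagement",
}
HEALTH_INFO = {
    "medical_history", "treatment", "treatment_interest", "appointment_request",
    "insurance_policy", "genetic_info", "prescription", "health_risk_factor",
}
# Identifiers the state laws treat as "sensitive" even with no health data
# attached (SSN, biometrics, precise geolocation).
STATE_SENSITIVE = {"ssn", "biometric", "geolocation"}

# Consent model for sensitive data, as the article describes it: California
# lets the consumer opt out, Colorado requires opt-in. A state not listed here
# falls back to the strictest model (opt-in), i.e. the "comply with the
# strictest state" approach. Assumption: extend this table for your own states.
CONSENT_MODEL = {"CA": "opt-out", "CO": "opt-in"}


class Lane(Enum):
    NONE = "no personal data"
    STATE = "state privacy law"
    HIPAA = "HIPAA (PHI)"


@dataclass
class Decision:
    lane: Lane
    reason: str
    consent_required: Optional[str] = None        # "opt-in", "opt-out" or None
    forward: dict = field(default_factory=dict)   # fields safe to hand to a third-party tool


def classify(record: dict, *, authenticated: bool = False) -> tuple:
    """Return (lane, reason) for one submission."""
    ids = record.keys() & IDENTIFIERS
    health = record.keys() & HEALTH_INFO
    if ids and health:
        return Lane.HIPAA, f"identifiers {sorted(ids)} combined with health info {sorted(health)}"
    if authenticated and "page_url" in ids:
        # Assumption, not from the article: the ruling it cites covers
        # unauthenticated pages only, so browsing captured behind a patient
        # login is routed to the HIPAA lane to be safe.
        return Lane.HIPAA, "browsing data captured on an authenticated page"
    if ids or health:
        reason = (f"identifiers {sorted(ids)} without health info" if ids
                  else "health info with no identifier attached (treated as state-law sensitive data)")
        return Lane.STATE, reason
    return Lane.NONE, "no identifiers or health information"


def route(record: dict, state: str, *, authenticated: bool = False,
          has_baa: bool = False, opted_in: bool = False, opted_out: bool = False) -> Decision:
    """Decide what, if anything, may be forwarded to a third-party marketing tool."""
    lane, reason = classify(record, authenticated=authenticated)
    if lane is Lane.HIPAA:
        # PHI leaves the organization only to a business associate under a BAA.
        return Decision(lane, reason, forward=dict(record) if has_baa else {})
    if lane is Lane.NONE:
        return Decision(lane, reason, forward=dict(record))

    sensitive = (record.keys() & STATE_SENSITIVE) | (record.keys() & HEALTH_INFO)
    if not sensitive:
        return Decision(lane, reason, forward=dict(record))
    model = CONSENT_MODEL.get(state, "opt-in")
    allowed = opted_in if model == "opt-in" else not opted_out
    # Without the consent the state demands, strip the sensitive fields and
    # forward only the plain identifiers.
    forward = dict(record) if allowed else {k: v for k, v in record.items() if k not in sensitive}
    return Decision(lane, reason, consent_required=model, forward=forward)


# Constructed sample submissions.
NEWSLETTER = {"email": "pat@example.com", "ip_address": "203.0.113.7", "page_url": "/wellness"}
TREATMENT_FORM = {**NEWSLETTER, "treatment_interest": "knee replacement"}
GEO_FORM = {"email": "pat@example.com", "geolocation": "39.7392,-104.9903"}

if __name__ == "__main__":
    for label, rec, st in [("newsletter/CA", NEWSLETTER, "CA"),
                           ("treatment/CA", TREATMENT_FORM, "CA"),
                           ("geo/CO", GEO_FORM, "CO")]:
        d = route(rec, st)
        print(f"{label:14} -> {d.lane.value:20} consent={d.consent_required} forward={sorted(d.forward)}")
```

The newsletter form lands in the state lane and can be forwarded as-is; the same form with a treatment-interest field becomes PHI and is forwarded nowhere unless a BAA is in place; the Colorado geolocation form is held back until the visitor opts in, while the identical form from a California visitor goes through unless they have opted out.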
Risks of Non-Compliance with State-Level Laws
At this point in time, healthcare organizations are well aware of the risks of not complying with HIPAA in their marketing. Many of them have put new processes in place, and adopted new technology (like Freshpaint), to help with HIPAA compliance.
But many organizations are still struggling to understand and comply with state-level laws, and the risks of non-compliance with those laws are serious:
Risk 1: Fines and lawsuits
Most states have severe financial penalties for not complying with their privacy laws. In California, for example, the CCPA imposes fines of up to $7,500 per intentional violation. This means that if a healthcare organization is caught improperly sharing website visitors’ data with a third-party marketing tool without authorization, it could be fined $7,500 for each visitor whose data was shared with that tool. If that organization shared data from 1,000 visitors, that’s $7,500 per visitor, or a total fine of $7,500,000. That’s not small.
There’s also the risk of “double dipped” enforcement. Enforcement against healthcare organizations can proceed under HIPAA with state laws playing a complementary role. For example, if a healthcare organization in Colorado failed to meet both HIPAA and CPA requirements, it could be subject to enforcement actions under both frameworks.
Lastly, there are lawsuits. California’s CCPA has a private right of action, but only for certain data breaches that result from a failure to maintain reasonable security, and Washington’s My Health My Data Act lets consumers sue under the state’s Consumer Protection Act. States like New York and Massachusetts are considering a broader private right of action in their privacy bills.
Risk 2: Court-ordered injunctions
An attorney general in any state with a privacy law can seek court orders to stop a business from continuing practices that violate that law.
So, if a state attorney general determines that a healthcare organization is violating the law by sharing health data with an advertiser, even if the purpose is only to improve advertising efficiency, the state could bar that organization from using advertising data altogether.
This has happened at the federal level: the FTC barred Cerebral from using or disclosing consumer health data for advertising, so there is precedent for state attorneys general to follow.
Risk 3: Mandatory corrective actions
If that’s not enough, states can require organizations that have violated their laws to take specific corrective actions to address and rectify the violations. These actions could be anything from implementing enhanced privacy protections, to revising privacy policies, to improving data security measures.
None of those are small actions. Even a seemingly simple action such as revising a privacy policy requires reworking how an organization manages the data of its consumers.
Risk 4: Impact on brand trust
Anytime an organization violates privacy regulations, consumer trust is the first thing that’s lost. This is especially true in healthcare where trust is a “daisy chain.”
Each link of the daisy chain represents a relationship built on trust: Any breach of trust can undermine confidence and erode patient-provider relationships. A loss of trust over how an organization handles data can cause patients to rethink where they get their care.
Balancing Data Use and Privacy Compliance
Data is essential for marketing in any industry. It fuels performance and provides insight into how visitors interact with your website. But in healthcare marketing, data is a double-edged sword. On one side, it’s extremely useful. On the other, it’s a privacy compliance risk.
A seemingly obvious way to comply with every state-level law and HIPAA at once is to simply stop using data. Go dark. But this approach risks ruining your marketing altogether. Without data, you’re completely blind to marketing performance and to opportunities to improve.
A better approach healthcare organizations are using is to comply with the strictest state standards where they operate. So a healthcare organization like HCA Healthcare, which operates in twenty different states, would likely choose to follow California’s standards set in the CCPA and CPRA. Because California set such a high bar in those laws, complying with them should help HCA comply in other states, but it’s not guaranteed: on specific points another state can be stricter, as Colorado is with its opt-in consent requirement for sensitive data.
The best approach to compliance across the board is to get complete control over your data with privacy-first marketing. A privacy-first approach uses technology to help you get control over when, where, and how your marketing data is used. This approach prioritizes first-party data and completely removes the reliance on third-party data from your marketing stack.
One well-known healthcare organization tried the “going dark” approach for their ad campaigns and saw their cost-per-lead skyrocket. That led to unsustainable marketing, so they decided to implement a privacy-first approach with Freshpaint. Once implemented, they saw their cost per lead drop by 70% since they were able to control the data they were sharing with third-party advertisers.
Interested in taking a privacy-first approach with your healthcare organization? See a demo of Freshpaint’s Healthcare Privacy Platform here.