Next Steps in Privacy Protections for Health Data in a Post-Dobbs World

By: Elle Borgdorff

The Health Insurance Portability and Accountability Act (HIPAA) was passed on August 21, 1996. Following rapid advances in electronic technology, Congress recognized that these advances could endanger the privacy of health information.[1] In the nearly three decades since, privacy concerns have only continued to grow, specifically surrounding private health data connected to technology and digitized healthcare platforms. Under HIPAA, healthcare providers and insurers must safeguard the privacy and security of patients’ personal data.[2] What many Americans do not know is that health data collected by non-covered entities is not afforded protection under HIPAA.[3] Non-covered entities include apps and websites used to monitor fertility, fitness, sleep, mental health, and more.[4] In contrast, as defined in HIPAA, covered entities are health care clearinghouses, health plans, and “health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards”.[5]


Recently, a first-of-its-kind law seeking to protect personal health data beyond HIPAA protections was passed in Washington state. On April 27, 2023, the My Health My Data Act was signed into law by Governor Jay Inslee.[6] The Act will not go into effect until March 31, 2024.[7] The My Health My Data Act was developed in response to an increased need to protect patient data in an ever-digitizing health care landscape. The Act protects patients’ health data stored by non-covered entities from being collected and shared without consent. Under this new law, there are specific requirements for regulated entities: they must now follow requirements regarding how and when they may collect and share an individual’s personal health data.[8] Washington is not the only state passing laws seeking to protect health data, and it most likely won’t be the last. In 2021, Connecticut’s Governor Ned Lamont signed An Act Concerning Data Privacy Breaches into law, which amended Connecticut’s data breach law to provide more protection for patient medical information and data.[9] In July 2023, Nevada also enacted a health data-specific privacy law, Nevada’s Consumer Health Data Privacy Law (SB 370), which is very similar to Washington’s law.[10]


Citizens in Washington State, like many Americans, hold their privacy rights as an “essential element of their personal freedom”.[11] Because information related to one’s personal health is “among the most personal and sensitive” categories of private data, the Washington legislature found it critical to enact broader-sweeping protection for its citizens than HIPAA alone provides.[12] The Act works to “close the gap between consumer knowledge and industry practices” by ensuring stronger protections for individuals’ health data.[13] It does so by: requiring disclosures about the collection, sharing, and use of information, and requiring consent from consumers to use data in these ways; providing consumers the right to have their data deleted; allowing the sale of consumer health data only with valid authorization by the consumer themselves; and making it illegal to use a geofence around facilities that provide health care services.[14] Companies that break the new law’s provisions can face enforcement actions and even penalties of up to $7,500 per violation from the Attorney General of Washington State.[15] The law also permits civil lawsuits from consumers, which makes it one of the few data privacy mandates in the country that allows a private right of action.[16]


Washington’s law provides an incredible number of safeguards for individual health data that companies frequently collect.[17] The types of personal health data collected include information from telehealth platforms, period tracking apps, and users’ geolocation records that may reveal visits to health care facilities, including abortion clinics.[18] After the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization in 2023, which overruled Roe v. Wade and Planned Parenthood v. Casey and returned to individual states the right to regulate abortions,[19] privacy and civil liberties advocates have warned that states limiting abortions could seek to use information from apps, internet searches, and location records to find folks seeking abortions.[20] After a Nebraska woman was charged with two felonies related to an abortion, Meta Platforms Inc. was scrutinized because information about her pregnancy taken from private messages on Meta’s Facebook Messenger was used.[21] The American Civil Liberties Union (ACLU) of Washington has supported the My Health My Data Act, stating that the act is a “critical step toward reducing barriers to abortion and gender-affirming care.”[22]


In response to growing concerns about the impact of Dobbs, in early 2023, the Health and Human Services Department proposed a rule titled HIPAA Privacy Rule To Support Reproductive Health Care Privacy.[23] The proposed change would modify the existing standards that permit use and disclosure of health information. Under the proposed rule, uses and disclosures of health information related to “criminal, civil, or administrative investigations or proceedings against individuals, covered entities, or their business associates” would be prohibited in instances where the reproductive health care being provided is lawful under the circumstances.[24]

Citations:

  1. Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009. 1, Introduction. Available from: https://www.ncbi.nlm.nih.gov/books/NBK9576/
  2. Andrea Vittorio, Washington Shields Abortion Data in First-in-Nation Privacy Law, BLOOMBERG LAW (Apr. 27, 2023, 1:07 PM), https://news.bloomberglaw.com/privacy-and-data-security/washington-shields-abortion-data-in-first-in-nation-privacy-law.
  3. H.R. 1155, 2023 Leg., 68th Sess. (Wash. 2023).
  4. Vittorio, supra note 2.
  5. To Whom Does the Privacy Rule Apply and Whom Will It Affect?, U.S. DEP’T. OF HEALTH AND HUMAN SERV. NATL. INST. OF HEALTH, https://privacyruleandresearch.nih.gov/pr_06.asp#:~:text=Covered%20entities%20are%20defined%20in,which%20HHS%20has%20adopted%20standards. (last visited Oct. 11, 2023).
  6. Protecting Washingtonians’ Personal Health Data and Privacy, WASH. STATE OFFICE OF THE ATTORNEY GENERAL, https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy (last visited Oct. 2, 2023).
  7. Vittorio, supra note 2.
  8. WASH. STATE OFFICE OF THE ATTORNEY GENERAL, supra note 5.
  9. Jill McKeon, How Digital Health Companies Navigate the Patchwork of State Data Privacy Laws, HEALTHITSECURITY (Sept. 28, 2023), https://healthitsecurity.com/features/how-digital-health-companies-navigate-the-patchwork-of-state-data-privacy-laws.
  10. McKeon, supra note 20.
  11. H.R. 1155, supra note 3.
  12. Id.
  13. Id.
  14. Id.
  15. Vittorio, supra note 2.
  16. Id.
  17. Vittorio, supra note 2.
  18. Vittorio, supra note 2.
  19. Dobbs v. Jackson Women’s Health Org., 142 S. Ct. 2228, 2284 (2022).
  20. Vittorio, supra note 2.
  21. Id.
  22. Id.
  23. HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 88 Fed. Reg. 23506 (April 17, 2023).
  24. Id.