How State General Privacy Laws Apply to Healthcare Providers

In January, we wrote about how new comprehensive state consumer data privacy laws, such as the California Consumer Privacy Act ("CCPA"), apply to healthcare providers. At the time five states had enacted such laws: California, Colorado, Connecticut, Utah, and Virginia. Since then, in an unprecedented spate of privacy legislation, the number of states with new general privacy laws covering consumers' (and sometimes employees') "personal information" has more than doubled, now standing at 13 states.[1] This does not even include laws specific to healthcare privacy, such as the Washington State My Health My Data Act.

The following chart offers an update on how these new state privacy laws interact with protected health information (PHI) under HIPAA, covered entities, business associates, and nonprofits.

* Does not include thresholds based on percentage of revenue from sale of personal data and some other applicability details and exceptions.

+++

In general, healthcare providers and PHI continue to be largely exempt from these state privacy laws. The devil, however, is in the details.

If a healthcare provider is a nonprofit, then they will be completely exempt in every state except for Colorado, Delaware, and Oregon. Nonprofits are generally exempt from California's law (CCPA) except if they are under common control as, and share branding with, a for-profit "business" that is subject to the statute.

Every one of these states' privacy laws exempt PHI in some form. Some categorically exempt PHI, such as Connecticut's exemption for "protected health information under HIPAA." For these laws, there is an argument that PHI is exempt even if it is no longer governed by HIPAA. For example, if PHI under HIPAA is disclosed pursuant to an authorization to a third party that is not subject to HIPAA, there is an argument that the information is still PHI under HIPAA (because it meets the HIPAA definition), even if it no longer is protected by HIPAA. A few states (California, Colorado, and Oregon) limit the PHI exemption to PHI that is collected by a "covered entity or business associate" (California), "[PHI] that is collected, stored, and processed by a covered entity or its business associates" (Colorado), or "[PHI] that a covered entity or business associate processes in accordance with … [HIPAA]" (Oregon). In these states, the state privacy laws are more likely to apply to PHI once such information is no longer in the hands of a covered entity or business associate.

Nine of the 13 state privacy laws include exemptions for covered entities and business associates (Connecticut, Florida, Indiana, Montana, Iowa, Tennessee, Texas, Utah, and Virginia). These provisions arguably exempt the entire covered entity and business associate from these new state privacy laws, including with respect to personal information that is not subject to HIPAA. For example, if a hospital has a gift shop, the covered entity exemption arguably extends to information about consumers at the gift shop, even though such consumer information generally falls outside of HIPAA.

Finally, while we did not include them in the chart above, most states also have exemptions for other types of health information, such as substance use disorder records that are subject to 42 C.F.R. Part 2, health information that is subject to the state's medical records privacy law, and information that arises from PHI but has been de-identified in accordance with 45 C.F.R. § 164.514(b) of HIPAA.

Overall, healthcare providers generally can breathe a sigh of relief that they are mostly exempt from these new state privacy laws, but they should still carefully review whether such laws may apply to consumers' personal information that is not PHI.