The digital age brought innovative new ways to monitor personal health, with individuals able to quickly view and record information from both their own observations and professional exams. Fitness trackers, diet apps, and similar aids now make independent health maintenance more efficient and effective than ever before.
But how secure is that digital healthcare data?
Of course, it depends on the company collecting it, but it also depends on individual state laws. Unlike more traditional healthcare records, which fall under the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, the privacy of these new types of information is thus far governed more by states. So along with closely reading user agreements, patients and consumers need to know the local rules regarding this data collection and sharing. After all, your health history potentially affects insurance coverage, employability, and even legal cases.
The following four states enacted more specific laws in 2023 regarding these personal health details. If you live in one of these jurisdictions, it helps to know what is now legally protected (although legislation obviously never provides any guarantee of compliance).
California: Confidentiality of Medical Information Act (CMIA) Update, AB 254
California’s AB 254 amended the existing medical data security law to include reproductive and sexual health app recordings. The law already prohibited entities from “sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided.” AB 254 expanded the definition of medical information to cover fertility trackers and other reproductive health aids.
Nevada: SB 370
Nevada’s 2023 SB 370 contained numerous updates to address modern concerns, but one standout involved definition updates similar to California’s. Privileged “consumer health data” was modernized to include any “personally identifiable information that is linked or reasonably capable of being linked to a consumer and is related to the health of the consumer.” This more clearly safeguarded health data that consumers themselves gathered and recorded, such as that found on health and fitness apps.
Washington: My Health My Data Act (MHMDA), HB 1155
Washington’s MHMDA, or HB 1155, also clarified the protections for “consumer health data.” Again, apps that tracked any bodily functions fell firmly into this category after the passage of this bill. Although the purchase of everyday health products, such as toiletries, still did not meet the definition, any assumptions made using this data were shielded. Washington’s official government website used the example of a retailer that assigned a “pregnancy prediction score,” based on product purchase history, to illustrate information that would constitute consumer health data.
Connecticut: Data Privacy Act (CTDPA) Update
Connecticut’s extensive 2023 CTDPA amendment largely consisted of language clarifications as well, including the protection of “biometric data.” The additional bill specified that information “generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual” fell under the umbrella of secure biometric data.
The amendment also listed in more depth what was not protected, such as “de-identified” data from which any traits that could link the statistics to an individual had been erased.
Why Does It Matter?
As noted, many entities can use private health information to harm individuals. Personal health problems present a potential liability to employers, for example, and seemingly innocuous health trackers could allow businesses to ferret out information they find worrisome. And despite any laws governing hiring practices, businesses can use this information in unpredictable ways.
Technology is a double-edged sword, and although these new apps have the potential to improve health, they also come with risks that users should carefully consider. Knowing privacy laws is one of many steps that can help in deciding what technology to use, and what to avoid.