As more and more states enact privacy laws, organizations in the health care industry may be wondering what impact these laws will have on them. At this point, there are privacy laws in 12 states, with one more (Delaware) likely to be signed by the governor soon. Those laws are in California, Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. (The new Delaware law is currently pending the governor’s signature.) Not all are in effect. Only the laws in California, Connecticut, Colorado and Virginia are effective. The others will go into effect between December of this year and 2026, as follows:
- December 31, 2023: Utah
- July 1, 2024: Florida, Oregon, and Texas
- October 1, 2024: Montana
- January 1, 2025: Delaware (pending governor signature) and Iowa
- July 1, 2025: Tennessee
- January 1, 2026: Indiana
In addition to the rolling effective dates, the laws do not have universal applicability. They apply only if your organization is doing business in one of these states, and they cover only “consumer” information (except for California, which includes information from employees and employees of third parties). Beyond this, many have a sliding scale of revenue-based applicability: California ($25 million), Florida ($1 billion), Tennessee ($25 million), and Utah ($25 million). For Florida, Tennessee, and Utah, if this revenue threshold is not met, then the law will not apply. California treats the revenue threshold as one of two mechanisms for determining applicability. Florida, additionally, applies only to a narrow set of companies. Finally, the laws (except California) apply only if the company processes information about a certain number of individuals in the state or sells information about a certain threshold number of individuals:
- 175,000: Tennessee
- 100,000: California, Colorado, Indiana, Iowa, Oregon, Utah, and Virginia
- 50,000: Montana
- 35,000: Delaware (pending governor signature)
Texas does not provide a numerical threshold – but “small businesses” are exempt from most of the law’s obligations.
In addition to these thresholds, the laws contain many exemptions. Importantly for those in the health care space, most of these laws exempt entities that are regulated by HIPAA, namely those in Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia. California, Delaware and Oregon do not provide status-based exemptions for covered entities or business associates regulated under HIPAA. Instead, they exempt information that is regulated by HIPAA. The laws will of course still apply to entities collecting “health” information not otherwise regulated by HIPAA. This may include, for example, digital health or life sciences companies. In addition, Colorado, Delaware, and Oregon all apply to non-profits, while the other states exempt them.
Many health care companies are addressing the in-effect California law. The upcoming Delaware and Oregon laws do not significantly differ. Below are some things to keep in mind, whether for these three, or to the extent that the others might apply to your organization:
- Notice: These laws require entities to include specific content in their privacy policies. Most who are already addressing existing comprehensive state privacy law obligations will not need to make many changes. More information about these obligations is discussed in our sister blog.
- Choice: Next, companies covered by these laws will have obligations to provide individuals with a set of rights. Which rights must be provided varies by state, but they usually include access, correction and deletion at a minimum. More information about these obligations is discussed in our sister blog.
- Vendors: Companies who find that these laws apply to them will also want to think about their vendor contracts. Most of the laws require that contracts with entities processing information on your behalf contain certain provisions. These include instructions (and limits) on how data is to be processed and confidentiality requirements. More information about these obligations is discussed in our sister blog.
- Sensitive information: Most of these laws treat health-related information as “sensitive” and are divided between requiring consent before collecting this information (Colorado, Connecticut, Delaware, Florida, Indiana, Montana, Oregon, Tennessee, Texas and Virginia) and providing opt-outs (California, Iowa, and Utah) when collecting and processing the information. More information about sensitive information in the health care space under these laws is in our prior post on the topic.
- Profiling and behavioral targeting: Entities that engage in automated processing of personal information in a way that produces a “legal or similarly significant effect” have obligations under these laws, discussed here. Organizations also need to keep in mind the opt-out requirements for targeted advertising. Targeted advertising and the use of tracking technologies have been top-of-mind for those in the health care space of late (see our post about OCR guidance here and the FTC/OCR warning letter here).
In sum, as those in the health care space look at the increasing number of comprehensive US state privacy laws, many will take comfort from the exceptions and restrictions that exist under these laws. Others should keep these requirements in mind, along with their rolling effective dates. To learn more about these requirements, feel free to sign up for our upcoming August 1 webinar.