Since the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and subsequent laws enacted by multiple states to criminalize abortions under many circumstances, protection of patient privacy has become an area of great concern. As a result of the increased attention paid to abortion and reproductive services, states that do not restrict access to abortion and abortion-related services are enacting laws to protect patient privacy and better ensure that individuals seeking these services will not be subject to data collection and tracking in connection with seeking out these services. Trends in state privacy laws include prohibitions on geofencing, limitations on the collection and sale of data, limitations on who can access data, and protections from out-of-state law enforcement investigations.
Geofencing involves setting up a virtual perimeter around a specific real-world zone or location. In healthcare, geofencing is used in advertising to create a digital “fence” around a particular location and deliver location-based ads to healthcare providers or other individuals who enter the area based on their location data. Several states have enacted laws that prohibit the establishment of geofences around healthcare facilities. Washington, which became the first state to enact a comprehensive consumer health information privacy law in the United States when it enacted the My Health, My Data Act, has the broadest state-level protections related to health data. The Washington law prohibits companies that do business in Washington or provide services that target Washington residents from implementing a geofence around an entity that provides in-person healthcare services where the geofence is used to track or target visitors at healthcare facilities, collect health data from consumers, or send advertisements to consumers relating to their health data or healthcare services. New York and Connecticut have implemented laws which have similar prohibitions on geofencing, and Nevada’s geofencing law is set to take effect on March 31, 2024.
Limitations on collecting and selling data
Additional methods to safeguard consumer health data include imposing limitations on collecting, using, and selling data. Nevada’s SB 370, effective March 31, 2024, imposes new requirements pertaining to the collection, use, and sale of consumer health data on “regulated entities.” Regulated entities include any person who conducts business in Nevada or produces or provides products or services targeted to Nevada consumers, and who determines the purpose and means of processing, sharing, or selling consumer health data. The law requires regulated entities to refrain from collecting and sharing consumer health data, except with the voluntary consent of the consumer or to the extent necessary to provide a product or service the consumer requested. Similarly, Connecticut enacted a data privacy law, effective July 1, 2023, which prohibits the sale of consumer health data without the consumer’s prior consent. These safeguards recognize the need for keeping consumer health data private to ensure consumer safety.
Access to data
To further protect patient privacy, states are also limiting access to health data through provisions in newly enacted privacy laws. For example, in California, AB 352 amended the Confidentiality of Medical Information Act (CMIA) to limit user access privileges to information systems that contain medical information relating to gender-affirming care, abortion and abortion-related services, and contraception to only those people who are authorized to access specified medical information. Similarly, Nevada’s SB 370 requires that regulated entities ensure that only employees with a “need to know” have access to health data.
Protections from out-of-state law enforcement
Several states have established limitations that protect individuals from investigations and inquiries conducted by out-of-state law enforcement agencies with regard to abortion-related services. California amended the CMIA to prohibit healthcare providers, service plans, contractors, and employers from cooperating with any inquiries or investigations from agencies of another state, or otherwise disclosing medical information, that would identify individuals when such inquiries or investigations are related to abortion or abortion-related services that are legal in California.
Illinois HB 4664, signed into law on January 13, 2023, protects patients and providers in Illinois from legal action under surrounding state laws that prohibit access to reproductive healthcare, including abortions and abortion-related services. Illinois is situated among midwestern states that have made certain abortions and abortion-related services illegal and has therefore become a safe haven for those seeking care. The legislation shields patients and providers from both civil and criminal discovery from out-of-state law enforcement agencies.
It is likely that more states will enact laws that aim to protect consumer and patient privacy. Entities that collect consumer health data should continue to monitor state legislative efforts to protect consumer health information and evaluate and revise their policies to comply with newly enacted state laws.
Nixon Peabody will continue to monitor the nationwide privacy landscape as more states introduce privacy laws in the absence of federal legislation.