
May 13, 2025 38 mins

Omenka Nwachukwu, Principal Consultant, Privacy and Compliance, Clearwater, speaks with Kaitlyn O'Connor, Co-Founder and Partner, Elevare Law, about the growth in state privacy laws covering wide ranges of health data and how digital health companies are being impacted. They discuss the role state legislation is playing in addressing gaps left by federal health care privacy laws, how state privacy laws are going beyond the Health Insurance Portability and Accountability Act (HIPAA) in certain areas, and trends in state regulatory activity. They also discuss how digital health companies can ensure compliance across multiple jurisdictions while maintaining innovation, adapt to a broader definition of health data under state laws, and navigate operational and technical challenges in implementing state-specific privacy requirements. Sponsored by Clearwater

Essential Legal Updates, Now in Audio

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Stay At the Forefront of Health Legal Education

Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 2 (00:04):
Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and

(00:28):
compliance domains, purpose-built software that enables efficient identification and management of cybersecurity and compliance risks, and a tech-enabled 24/7/365 security operations center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.

Speaker 3 (00:53):
Hello everyone. This is Omenka Nwachukwu, principal consultant with Clearwater's Privacy and Compliance Consulting team. Over the past few years, we have seen enormous growth in state privacy laws, which cover wide ranges of health data, mostly outside HIPAA. Laws like the Maryland Online Data Privacy Act create substantial

(01:14):
challenges before health information can be used for virtually any purpose, developing an approach to consumer consent that some have commented is the opposite of what HIPAA requires. Others have stated that the New York Health Information Privacy Act, if enacted, could create a chilling effect on patient access and engagement to digital health services relied

(01:36):
upon by New Yorkers, as digital health companies face hurdles in improving their products and services due to the financial and operational burdens created by the proposed act. It's a challenging time for healthcare legal and compliance professionals, as we are seeing multiple laws impacting the same data, depending on the specific role the data plays in

(01:57):
a particular context. Joining me to help decipher the current state of healthcare data privacy regulations is Kaitlyn O'Connor, co-founder and partner with the firm Elevare Law, where she guides virtual-first, data analytics, medical device, and other emerging healthcare models through complex legal landscapes. It is so amazing to be able to speak

(02:21):
with you, Kaitlyn.

Speaker 4 (02:22):
How are you doing? Thank you. I'm doing well. It's great to be here. I'm excited to dig in.

Speaker 3 (02:27):
Me too. So, let's dive in. Um, first let's talk about state-level legislation. So what role should state-level legislation play in addressing any gaps left by federal healthcare privacy laws?

Speaker 4 (02:41):
Sure. So I, as I was, you know, preparing for this discussion, I was thinking about this a lot. And I think that the biggest gap that state privacy laws can address or can fill is the gap between consumer expectations and the actual legal obligations of the companies that are collecting

(03:01):
and processing sensitive health information. So, a lot of the lawyers listening to this probably know that HIPAA really only applies to covered entities and their business associates, but consumer wellness apps like Apple Watch and Apple Health data, uh, apps and the Oura ring and, um,

(03:23):
fertility tracker apps likely are not covered entities or business associates. And so they're actually not subject to HIPAA, and consumers may not recognize that distinction. And so I think that, you know, the, the, one of the, one of the gaps that state laws, uh, state privacy legislation can fill and is actively filling, is being more transparent and

(03:47):
clear with consumers about how their data is being used, what their rights are in that data, and, you know, who is collecting it and who is accessing it. And, and so I think that's probably the biggest one. I think sort of a, a secondary gap that I think state privacy legislation is also filling is a gap between provider or covered entity ownership of

(04:11):
patients' health data or consumers' health data and consumer individual ownership of a person's health data. Mm-hmm. So the other area where I see my friends and family not fully understanding the distinction between HIPAA and state privacy laws is a lot of people don't realize that your doctor owns your data, your medical record

(04:34):
data. So if your doctor is creating a medical record or collecting blood pressure data about you or collecting other types of health data, your provider owns that. And while you have a right to access it and to get a copy of your medical records, you actually don't own it. And, and whereas under state privacy law, most of the laws that we're seeing

(04:54):
today explicitly state that consumers or individuals own their health information and any other sensitive or identifiable information that, uh, that consumer apps might be collecting about them. So, so, you know, just to sort of round that out, I think the, the two major gaps are the, the gap between consumer expectations and the legal obligations that

(05:17):
companies who are collecting and managing data actually have. And then the second is who actually owns that data? That, and again, that's sort of a consumer expectation, I guess, but, but, um, but yeah, that gap between, you know, who actually owns that data and, and what do users know about who owns that data.

Speaker 3 (05:35):
Amazing. Thank you so much. Um, and when we're talking about gaps, um, between how state privacy laws are, uh, are, we're talking about how state privacy laws are addressing those gaps, do you feel that there are any instances of state privacy laws going beyond HIPAA in certain areas? And if so, um, what does that mean for healthcare data governance and, um, patient rights?

Speaker 4 (05:57):
Yeah, absolutely. I think that, um, there are a bunch of ways in which state privacy laws are going beyond HIPAA in order to fill those gaps we just talked about. The first one is broader applicability to companies that are not necessarily considered covered entities or business associates under HIPAA. Mm-hmm. So again,

(06:19):
companies that are selling fertility tracker mobile apps and Apple Health, uh, the Apple Watch and Apple Health data. Now those companies that aren't subject to HIPAA are subject to these state privacy laws. So we're seeing broader applicability to individuals or companies that are collecting and processing consumers' data.

(06:41):
I think we're also seeing a broader definition of data that is protected. Yes. Um, so, you know, if we think about protected health information, PHI under HIPAA, a lot of times that is thought of as medical record data, conversations about healthcare between a provider and a patient that's collected, you know, during a visit or that happens during a visit. We

(07:03):
don't necessarily think about inferences about that data. We don't necessarily think about browsing behavior on health-related websites, which is something that is explicitly mentioned in some state privacy laws, or location data near a clinic. Now, location data is an identifier under HIPAA. So

(07:24):
technically location data is potentially PHI. But when you're tracking that data through tracking technologies that are tracking a, a user's browsing behavior and where they are when they're looking at a certain website, that's not necessarily something we think about under HIPAA. But that is something that state privacy laws are explicitly

(07:45):
mentioning, which is kind of interesting. Right. They're getting a lot more specific than HIPAA is, and frankly, HIPAA is intentionally broad and we can talk about that in a minute. But, um, they're getting a lot more specific about the types of data that are subject to these state privacy rules. Um, and you know, we did see a year or two ago guidance from OCR about tracking technologies, but

(08:08):
that's not explicitly mentioned in the law. So that is guidance that has come out that has not made its way into the actual statutory or regulatory language that, that we are, that, you know, uh, covered entities and business associates are governed by. So I think HIPAA's moving in that direction, but state privacy laws are already there. Um, a couple of other ways: more rights for consumers. So again,

(08:32):
like we said, under HIPAA, providers own the data that they collect and manage about patients; under state privacy laws, users or consumers own their own data. And as part of that ownership, they often are getting more rights with respect to that data. So, for example, lots of state privacy laws, in fact, maybe all of them, although don't quote me

(08:54):
on that, I'm, someone will hear that and be like, actually, um, mm-hmm. I did not confirm that before this, but many state privacy laws are giving a private right of action to consumers. So if you as an individual are sharing your data with a fertility tracker app and that app has a breach, you may be able to actually sue that, that fertility tracking app. Or if they aren't clear with you

(09:16):
about how they're using their data, using your data, and they use it in a way they didn't tell you about, you might be able to take action. You might be able to recover from them. Whereas under HIPAA, if a provider has a breach, you can't necessarily sue your doctor for that breach. Right. That's in the government's hands to address. So that's a really big one, that private right of action. And I think that goes back to what you were mentioning earlier, Omenka, about

(09:38):
some of the, you know, challenges and some of the fear around how broad these state privacy laws are is, you know, there's a lot more risk for companies that are managing that data. And I think that's intentional. I think that's what the state governments want, right? They want mobile apps to be a little bit scared about the penalties that they might be subject to if they have a breach or if they don't

(10:00):
comply with the law. Um, but I think for, for consumers, that also gives us a lot more confidence in the apps that we're using and where we're putting our data and what's being done with it. Because we know that we will potentially, hopefully be able to recover if someone that we are trusting does something wrong with that data. Um, so that's a big one.

(10:22):
Um, rights to delete data. So you can reach out to a mobile app and you can say, delete all of my records. And they have to do that. There are stricter consent and use limitations. For example, the Maryland Privacy Act prohibits geofencing within 1,750 feet of any mental health facility or

(10:42):
reproductive or sexual health facility to identify, track or collect data from or send notifications to consumers regarding their health data. So you can probably tell I read that from notes that I have in front of me 'cause it's really, really specific, and those very specific. Yeah. And those strict and really specific rules are a major trend in

(11:04):
these state privacy laws where, like we said, HIPAA's intentionally broad to, to avoid over-prescription, to avoid having to change HIPAA all of the time. State privacy laws are not doing that. They are very, very strict and they are very specific about the types of behaviors that they prohibit. So that's kind of an interesting one, right? That's a gap that HIPAA doesn't fill.

(11:25):
That state privacy laws are kind of coming in and filling. Um, and then I'll just mention two more. I know this is a lot. There are, you know, we could probably talk about this specific question, this for a long time. This, um, but two other ways that I think, uh, state privacy laws are sort of filling gaps that HIPAA doesn't fill are with a focus on transparency. So we know, again, you can request a copy

(11:46):
of your medical records from your doctor, but what HIPAA doesn't say is what has to be in your privacy policy. There's a notice of privacy practices, but that's not always applicable to business associates. So if your doctor has a business associate that is doing something with data, the notice of privacy practices might say, Hey, we can share your data with third parties for operational purposes or

(12:08):
treatment purposes. But under state privacy laws, the rules say that controllers have to provide clear privacy notices detailing the categories of personal data that they're processing, the purposes for processing. So not just this is an operational thing, but actually, hey, we're sharing your data with this third party, or we're processing your data to, um, you know, uh, to, to analyze it and provide

(12:33):
you recommendations for supplementation, supplements you should take, or things like that. Being more specific about why you're processing that data and being explicit with consumers about how they can exercise their rights. So again, a lot of that ends up in a notice of privacy practices, which is required under HIPAA, but it's not as specific and it's not as explicit and it's not required by business

(12:56):
associates who are using and processing your data that they get from healthcare providers. And then lastly, specific nods to new technology like AI. For example, that Maryland law that we mentioned before and that you mentioned in the intro specifically mentions mental health chatbots and specifically says, if you have a mental, child mental health chatbot, we're looking at you,

(13:16):
we're paying attention to you. All of the rules that we say in this law specifically apply to you and you have to therefore comply with them. So, so that's kinda interesting one too, where if you listeners out there are familiar with the proposed revisions to the HIPAA Security Rule, you might know that there are explicit

(13:37):
mentions to new technology in that rule. There's some, there's some discussion about AI, there's some discussion about extended reality like VR and AR, but none of those have made it to the actual text of the rule, to the statute or the regulations. And there's not really a defined timeline as far as how soon they will be, if at all. So while HIPAA is

(14:00):
sort of slowly making its way in that direction, state privacy laws are already doing it; they're already saying, we know that you AI companies exist. We know that the fertility trackers exist and have this data, and we're paying attention and you are the ones that we are talking to in these rules that, that we're drafting. So that was a lot. Um, I'm sure there are more, but I think, you know, suffice

(14:21):
it to say there are a lot of gaps in HIPAA that state privacy laws are filling. And again, that just goes back to the operational difficulty where digital health companies are seeing this, this level of specificity and saying, we've never had to deal with this before. How do we, how do we manage it?

Speaker 3 (14:39):
Exactly. Wow. That was amazing, Kaitlyn, thank you so much. Um, and it really sounds like, um, state regulators, uh, or state privacy laws, excuse me, are going beyond HIPAA, um, in a more prescriptive way and in a faster way, potentially a more efficient way. Um, but we'll, we'll look at, we'll see how that pans out, um, as time goes on. So as we're comparing state privacy laws versus the

(15:03):
HIPAA statute, um, I wanna ask you one question. How are state regulators enforcing healthcare data privacy laws differently, and what trends are we seeing in penalties or audits? You kind of started on this path with talking about, uh, uh, individuals' right of action, which they don't have under HIPAA.

Speaker 4 (15:22):
Yeah, I think that the, the, the primary way that their, that states are approaching enforcement is they're being way more proactive about auditing and enforcement. So under HIPAA, most of the time, an audit or an investigation by OCR, who enforces HIPAA, is going to be a response to a breach that a provider or a business

(15:44):
associate proactively reported to OCR. So they're getting reports all the time and they're saying, this is a big breach, or this is a pattern, let's go look at this more closely. State governments are not waiting for those reports. They're actively going out to the companies that they know are subject to rule, to the rules that they've set forth. And they're saying, let me see your documentation. Let me see

(16:06):
how you're using this data, and let me make sure that your privacy policy, for example, is explicit about that and is transparent enough about that. And just to give you another example of this, right? In 2023, California, the Attorney General in California, which CCPA kind of set the stage for state privacy laws, California was the first state to do it.

(16:26):
They were really specific about it. And a bunch of other states have followed suit. So in 2023, the California AG targeted specific mobile apps that were collecting reproductive health data. Mm-hmm. And when they, after they did their investigation, they issued fines for failure to honor opt-outs, improper disclosures, and misleading privacy notices.

(16:48):
So they went out and they said, your privacy notice is not as explicit as it needs to be. It's not as transparent as it needs to be. It looks like you're doing something else with this data that you haven't told your users about. And so we're gonna fine you for that. And not to say that doesn't happen under HIPAA. Right? But again, I think it's just more proactive by the state AG to look, you know, to look around at companies' websites or

(17:11):
download mobile apps and look at the privacy notice and say, Hey, I think this is something we should look more closely at. So I think that's the biggest one, how they're, you know, the biggest way that they're, they're approaching enforcement a little bit differently than OCR or other federal agencies that might be looking at this.

Speaker 3 (17:26):
That definitely makes sense. It's like they're saying, we're gonna come find you instead of waiting for you to find us.

Speaker 4 (17:31):
Yeah. It's more similar to how the FTC is operating, right? The FTC does this, OCR doesn't necessarily, so, so it's sort of, I think the AG is sort of blending that OCR role and the FTC role to say, these are the things you have to do and also this is how we're gonna enforce it, and this is what, what you have to say about it.

Speaker 3 (17:50):
Nice. Thank you so much. Um, now I'm really excited to go into this next part of our conversation. Let's see how digital health companies, which I know is your area of expertise, let's see how they fit into this equation. So our first question in this section, um, with a growing patchwork of state privacy laws, how can digital health companies ensure that they are complying across

(18:14):
multiple jurisdictions while maintaining innovation? How's that gonna work?

Speaker 4 (18:19):
Yeah, so this is a big one. This is something I talk to my clients about all the time. I will say it tends to be an ongoing conversation, right? I'll respond to this as quickly as I can here, but there, I'm getting questions about this all the time. We're getting on calls sometimes weekly as these new laws are coming out. But I think some of

(18:39):
the key themes in the way that I try to advise my clients is, first and foremost, keep your terms of use and privacy policy as broad as possible. Now, we just talked a lot about specificity and transparency and specific things that have to be disclosed in your privacy policy. And I'm not saying

(18:59):
don't do that. Mm-hmm. But what I am saying is get creative and be as broad as possible so that as your technology changes, as the things you're doing change, you don't have to go in and revise your documentation every single time. A lot of times in your terms of use or your privacy policy, you're also committing to notifying your users anytime

(19:23):
you change the terms of that terms of use and privacy policy. And in fact, sometimes you're legally required to notify users anytime you make a change. And so you wanna avoid making changes too frequently because that can confuse your users, that can lead to missed details, that can, you know, put you in a box where you are spending a lot more time

(19:45):
updating those policies than you really want to or really need to. And sometimes that can put you at more risk. Sometimes that gives your competitors more insight into how you're managing compliance with all of these very specific laws, right? If you're too specific, you might have a competitor say, oh, we didn't know you could do it that way, but it looks like this company does it, let's do that. You don't

(20:06):
always have to be that specific. So, so I would say, you know, keep your terms of use and privacy policy and your notice of privacy practices, whatever it may be, as broad as possible while still maintaining compliance. And then I would also say, you know, build efficient workflows, and this is broad and it seems kind of straightforward, but the, but the biggest challenge that I

(20:27):
see with my digital health companies is complying with consumer requests in an efficient way, because under HIPAA, individual patients don't have as many individual rights as consumers do under state privacy laws. Digital health companies that have been focused on HIPAA for a long time aren't used to having to delete patient records in

(20:49):
response to their requests and confirming to, I'm sorry, consumer, I don't wanna say patient when we're not talking about HIPAA, um, they're, they're not used to having to managing individual requests for data deletion and having to comply with that. If you're a business associate, which many digital health companies are, they're often agreeing in the BAA to notify the covered entity if they get that request. And then the covered entity directs them on how to

(21:12):
deal, how to manage it, or the covered entity responds to it themselves. Whereas here, under state privacy laws, digital health companies might be getting those requests specifically directly from individuals and having to reply to it to the individual directly. So that's one way where you really wanna think about what does your workflow look like? What happens when a patient makes this request, or when a user makes this request, who's getting that request?

(21:34):
What are they doing? How quickly are they doing it? Is your data segmented and organized well enough that you can quickly find that individual's information and delete it? Or are you gonna have to sort of search through all of your different databases and figure out what data belongs to this person? Um, and so things like, you know,

(21:55):
tagging can be helpful for that. Tagging the data appropriately can be helpful for that. So, so building those efficient workflows I think are going to be really helpful for maintaining compliance. And, um, it, it can be a new way to approach this, but I think that it's, you know, it's helpful and I think it's important. And, you know, in some cases you can use AI, you can use

(22:17):
mm-hmm, the technology that you've built to make it easy, build it into your model and, and make that process easier for you on the backend. Um, and then lastly, just again, you know, it's important to reiterate that business associates and covered entities, even though we're talking a lot about the gaps in HIPAA, that state privacy rules

(22:37):
are, uh, are filling, I think it's important to also just reiterate that business associates and covered entities are not always exempted from compliance with state law. So state laws might say, if you're subject to HIPAA, you know, comply with HIPAA, and then here are a couple of other things you have to do. We acknowledge that you're already subject to HIPAA, and so we'll sort of defer to you on that.

(23:00):
But it doesn't mean you can ignore the state privacy rules because again, these state privacy rules are so much more specific and strict that there are likely going to be additional things that you have to do that HIPAA, what you're doing under HIPAA may not be sufficient. So I think that the key there is understand where the overlap is, understand where the differences are and what applies to you, and then

(23:24):
implement a comprehensive strategy that incorporates both HIPAA and applicable state law. And, you know, you might wanna also think about the FTC's rules about privacy policy. So taking the federal landscape and the state landscape and having a comprehensive strategy for maintaining compliance on an ongoing basis, working with a lawyer that is tracking updates and can keep you informed or,

(23:46):
you know, even subscribing to some of the news outlets out there that are tracking these things. So, so yeah, I think again, it's keep your documents as broad as possible, build efficient workflows, and then just build a comprehensive strategy and remember that there may be overlaps, but there may also be distinctions and additional things you have to do even if you are subject to HIPAA.

Speaker 3 (24:08):
Wow, that's excellent advice. Thank you so much. Um, so Kaitlyn, what would happen if a digital health company was a business associate and thus subject to HIPAA with duties to a covered entity, and they were also subject to a state privacy law with data deletion rights? How

(24:28):
would they respond if a user, um, came to them and said, Hey, I want you to delete my data, data that might be covered by a business associate agreement and that the covered entity may need to hold onto?

Speaker 4 (24:39):
Yeah, so that's a really good question. My clients ask me that question all of the time. What usually ends up happening is the digital health company will notify the covered entity that they got this request. The, they will send a copy of the data to the covered entity because the covered entity under state law is going to be required to

(25:00):
maintain records for, you know, anywhere from like three to seven years. So that is an, that is actually an important rub between state privacy law and HIPAA. Where HIPAA's going to say, I'm sorry, excuse me, state privacy, state consumer privacy law and state medical record law, it's not a HIPAA, it's not a HIPAA requirement. The state medical record law might say, is likely gonna say

(25:24):
the provider has to maintain a copy of a patient's medical records for an extended period of time, where the sa, where, you know, a different state law might say, digital health company, if an individual requests that you delete their records, you have to do that. So what the digital health company can do is they can take the request, they, they notify the covered entity, I'm

(25:44):
assuming they're a business associate, they notify the covered entity that they got the request. They say, Hey, under state law we have to do this, but we wanna make sure you have a copy of it so that you can maintain a copy of it within your statutory requirements. Now, in some cases, the digital health company could say, we actually

(26:04):
can't delete your data because we have a relationship with your healthcare provider who is legally obligated to maintain this record. And our job under our contract with the provider is to maintain these records for them to comply with their state obligation. And usually the state privacy law will allow for that, right? The state privacy law will say, if this is actually medical record data under HIPAA or under the

(26:29):
state medical record law, then you can maintain it for that. It's basically like a user, an individual can request that you delete their data unless a legal obligation applies. And in that case, there would be a legal obligation for the provider to maintain that copy. So it ends up being, you know, between the business associate and the covered entity who's actually responsible for

(26:51):
complying with that law: is that the business associate has agreed to maintain the records for the provider, or the business associate has agreed to return the data to the covered entity so they have it, but delete the data from their own servers so that they don't have a copy of it themselves. Does that make sense?

Speaker 3 (27:09):
Yes, that's perfect. Thank you so much for answering that question. Just thinking about that definition of healthcare data, um, as we talked about earlier, so many state laws are going beyond HIPAA. So how are digital health companies adapting to that broader definition that you so excellently explained earlier on, how are they adapting to that broader definition of health data under these state laws?

Speaker 4 (27:31):
Yeah, I think it just goes back to sort of, well, two things. One, what I advise my clients is let's look at the, the strictest rules that are going to apply to you and just build your practices around that. Right? That's good. So as we've said, state privacy laws are in a lot of ways stricter than, than HIPAA.

(27:51):
That might mean if you know that you are subject to CCPA and HIPAA, maybe we look at CCPA and we build your operations and your practices around CCPA, we make sure that it's also compliant with HIPAA. But you can usually rest assured that if you're complying with CCPA, you're complying with HIPAA because it's already stricter. So I usually say, number one, let's

(28:15):
figure out what the strictest rules are that are going to apply to you and build around that. Because then you're not having to build out different practices in every state or different practices for patients that might be subject to HIPAA and different practices for patients that might not be. You've got sort of that comprehensive strategy that already takes into account the strictest rules and, um,

(28:35):
you're sort of acting around that. And that does two things, right? It makes it more efficient to comply because you don't have to have different practices. But I think it also mitigates your risk in the places where the rules aren't as strict, right? If you are complying with CCPA, which is stricter than HIPAA, like I said, it's unlikely that you're gonna have a HIPAA violation because you're already

(28:56):
complying with the stricter rules. So it mitigates your risk at the same time as making your processes and your compliance practices a little bit more efficient. And then the second one is sort of maybe a, a, a subset of that, which is data segmentation and organization. Keep your data organized, keep it segmented so that, you know, when someone

(29:19):
asks you to delete their data or when someone asks you for, uh, to, to tell them who you shared their data with, you can do that quickly. And you're not confused. You don't miss things because what you don't want to happen is you respond to an individual request. That individual goes, whoa, this isn't what I expected. They report you to the AG's office, the AG says we're gonna do an investigation, and then the

(29:42):
state AG's office finds things that you missed, that maybe you didn't give them all the information you were supposed to, or maybe your privacy policy doesn't say that you were doing this thing with the user's data that you were actually doing. So, so, you know, building that compliance into your data practices, keeping things organized,

(30:02):
segmenting appropriately, making sure you know where everything is, back up your data so that if you have a breach, you have a copy of it or maybe a couple copies of it. Um, so, so you know, just staying organized around what you're doing with data, how you're using it, and making sure again, that you are building those efficient workflows around that.

Speaker 3 (30:23):
Thank you. That's really helpful. Um, so this is a lot to take into consideration and it's definitely a great idea to find someone, if it's possible, that can walk you through it. Um, so with all this that we've discussed, um, what are some challenges, some operational or technical challenges that digital health

(30:43):
companies might face when they're trying to implement these state specific privacy requirements? Um, we've talked about that data deletion, right? That state privacy laws implement. Another challenge could be opt out mechanisms. What have you seen? What are some challenges? How can we deal with them?
What are some challenges? Howcan we deal with them?

Speaker 4 (31:01):
Yeah, so I hate to just like repeat what I just said, but I think the biggest challenge I see is building those workflows around it. So opt out is a great one that we haven't really talked about a lot yet. A lot of state laws require much more proactive opt out mechanisms to allow consumers to opt out of specific uses of their data. So, you know, under HIPAA, where covered entities

(31:24):
can get away with a business associate agreement and not have to get specific authorization from patients to share data with a business associate for treatment purposes or operational purposes, the same is not true under state law. Under state law, a lot of times you have to give specific opt-out rights to consumers to give them the

(31:46):
ability to say, no, you can't do any of these things with my data. The only thing you can do with my data is analyze it in a way that the mobile app is giving me output, right? So the only thing you can do with my fertility data is let me see in my tracker what my status is. You can't de-identify this for your own purposes. You can't take it

(32:10):
and go train an AI algorithm with it. You can't use it to track my browsing behavior and give me targeted ads. And that is something, again, HIPAA does say, you know, patients have to provide authorization for marketing purposes to allow their data to be used for marketing purposes, but it doesn't go so far as all of

(32:31):
those other things. Again, the OCR guidance on tracking technologies does require authorization to use tracking technologies for marketing purposes, but the state laws are just broader. And so the biggest challenge is one, I guess actually understanding what those differences are, understanding how it's broader, and then turning that into workflows that are still efficient. What does our

(32:52):
opt-out language have to say? Can it just be a check box? Does it have to be separate or independent of the terms of use that we give them? And in a lot of cases it does, more similar to like TCPA for those out there listening who are familiar with the TCPA consent. State privacy laws are more similar to that, where you have to give an independent checkbox or an independent consent that

(33:15):
is not sort of muddied by other terms of use or other things that are relevant to the patient or how they're using the app. It has to be independent. It has to specifically mention everything you're doing, and you have to give the patient, sometimes the user, the opportunity to opt out of specific individual uses. And you have to be able

(33:35):
to do that on the backend, and operationally that can be challenging. 'Cause again, if your data's not segmented, if it's not organized, it's gonna be hard to say, okay, this particular user says we can't do this with their data. How do we make sure that their data doesn't get into this AI model that we're training? Or how do we make sure that these tracking technologies are actually

(33:56):
turned off for this user? Um, so I think those are the challenges, right? And again, it just goes back to addressing those challenges by developing a comprehensive strategy, being broad, but still complying with the applicable rules and just sort of staying on top of it, making sure you know what those changes are and how you're gonna address them when they come up.

Speaker 3 (34:16):
Wow, those are great considerations. Thank you so much. All right. So I know we've been able to glean so much knowledge from you. I just have one more question before we go. Um, so looking ahead, what types of trends or potential legislation should all of us healthcare professionals and tech companies be watching out for?

Speaker 4 (34:36):
Yeah, I love this question. Um, this is what I spend most of my days doing is like, what's coming next? What do my clients need to know to anticipate, you know, what's gonna be happening next month or in six months? The biggest one, and we've kind of talked about this a little bit already, but the biggest one is AI specific rules. Almost every state privacy law that is coming out now is explicitly

(34:58):
mentioning AI in some way. And almost every digital health company that I talk to is trying to figure out how to leverage AI in some way. And so paying attention to those specific rules like the Maryland statute that talks about mental health chatbots, paying attention to what do you

(35:20):
have to say in your privacy policy about AI, the type of AI you're using, and what it does and how it works. What do you have to do to the model that you're building to make sure that it is ethical and accurate and, um, not discriminating on certain users. All of these things are being explicitly addressed in state law in a way that they're

(35:43):
not in federal law. And some of that's not, you know, explicitly related to privacy, but I think it's still relevant in the sense that there's just a lot more for you to keep track of and to comply with. If you're in the AI space, which again, most digital health companies are in some way, whether you're leveraging an existing ChatGPT model or building your own generative model, or just building an

(36:05):
algorithm-based, you know, platform or function, there is likely going to be state law that applies specifically to you. So keep an eye out for those AI specific rules, track them as they're changing. There are, um, some policy working groups that are also working on federal policy around this, but it hasn't really made it there

(36:25):
yet. So the state laws are really where we're seeing more specific mention of AI. And then the second one, we've already mentioned it, and I'll just briefly mention it again, is proposed changes to the HIPAA security rule. A lot of what we talked about are gaps between existing HIPAA laws and state privacy laws. There is a proposed rule right now to add a bunch of that

(36:47):
stuff to HIPAA to make the security rule more specific, to explicitly address evolving technology. And so, you know, paying attention to what those changes may look like is gonna be important for the companies that, you know, we as lawyers are advising, or if you're a digital health company, it's going to be important to understand what those changes may be. Um, and the last thing

(37:09):
I'll say again is like, we don't know what the timeline is on that. That could be six months, that could be tomorrow, it could be next year. We don't know. So no guarantee that you're gonna have to make a change tomorrow, but it's important to know that it's out there and that if it does get finalized, you need to know what you need to do to comply with it.

Speaker 3 (37:27):
That's right. That's right. Well, thank you so much. We'll definitely be looking ahead to those changes in the future. And that wraps up our conversation today about state privacy laws and their impact on digital health innovation. Kaitlyn, thank you so much for the excellent insights you shared. I really have enjoyed this conversation. And thanks to our audience as well for listening. We hope you found

(37:50):
this episode helpful in advancing your thinking about how to respond to the evolving regulatory landscape. Have a great rest of your day.

Speaker 2 (38:03):
Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.