With 2023 underway, healthcare providers must navigate a more complex patchwork of privacy laws than ever before. Five states have enacted general privacy laws: California, Colorado, Connecticut, Utah, and Virginia. These laws include varying exemptions for protected health information (PHI), HIPAA de-identified information, healthcare providers, HIPAA covered entities, HIPAA business associates, and non-profits.
While all of the laws exempt PHI, healthcare providers may have obligations under these laws with respect to other personal information, such as employee information or website data.
To help healthcare providers navigate these laws, we have put together the following table:
* For purposes of the applicability threshold, we are assuming that healthcare providers do not derive 25% or more of their annual revenues from selling or sharing consumers' personal information.
Takeaways
Some takeaways based on the above:
- Healthcare providers that are HIPAA covered entities appear to be completely exempt from the Connecticut, Utah, and Virginia general privacy laws.
- For-profit healthcare providers should evaluate whether they meet CCPA's applicability threshold and, if so, should comply with the CCPA with respect to: (1) personal information collected from their websites that is not PHI; and (2) employee information.
- Nonprofit healthcare providers should evaluate whether they share common branding with a for-profit affiliate that meets CCPA's applicability threshold and, if so, should comply with the CCPA with respect to: (1) personal information collected from their websites that is not PHI; and (2) employee information.
- Healthcare providers (regardless of tax exemption status) should: (1) evaluate whether they meet the Colorado law's applicability threshold and, if so, comply with the Colorado Privacy Act with respect to personal information collected from their websites that is not PHI; and (2) evaluate whether they sell or license HIPAA de-identified information and, if so, whether they must comply with CCPA's contractual restrictions with respect to such data.
If you would like assistance with determining applicability of state privacy laws or complying with such laws, you may contact the author or the DWT attorney with whom you work.