In January, we wrote about how new comprehensive state consumer data privacy laws, such as the California Consumer Privacy Act ("CCPA"), apply to healthcare providers. At that time, five states had enacted such laws: California, Colorado, Connecticut, Utah, and Virginia. Since then, in an unprecedented spate of privacy legislation, the number of states with new general privacy laws covering consumers' (and sometimes employees') "personal information" has more than doubled, now standing at 13 states.[1] This count does not include laws specific to health privacy, such as the Washington State My Health My Data Act.

The following chart offers an update on how these new state privacy laws interact with protected health information (PHI) under HIPAA, covered entities, business associates, and nonprofits.

| State | Threshold* | PHI Exempt | CE/BA Exempt | Nonprofits Exempt | Effective Date |
|---|---|---|---|---|---|
| California | $25MM or 100,000 CA residents | Yes (in hands of CE/BA) | No | Generally yes | Jan. 1, 2020 (CCPA); Jan. 1, 2023 (CPRA) |
| Colorado | 100,000 CO residents | Yes (in hands of CE/BA) | No | No | July 1, 2023 |
| Connecticut | 100,000 CT residents | Yes | Yes | Yes | July 1, 2023 |
| Delaware | 35,000 DE residents | Yes | No | No | Jan. 1, 2025 |
| Florida | $1B and certain smart home speakers or app stores | Yes | Yes | Yes | July 1, 2024 |
| Indiana | 100,000 IN residents | Yes | Yes | Yes | Jan. 1, 2026 |
| Iowa | 100,000 IA residents | Yes | Yes | Yes | Jan. 1, 2025 |
| Montana | 50,000 MT residents | Yes | Yes | Yes | Oct. 1, 2024 |
| Oregon | 100,000 OR residents | Yes (processed by CE/BA) | No | No | July 1, 2024 |
| Tennessee | $25MM and 175,000 TN residents | Yes | Yes | Yes | July 1, 2025 |
| Texas | Processes or engages in sale of personal data and is not an SBA small business | Yes | Yes | Yes | July 1, 2024 |
| Utah | $25MM and 100,000 UT residents | Yes | Yes | Yes | Dec. 31, 2023 |
| Virginia | 100,000 VA residents | Yes | Yes | Yes | Jan. 1, 2023 |

* Thresholds are simplified: the table omits thresholds based on the percentage of revenue derived from the sale of personal data, as well as some other applicability details and exceptions. "CE/BA" means a HIPAA covered entity or business associate.


In general, healthcare providers and PHI continue to be largely exempt from these state privacy laws. The devil, however, is in the details.

If a healthcare provider is a nonprofit, it will be completely exempt in every state except Colorado, Delaware, and Oregon. Nonprofits are generally exempt from California's law (CCPA), unless the nonprofit is under common control with, and shares common branding with, a for-profit "business" that is subject to the statute.

Every one of these states' privacy laws exempts PHI in some form. Some categorically exempt PHI, such as Connecticut's exemption for "protected health information under HIPAA." Under these laws, there is an argument that PHI remains exempt even once it is no longer governed by HIPAA. For example, if PHI is disclosed pursuant to an authorization to a third party that is not subject to HIPAA, there is an argument that the information is still PHI under HIPAA (because it meets the HIPAA definition), even though HIPAA no longer protects it in the third party's hands. A few states (California, Colorado, and Oregon) limit the PHI exemption to PHI that is collected by a "covered entity or business associate" (California), "[PHI] that is collected, stored, and processed by a covered entity or its business associates" (Colorado), or "[PHI] that a covered entity or business associate processes in accordance with … [HIPAA]" (Oregon). In these three states, the state privacy law is more likely to apply to PHI once the information is no longer in the hands of a covered entity or business associate.

Nine of the 13 state privacy laws include exemptions for covered entities and business associates themselves (Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia). These provisions arguably exempt the entire covered entity or business associate from the state privacy law, including with respect to personal information that is not subject to HIPAA. For example, if a hospital operates a gift shop, the covered entity exemption arguably extends to information about the gift shop's customers, even though such consumer information generally falls outside HIPAA.

Finally, although they are not reflected in the chart above, most of these states also exempt other types of health information, such as substance use disorder records subject to 42 C.F.R. Part 2, health information subject to the state's own medical records privacy law, and information derived from PHI that has been de-identified in accordance with HIPAA's de-identification standard at 45 C.F.R. § 164.514(b).

Overall, healthcare providers can generally breathe a sigh of relief that they are mostly exempt from these new state privacy laws, but they should still carefully review whether a given state's law may apply to personal information they hold about consumers that is not PHI.


[1] The eight new states are Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, and Delaware.