2023 in Review: The Rise of Healthcare Data Privacy Regulations

By Ian Cohen, CEO, LOKKER

As consumer data privacy evolved, 2023 was the year healthcare came into focus. Many state and federal changes to data privacy legislation went into effect. These new laws and amendments, aimed at strengthening user privacy rights and holding organizations accountable for protecting user data, are significant. The most disruptive of these is Washington’s My Health My Data Act, which went into effect on March 31, 2024.

This law is a game changer for companies, even those outside of healthcare. The law requires companies to get an explicit “opt-in” for HIPAA consent when collecting certain types of data. What types of data are included? Here’s an overview of the law and the types of data included, at least before new interpretations from plaintiffs’ attorneys. So, while the exact data types may not be 100% clear yet, some trackers are clearly out of bounds, and some new controls are clearly needed, so let’s start there.

High-profile legal actions accusing healthcare organizations of privacy violations have unfolded at an alarming rate. This sheds light on the complexities of data privacy laws and organizational accountability. In 2023, many healthcare providers became the target of Meta Pixel-driven lawsuits. The reason is simple: no one wants their health data shared with Meta or any social media company. The risk is magnified because Meta can tie Facebook users’ accounts to their Instagram and WhatsApp accounts.

Yet according to the March 2024 LOKKER Online Data Privacy report, the Meta Pixel remains on 47% of websites, including 33% of healthcare websites. This is despite lawsuits, breaches, fines and FTC warnings to 130 healthcare organizations against the improper use of web trackers that collect sensitive health data. Removing the Meta Pixel or other third-party elements from your sites mitigates this risk. Specific grounds for these lawsuits include:

Improper Data Handling: Allegations are made that the Meta Pixel collects user data without adequate consent or in violation of applicable privacy laws and regulations. In the LOKKER report, 10% of sites analyzed were found to be inadvertently sharing sensitive data with third parties. Sensitive data included things like credit card information or email addresses.

Data Breaches: Claims call out that Meta failed to protect user data, leading to unauthorized access or disclosure of personal information. Beyond Meta, data leaks come from third parties that inadvertently receive data when proper controls are not in place. Organizations need to identify and audit third parties to make sure that they, and the data they collect, are all on the trusted list.

Failure to Comply with Privacy Regulations: Allegations state that the Meta Pixel failed to comply with specific privacy regulations such as the CCPA in the United States. To be fully compliant, most sites need a consent banner. At the same time, the LOKKER report found that consent banners don’t work as expected: 98% of sites with a consent banner allow user data collection before getting user consent. While this used to work under an opt-out protocol, it doesn’t work with health data and the Meta Pixel, and it is definitely insufficient to cover the new laws governing health data.

The above are particularly important for Washington’s My Health My Data Act (MHMDA). The law uses a new broad definition for consumer health data (CHD). The definition reaches further than you may expect, including personal information “linked or reasonably linkable to a consumer and [that] identifies the consumer’s past, present, or future physical or mental health status.” Companies need to audit their sites to determine what pages collect CHD, then make the following changes to those pages:

  1. A new “Consumer Health Privacy Policy” with its own separate link must be available on your homepage. The new regulation states that this policy may not contain additional information that is not required under MHMDA. In other words, alongside your current privacy policy, you likely need a separate “Health Care Privacy Policy.”
  2. Explicit opt-in consent for collection of consumer data is mandated in the law. Prior laws like the CCPA only required opt-out, but now you must provide a means for opt-in before collecting consumer data from health-related content. Also, there is a provision that, unless necessary to provide the service, a “separate and distinct” consent must be collected for sharing data with third parties.
  3. Data Subject Rights (Consumer Rights) are stricter. “Right to know” requires you to provide consumers a list identifying all third parties with whom you share data and an email address which consumers can use to contact your partners. “Right to Delete” does not allow for the typical exception of saving data to respond to legal claims.
  4. You now need a signed authorization for the ‘Sale’ of CHD, which means exchanging CHD for monetary or other valuable consideration. A valid authorization includes 8 data points signed by the consumer and expires after one year. These requirements are so onerous that it is likely most companies will not “sell” their data. This means you must know, and have controls in place for, all third-party code or tags used on your websites.
  5. Geofencing of ‘Health Care Service’ Locations is not permitted. A geofence is a virtual boundary around a physical location. An example might be detecting people within 100 feet of a dental clinic. Also, look closely at your mobile apps and how they handle geolocation.
  6. This law allows a “private right of action” by consumers. It’s different from most other privacy laws, as individual consumers can now sue companies for violating the law. Any company with healthcare content now takes on risk at a whole new level. This means organizations need to carefully track enforcement actions and prepare a response.
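The consent-banner finding above (tags firing before the visitor answers) and item 2 (opt-in collection consent plus a “separate and distinct” consent for sharing with third parties) describe the same control: third-party tags must stay unloaded until the relevant consent exists. The following is an added example, not code from this article or from LOKKER, of a small consent gate that models that control. It defaults to deny, tracks “collect” and “share” consent separately, and keeps an audit trail of which tags actually ran. The tag names and loader callbacks are constructed for the example; in a browser, the loader callback is where the third-party `<script>` element would be inserted.

```javascript
// Added example (not the article's or LOKKER's code): an opt-in consent gate
// for third-party tags. Runs in Node with no DOM so it can be unit tested.

const PURPOSES = ['collect', 'share'];

class ConsentGate {
  constructor() {
    // Opt-in model: every purpose starts denied. An opt-out banner does the
    // opposite: tags fire at page load and a refusal is only recorded later.
    this.consent = { collect: false, share: false };
    this.pending = []; // tags registered before consent was given
    this.loaded = [];  // names of tags that actually ran, in order
  }

  // Register a tag. purpose "collect" = first-party measurement;
  // "share" = sends visitor data to a third party (a social pixel), which
  // needs its own separate consent under the rules described above.
  register(name, purpose, loader) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const tag = { name, purpose, loader };
    if (this.consent[purpose]) this.load(tag);
    else this.pending.push(tag);
  }

  // Record an explicit opt-in and release only the tags for that purpose.
  optIn(purpose) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    this.consent[purpose] = true;
    const ready = this.pending.filter((t) => t.purpose === purpose);
    this.pending = this.pending.filter((t) => t.purpose !== purpose);
    ready.forEach((t) => this.load(t));
  }

  // Withdraw consent; later registrations for this purpose queue again.
  optOut(purpose) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    this.consent[purpose] = false;
  }

  load(tag) {
    tag.loader(); // browser: insert the <script> element here
    this.loaded.push(tag.name);
  }

  // Names of tags still held back; handy when auditing a health-content page.
  pendingNames() {
    return this.pending.map((t) => t.name);
  }
}

// Walk through a page load on a health-related page (constructed scenario)
// and return a snapshot of the audit trail after each consent step.
function demo() {
  const gate = new ConsentGate();
  const calls = []; // what the loader callbacks actually did
  gate.register('first-party-analytics', 'collect', () => calls.push('analytics'));
  gate.register('social-pixel', 'share', () => calls.push('pixel'));

  const beforeConsent = [...gate.loaded];   // nothing ran yet
  gate.optIn('collect');
  const afterCollect = [...gate.loaded];    // only first-party analytics
  const stillPending = gate.pendingNames(); // the pixel is still held back
  gate.optIn('share');                      // the separate sharing consent
  const afterShare = [...gate.loaded];      // now both tags have run

  return { beforeConsent, afterCollect, stillPending, afterShare, calls };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of keeping two consent flags rather than one is that a visitor who accepts first-party measurement has not thereby accepted sharing with a social network; the gate makes that distinction structural rather than a matter of banner wording.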

These are the key new provisions introduced by this law and by a similar law going into effect in Nevada, followed by a similar Connecticut law in July. Making the above changes will go a long way towards compliance, but there are many nuances that will likely be played out in the courts for privacy regulations in 2024. Maintaining ongoing transparency and controls over all of the digital objects on your website is imperative.