Your company collects data on the health of Americans. What laws apply in the United States?


Many privacy and data security laws govern the collection and use of health data by the private sector in the United States. These laws vary in scope and substance, but a combination of these would likely apply to your business if, for example, it does any of the following in the country:

  • Diagnoses or treats patients’ health problems;
  • Offers an application intended to promote the health or well-being of consumers;
  • Provides health insurance or assists in processing health insurance claims;
  • Collects information about the health of employees or other workers;
  • Conducts research and receives information on the health of research subjects and respondents; or
  • Provides data processing services to organizations that perform the above functions.

In many situations, companies must obtain express consent to process health data and may be subject to detailed requirements regarding how consent is obtained (such as the information that must be disclosed and the placement and size of the text) and how withdrawals of consent must be handled. But there are also situations where it would be inappropriate or illegal to ask for an individual’s consent to collect or use their health data, such as using the results of a genetic test when deciding whether to promote that person. In still other situations, companies must process health data in certain ways whether or not the data subject consents, such as where the company is subject to mandatory infectious disease reporting obligations or a court-ordered disclosure. In all cases, companies must develop and maintain reasonable and appropriate information security measures designed to protect the security, integrity, availability and confidentiality of the data.

To help illustrate the complex legal landscape that applies to the processing of health data, here are some of the relevant regimes in the United States:

  • HIPAA (Health Insurance Portability and Accountability Act): This federal law applies to health care providers, health plans, and health care clearinghouses (collectively, “covered entities”), and to entities processing protected health information on behalf of covered entities (“business associates”). Simply providing health-related services does not make a business a HIPAA-covered “health care provider.” HIPAA permits covered entities to use and disclose protected health information without consent for several primary purposes, including to treat the data subject, process payments, and perform internal health care operations. HIPAA also permits covered entities to use or disclose data without consent in a number of ancillary situations as long as prescribed conditions are met, such as to respond to law enforcement requests, engage in public health activities, fulfill research purposes or avert a serious threat. Outside these situations, HIPAA requires covered entities to obtain the individual’s permission to use or disclose their protected health information. Covered entities must also post adequate privacy notices and give effect to certain data subject rights. HIPAA establishes breach reporting and data security standards that all covered entities and business associates must adhere to.
  • State Health Privacy Laws: HIPAA expressly allows states to enact stricter health privacy laws. Various states have enacted health privacy laws that apply to particular types of health care data, activities, or participants. An example is California’s Confidentiality of Medical Information Act (CMIA). The CMIA imposes privacy and security requirements on health care providers, among others, and defines health care providers broadly to include certain health care professionals as well as any company that offers software or hardware to a consumer for the purpose of allowing the consumer to manage their medical information or to diagnose, treat or manage a medical condition. The CMIA can therefore apply to operators of health and wellness applications that do not involve services covered by health insurance but that do involve the processing of medical information. In 2020, for example, the California Department of Justice sued the provider of a mobile fertility tracking app under the CMIA for allegedly disclosing user data to third parties without consent and for failing to secure user data. The CMIA generally prohibits health care providers and their contractors from disclosing medical information without the permission of the individual concerned, unless one of the specific exceptions applies, some of which overlap with the exceptions provided by HIPAA.
  • Workplace Privacy Laws: Companies have legitimate interests in collecting and using the health data of their workers, including to keep the workplace safe in accordance with Occupational Safety and Health Administration (OSHA) regulations and to administer health benefits. At the same time, laws such as the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), and other federal laws, as well as state laws such as the CMIA, restrict employers’ collection, use and disclosure of certain types of health data. For example, the ADA prohibits employers from medically examining their employees unless the examinations are job-related and consistent with business necessity, and regulates how employers must maintain employee medical information internally; GINA prohibits employers from discriminating against any employee because of their genetic information; OSHA regulations prescribe detailed retention requirements for employee medical records; and the CMIA generally prohibits employers from using or disclosing employee medical information without the permission of the individual concerned, unless one of several narrow exceptions applies.
  • Laws Regulating Biomedical and Behavioral Research on Human Subjects: The Federal Policy for the Protection of Human Subjects (also known as the “Common Rule”) is a set of ethical standards that 16 federal agencies in the United States have codified as regulatory requirements applying to human subjects research within their jurisdiction, and that many institutions in the United States have voluntarily adopted as mandatory policy. The Common Rule requires researchers to obtain an individual’s prior informed consent before beginning research. For the consent to be valid, the consent form must contain various information regarding the processing of the research subject’s personal information, including the extent to which the confidentiality of the personal data will be maintained, whether the research may include whole genome sequencing, and details of the researcher’s proposed storage, maintenance and secondary research use of the individual’s identifiable private information or identifiable biospecimens.
  • Consumer Privacy Laws: At the federal level, the Federal Trade Commission (FTC) generally has the power to take enforcement action against “unfair and deceptive” practices, a power the FTC recently used against a developer of health-related apps that allegedly disclosed users’ health data to third parties in violation of its privacy policy. At the state level, five states have currently enacted general consumer privacy laws that protect the personal information of their own residents: California, Colorado, Connecticut, Virginia, and Utah. Only California’s law, the California Consumer Privacy Act (CCPA), is currently in effect; the others will go into effect in 2023. These five state laws place special requirements on the handling of health information and other “sensitive” categories of data. In some cases these requirements take the form of opt-in consent, in others of a right for consumers to opt out of certain processing activities involving sensitive data. The federal American Data Privacy and Protection Act (H.R. 8152), if enacted in its current form, would also impose more onerous requirements on the handling of health data and other sensitive categories of data.
  • Breach Notification Laws: Each state in the United States has its own data breach notification law, and many of them list health information as a type of information that triggers breach notification requirements if it has been subject to unauthorized acquisition and certain other conditions are met. Similarly, the federal Cyber Incident Reporting for Critical Infrastructure Act recognizes the healthcare sector as a critical infrastructure sector. Once certain rules implementing this law are enacted, companies operating in the healthcare sector are expected to be required to report covered cyber incidents within 72 hours of reasonably believing that the incident has occurred, and to report ransom payments within 24 hours of making them.

Companies that collect, use and disclose Americans’ health data should therefore carefully consider the privacy and data security laws that apply to them. Given the sensitivity of health data, regulators in the United States are actively monitoring compliance in this space, and class action lawsuits alleging unauthorized processing of health data are common.

The content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as “lawyer advertising” requiring notice in some jurisdictions. Prior results do not guarantee similar results. For more information, please visit: