When healthcare and consumer data rules collide: Compliance with the latest generation of data privacy laws

Alex Dworkowitz and Randi Seigel are both Partners in the New York City office, and Brandon Reilly is a Partner in the Costa Mesa, California, office of Manatt, Phelps & Phillips LLP.

We live in a digital world that has continued to grow during the COVID-19 pandemic, when individuals were forced online to work, socialize, and receive healthcare and wellness services. Individuals generate tremendous amounts of personal health data as they share their information through, among other channels, browsing health-related websites, using proprietary applications (apps) and portals, and sharing on social media platforms. Many individuals appreciate the ease of sharing data, accessing the information, and receiving treatment and health-related services in the comfort of their home; it is, thus, no surprise that this has driven healthcare providers and plans to increasingly advance their digital footprint.

In the past few years, health providers and plans have been partnering with telemonitoring providers and traditionally consumer-facing digital health apps to create richer data sets from which to mine data to improve their offerings and patient or member experience, turning many consumer-facing apps into business associates. As a result, consumer or personal information (PI) data, which historically was subject to limited regulation, now may also become subject to the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively referred to as HIPAA). In some cases, PI data also may be subject to the emerging generation of consumer privacy and protection laws, such as the currently in-effect California Consumer Privacy Act (CCPA) or similar laws coming in 2023 such as the Virginia Consumer Data Protection Act; Colorado Privacy Act; and the CCPA’s successor, the California Privacy Rights Act. Importantly, these laws are likely to be further modified through amendments and forthcoming regulations, and other states are expected to pass similar laws, including potentially in New York, Washington, and Massachusetts.

Similarly, healthcare providers and health plans that have comfortably used, shared, and safeguarded protected health information (PHI) data under HIPAA now have to evaluate whether they are also subject to the CCPA and other state laws, given that the organizations collect PI through a multitude of methods, including their website and social media platforms or other operations like brick-and-mortar pharmacies that provide consumer products in addition to dispensing prescriptions.