The Shifting Landscape Of Data Privacy Regulation In The Life Sciences Industry

Wilson Elser Moskowitz Edelman & Dicker LLP


More than 800 attorneys strong, Wilson Elser serves clients of all sizes across multiple industries. It maintains 38 domestic offices, another in London and enjoys more extensive international reach as a founding member of Legalign Global.  The firm is currently ranked 56th in the National Law Journal’s NLJ 500.

Strong momentum continues for the implementation and enforcement of state data privacy legislation in 2024, with Kentucky, Maryland, Nebraska, New Hampshire and New Jersey each enacting comprehensive data privacy laws this year. When combined with similar laws passed by various states in the prior year, there are now 17 comprehensive state privacy statutes that are currently in effect or slated to take effect over the next several years. Meanwhile, regulatory enforcement under the recently enacted laws in California, Colorado, Connecticut, Utah and Virginia is under way, offering practitioners insight into the practical impact of the privacy statutes in these states.

Health care providers, pharmaceutical companies, medical and digital health care device manufacturers and biotechnology firms, as well as entities involved in related sectors, would be prudent to closely monitor the recent developments that directly affect their information practices, particularly concerning the hot topics of sharing data with third parties, the use of website technologies and the rise of artificial intelligence.

State Privacy Laws' Application to Life Sciences and Pharmaceutical Companies

The new data privacy laws regulate the use of personal information by businesses (some laws also apply to nonprofits). Personal information is very broadly defined, and may include internet activity, cookies, geolocation and so forth. Each of the state laws features a threshold of applicability based on revenue, number of consumers whose data the business controls or whether the organization derives revenue from the sale of personal information.

Additionally, certain categories of personal information are defined as “sensitive,” which may include data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, and genetic or biometric data. The definitions vary from state to state, making compliance particularly difficult. Processing sensitive personal information mandates higher compliance obligations for a business, including in certain circumstances affording consumers a right to opt out of the processing of their information. And as “controllers” of this type of data – through the conduct of clinical trials, physician cooperative testing and patient assistance programs, among others – pharmaceutical and device companies must consider their own risks in the collection, storage and protection of this data.

Typically, state data privacy laws either contain entity-level exemptions for entities covered by the federal Health Insurance Portability and Accountability Act (HIPAA), irrespective of the data involved (e.g., Connecticut), or are limited to data covered under HIPAA (e.g., California and Oregon). Several laws feature exemptions for personal information collected in clinical trials or other biomedical research studies, or similar exemptions relevant to health and life sciences data. Again, however, these exemptions are not uniform. Pharmaceutical and life sciences companies need to assess carefully the applicability of each of the state privacy laws to their particular business model, paying close attention to the differences between the state laws.

To the extent an organization needs to comply with a state's privacy laws, it is required to maintain and regularly update a consumer privacy policy, provide consumers and patients with notice of their rights regarding their data, implement reasonable security measures to protect the personal information collected, implement data processing agreements with vendors, and conduct awareness training for stakeholders and employees. In practice, many organizations fail to adequately undertake these measures. Many businesses rely on outdated policies, fail to provide consumers or patients with a way to exercise their rights to know or to delete (or fail to honor those rights when exercised), and have no data processing agreements in place.

One state law of particular significance to pharmaceutical and life sciences companies is the Washington My Health My Data Act (WMHMDA), which took effect in March 2024. Unlike other privacy laws, it confers protections only on “consumer health data,” which includes data linked to an individual's past, present or future health status. Notably, organizations should examine this definition carefully, as data not traditionally viewed to be “health data” is included; for example, data that identifies a consumer seeking health care services.

The WMHMDA does not contain applicability thresholds based on revenue or number of consumers, such as those found in other privacy laws, and applies broadly to entities that (1) conduct business in Washington and (2) determine “the purpose and means of collecting, processing, sharing, or selling of consumer health data.” In broad strokes, an approach to building compliance under WMHMDA is similar to that under the comprehensive state privacy laws, meaning that a policy honoring consumer rights, vendor data-sharing agreements and similar compliance measures are required.

WMHMDA, however, features stronger consent-based requirements and privacy rights for consumers. Notably, a key feature of WMHMDA is a private right of action, which greatly increases the risk that organizations face from failing to comply with this law. Given the wide application and broad definitions, the exact scope of this law remains unclear. Yet, pharmaceutical companies already are being targeted by plaintiffs for alleged violations.

Lessons Learned from Regulatory Enforcement

The Offices of Attorney General (OAGs) in several states publish reports on their enforcement activity, which is a valuable resource to businesses within the life sciences sector looking to mature their organizations' privacy compliance programs. Again, many such businesses may not qualify for HIPAA exemptions to the state data privacy laws, and the clinical trial data exemption is not available in many states. Yet, life sciences businesses may be employing the very same data practices on which OAGs have focused early enforcement efforts.

Key areas of focus for state regulators have been the review of privacy policies, sensitive data collection, teens' data practices and practices involving the “sale of personal information.” The latter is another very broadly defined term that encompasses practices such as the use of third-party marketing or analytics cookies, or participation in cooperatives where businesses exchange customer and patient data in order to market their programs to each other's customers and patients. The regulators have highlighted the importance of thorough and transparent disclosures to consumers, especially when their data is being shared in ways that a consumer may not reasonably anticipate. Life sciences businesses should take note and carefully evaluate exactly how they are using patient data, whether it is being shared with other entities and for what purposes, and whether all disclosures are current and transparent.

In addition, in the past year the FTC has taken enforcement actions against a telehealth and prescription drug provider and an online counseling service in connection with allegations of sharing sensitive health data with third parties for advertising purposes after promising to keep such data private. Both entities were required to pay millions of dollars in penalties and to take corrective action to prevent future unauthorized disclosure of users' sensitive health information. Notably, the drug provider was not a covered entity under HIPAA so it was not subject to HIPAA's requirements, similar to many life sciences businesses. The FTC, however, has general authority to regulate privacy practices under section 5 of the FTC Act, which prohibits unfair and deceptive trade practices. In its guidance on Health Privacy, the Commission states: “If your company makes privacy promises – either expressly or by implication – the FTC Act requires you to live up to those claims.”

Action Steps Toward an Effective Compliance Program

Compliance with data privacy laws requires a life sciences business to have a nuanced understanding of its data needs and current information practices. Practically, this understanding has to be based on a current data map that allows the business to understand how data was collected (with an express consent or otherwise), how it is being used and for what purposes, with whom it is being shared and how long it is being stored. Furthermore, the time of keeping data “just in case” is long past: organizations need to remember that more data equals more risk and, frequently, heightened compliance obligations. Data privacy laws are based on the principle of data minimization, which means that a business may collect and process only the data that it needs and only for as long as it needs to do so.

With the proliferation of technologies, from apps tracking health-related information or the geolocation of consumers seeking care to artificial intelligence models supporting business functions such as scheduling and patient answering services, it is incumbent on life sciences businesses to understand the privacy impact of such technologies up front, or else risk expensive regulatory enforcement or even class action litigation. A key practice in this respect is not merely to delegate compliance to a company's regulatory or legal departments, but to install privacy advocates in each department that uses personal data, most especially marketing, information technology, research and development, and information security, with the buy-in and support of executive leadership.

While the costs of achieving compliance may be high, the risk of regulatory fines and litigation is not the only driver of compliance. Increasingly, businesses view the consumer trust that may be earned by building a mature privacy program as a competitive advantage, which, moreover, is increasingly taken into account in business valuations. Just as organizations invest in intellectual property assets such as patents and trademarks, a mature compliance program should be viewed as a valuable business asset.

Originally published by Pharmaceutical Compliance Monitor.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
