Beyond HIPAA: How state laws are reshaping health data compliance

June 26, 2025

We are in an era where smartphones track sleep patterns, fitness apps monitor heart rates, and online searches reveal sensitive medical inquiries. As a result, the notion of “health data” has expanded dramatically. This transformation has exposed a critical gap in privacy protections. While HIPAA remains the bedrock of federal health privacy regulation, its scope is limited to covered entities like healthcare providers and insurers. It does not address the vast and growing world of consumer-generated health data collected by wellness apps, digital platforms, or advertising technologies. The Federal Trade Commission (FTC) has taken some steps to try to fill the gap through its enforcement of the Health Breach Notification Rule and Section 5 of the FTC Act, which addresses deceptive trade practices. The FTC can use its authority to issue fines against both HIPAA and non-HIPAA entities, but that authority is limited to narrowly defined breaches of personal health records and to cases where entities are deemed to be deceptive in their business practices.

Recognizing these gaps, states have stepped into the regulatory void. California and Washington have led the way with sweeping legislation, namely the Consumer Privacy Rights Act (CPRA) and the My Health My Data Act. These state laws redefine how companies must handle consumer health data and are forcing healthcare providers, digital health platforms, and even non-healthcare companies to rethink their data practices from the ground up.

A recent lawsuit, Maxwell v. Amazon, underscores what’s at stake. The plaintiffs in this case allege that Amazon’s advertising software collected precise location data from consumers without their knowledge, allowing the company to infer sensitive health information, such as visits to mental health clinics or reproductive care centers. Apps like The Weather Channel and OfferUp had embedded Amazon’s software development kit, which allegedly siphoned location data even when users were not actively using the apps. The lawsuit points to violations of several federal laws, including the Federal Wiretap Act and the Computer Fraud and Abuse Act. More notably, it also invokes Washington’s My Health My Data Act, highlighting a growing trend of leveraging state privacy laws in consumer protection litigation.

Washington’s law is particularly groundbreaking because it applies to any entity that collects health-related data, regardless of whether it is a traditional healthcare provider. It defines “consumer health data” broadly to include information that can be used to infer a person’s physical or mental health status. The law requires clear, affirmative consent for data collection and sharing, restricts the use of geofencing near sensitive locations, and provides a private right of action, meaning individuals can sue for violations. This expands the risk landscape for businesses of all kinds, not just those in the healthcare sector.

California has also significantly expanded its data privacy framework. The CPRA, which amends the earlier California Consumer Privacy Act (CCPA), enhances protections for sensitive personal information, including health data. It gives consumers the right to know what data is collected, to opt out of its sale or sharing, and to request its deletion. The California Delete Act goes further by requiring data brokers to register with the state and enabling consumers to request, through a centralized mechanism, that their personal data be deleted across all registered brokers. These developments create additional compliance responsibilities for organizations operating in California or collecting data from California residents.

New York has joined the movement with its own legislation, S. 929, enacted in March 2024. Much like Washington’s law, New York’s statute applies to companies beyond the traditional healthcare setting and imposes strict consent and transparency requirements. It aims to protect consumers from the unauthorized collection and use of health-related data and prohibits the use of location data to infer medical conditions or treatment-seeking behavior. It also gives regulators and private citizens the authority to enforce the law, adding another layer of potential legal exposure for companies that fall short.

As more states follow suit, organizations must grapple with a patchwork of laws that differ in scope, definitions, consent standards, and enforcement mechanisms. This evolving legal landscape can be especially daunting for multi-state providers and digital health startups with limited compliance resources. Yet waiting for federal legislation is not a viable strategy—compliance must begin now.

To stay ahead of regulatory risk, companies must first understand what data they collect and how it might be classified under emerging laws. Location data, browsing behavior, biometric identifiers, and wearable device outputs may all fall under the umbrella of consumer health data. Even seemingly innocuous information, like search queries or app usage patterns, could be used to infer sensitive health details.

Transparency is now a baseline requirement. Companies must revise their privacy policies and user interfaces to provide clear, plain-language disclosures. Consent processes must move beyond pre-checked boxes and dense legalese. Users need to be given meaningful choices about how their health data is collected and used. This includes implementing robust opt-in mechanisms and providing easy-to-use tools for consumers to access or delete their data.

Data minimization is another key principle that companies must embrace. Collecting only the data that is strictly necessary for a specified purpose and retaining it only as long as needed reduces both regulatory exposure and security risks. Organizations should also scrutinize their vendor relationships. Any third party that processes health-related data on their behalf must be held to the same high standards of compliance through contractual agreements and ongoing oversight, and once a vendor relationship ends, return or certified destruction of health-related data must occur.

Perhaps most importantly, organizations must prepare for enforcement. The inclusion of private rights of action in laws like Washington’s My Health My Data Act means that litigation is no longer merely a theoretical risk. Plaintiffs’ attorneys are watching closely, and the reputational damage from a privacy lawsuit can be swift and severe.

Despite these challenges, there is an opportunity for organizations to distinguish themselves through leadership in privacy. By investing in privacy-by-design principles, strengthening internal governance, and demonstrating a commitment to transparency and consumer trust, healthcare and wellness organizations can turn compliance into a competitive advantage.

To navigate these emerging issues and learn how your organization can build a forward-looking compliance strategy, join us for our upcoming webinar: From CPRA to My Health, My Data Act: How to Stay Compliant with State Consumer Healthcare Privacy Laws. We’ll explore the latest legal developments, offer practical guidance, and provide insight into what’s on the horizon. The webinar takes place 1 to 2 p.m. ET on July 30.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
