Beyond HIPAA: How Far Can States Go to Protect Consumer Health Data?

In the wake of seismic political and legal shifts—including a second Trump presidency, the Supreme Court’s reversal of Roe v. Wade, and a surge of stricter abortion bans across the country—states are ramping up efforts to protect consumer health data and privacy.
With Congress stalled on passing a federal privacy law, Big Tech companies like Amazon, Meta, and Google have been able to collect, store, and share sensitive health-related information, often without explicit consumer consent. While the Health Insurance Portability and Accountability Act (“HIPAA”) safeguards data collected by “covered entities” (i.e., healthcare providers and health insurers), it doesn’t extend to the broader digital landscape of health apps, wearable technology, or location tracking.
These are the kinds of apps we use every day—Fitbit to track steps, a period tracker to monitor cycles, and eCommerce apps that remember our purchases—without much thought about where that data travels. But companies aren’t collecting this information purely to enhance user experience.
Take Target, which famously used data analytics to predict and track pregnancies. By analyzing shopping patterns, Target identified mothers-to-be and sent them targeted advertisements for baby products. In one case, a father discovered his teenage daughter’s pregnancy through the mailings she received, before she had even shared the news with her family.
Recognizing these gaps, Washington enacted the My Health My Data Act (“MHMDA”), the first U.S. privacy law to protect personal health data collected beyond HIPAA’s scope. It broadly defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”
Under the law, consumer health data can include details about mental health, reproductive health, biometric data, and even inferred health information. This includes the use of geofencing technology, which allows companies to track when a person visits a sensitive location—whether it’s a routine doctor’s appointment or an abortion clinic.
More than a year after MHMDA’s passage, the law is finally being put to the test in the form of a class-action suit against Amazon. Filed in February 2025, the suit alleges that Amazon unlawfully harvested and shared sensitive consumer location data in violation of MHMDA’s strict consent requirements.
According to the complaint, Amazon embedded its Amazon Ads software development kit (“SDK”) in over 10,000 third-party apps, allowing it to track users’ precise locations without their knowledge. The Amazon Ads SDK, which developers integrate into their apps to display advertisements, allegedly operated in the background while Amazon gathered sensitive location data—even when users were not actively using Amazon’s services. While users may have granted access to a particular app, they were unaware that Amazon was quietly collecting and monetizing this data behind the scenes.
The complaint further contends that Amazon collected “biometric data and precise location data that could indicate a consumer’s attempt to obtain health services.” This inference-based tracking has raised concerns, especially after the overturning of Roe v. Wade and the rise of abortion bans. In states where abortion access is heavily restricted, there are mounting concerns that such data could be weaponized in criminal investigations related to reproductive health care.
Washington’s MHMDA will continue to be closely monitored as this suit progresses, spurring discussions across the legal field. Its outcome will likely influence how other states craft their own health data privacy legislation. New York recently passed the Health Information Privacy Act (“NYHIPA”), considered by some to be “the toughest in the nation.” But Washington’s law is the first to be tried in court, making the Amazon lawsuit a central case in shaping the future of digital health privacy.
A ruling against Amazon may force companies to overhaul their data collection practices, guaranteeing greater transparency and consumer control. On the other hand, if Amazon prevails, it could weaken MHMDA’s impact and make it harder for states to hold Big Tech accountable for their handling of sensitive health data.
With federal action at a standstill and the prospects of a national privacy law uncertain, states must take the lead in protecting consumer health data. As more states consider their own privacy laws, Washington’s case will serve as an early test of how effectively these regulations can safeguard personal information in an area where digital privacy remains under constant threat.
Anjali K. Purohit
Anjali attended Wake Forest University for college, where she double majored in Sociology with a concentration in Crime & Criminal Justice, and Spanish. She is a second-year student at the University of North Carolina School of Law. Her hobbies include watching sports, playing The Sims 3, and spending time with her dog, Tobie.