{"id":9505,"date":"2025-02-24T14:11:41","date_gmt":"2025-02-24T14:11:41","guid":{"rendered":"https:\/\/journals.law.unc.edu\/ncjolt\/?p=9505"},"modified":"2025-02-24T14:11:41","modified_gmt":"2025-02-24T14:11:41","slug":"beyond-hipaa-how-far-can-states-go-to-protect-consumer-health-data","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/beyond-hipaa-how-far-can-states-go-to-protect-consumer-health-data\/","title":{"rendered":"Beyond HIPAA: How Far Can States Go to Protect Consumer Health Data?"},"content":{"rendered":"\n
\"\"
https:\/\/pixabay.com\/illustrations\/stethoscope-doctor-health-care-8809763\/<\/figcaption><\/figure>\n\n\n\n

In the wake of seismic political and legal shifts\u2014including a second Trump presidency, the Supreme Court\u2019s reversal of Roe v. Wade, and a surge of stricter abortion bans across the country\u2014states are ramping up efforts to protect consumer health data and privacy<\/a>.\u00a0<\/p>\n\n\n\n

With Congress stalled on passing a federal privacy law, Big Tech companies like Amazon, Meta, and Google have been able to collect, store, and share sensitive health-related information<\/a>, often without explicit consumer consent. While the Health Insurance Portability and Accountability Act (\u201cHIPAA\u201d) safeguards data collected by \u201ccovered entities\u201d (i.e., healthcare providers and health insurers), it doesn\u2019t extend to the broader digital landscape of health apps, wearable technology, or location tracking.<\/a> <\/p>\n\n\n\n

These are the kinds of apps we use every day\u2014Fitbit to track steps, a period tracker to monitor cycles, and eCommerce apps that remember our purchases\u2014without much thought about where that data travels. But companies aren\u2019t collecting this information purely to enhance user experience. <\/p>\n\n\n\n

Take Target, which famously used data analytics to predict and track pregnancies.<\/a> By analyzing shopping patterns, Target identified mothers-to-be and sent them targeted advertisements for baby products. In one case, a father discovered his teenage daughter\u2019s pregnancy through the mailings she received, before she had even shared the news with her family. <\/p>\n\n\n\n

Recognizing these gaps, Washington enacted the My Health My Data Act (\u201cMHMDA\u201d)<\/a>, the first U.S. privacy law to protect personal health data collected beyond HIPAA\u2019s scope. It broadly defines \u201cconsumer health data,\u201d<\/a> as \u201cpersonal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.\u201d<\/p>\n\n\n\n

With federal action at a standstill and the prospects of a national privacy law uncertain,<\/a> states must take the lead in protecting consumer health data.<\/p><\/blockquote>\n\n\n\n

Under the law, consumer health data can include details about mental health, reproductive health, biometric data, and even inferred health information. This includes the use of geofencing technology,<\/a> which allows companies to track when a person visits a sensitive location\u2014whether it\u2019s a routine doctor\u2019s appointment or an abortion clinic. <\/p>\n\n\n\n

More than a year after MHMDA\u2019s passage, the law is finally being put to the test in the form of a class-action suit against Amazon<\/a>. Filed in February 2025, the suit alleges that Amazon unlawfully harvested and shared sensitive consumer location data in violation of MHMDA\u2019s strict consent requirements. <\/p>\n\n\n\n

According to the complaint, Amazon embedded its Amazon Ads software development kit (\u201cSDK\u201d) in over 10,000 third-party apps, allowing it to track users\u2019 precise locations without their knowledge. The Amazon Ads SDK, which developers integrate into their apps to display advertisements, allegedly operated in the background while Amazon gathered sensitive location data\u2013\u2013even when users were not actively using Amazon\u2019s services. While users may have granted access to a particular app, they were unaware that Amazon was quietly collecting and monetizing this data behind the scenes.<\/p>\n\n\n\n

The complaint further contends that Amazon collected \u201cbiometric data and precise location data that could indicate a consumer\u2019s attempt to obtain health services. This inference-based tracking has raised concerns, especially after the overturning of Roe v. Wade and the rise of abortion bans.<\/a> In states where abortion access is heavily restricted, there are mounting concerns that such data could be weaponized in criminal investigations related to reproductive health care. <\/p>\n\n\n\n

Washington\u2019s MHMDA will continue to be closely monitored as this suit progresses, spurring discussions across the legal field. Its outcome will likely influence how other states craft their own health data privacy legislation. New York recently passed the Health Information Privacy Act (\u201cNYHIPA\u201d)<\/a>, considered by some to be \u201cthe toughest in the nation.\u201d<\/a> But Washington\u2019s law is the first to be tried in court, making the Amazon lawsuit a central case in shaping the future of digital health privacy.<\/p>\n\n\n\n

A ruling against Amazon may force companies to overhaul their data collection practices, guaranteeing greater transparency and consumer control. On the other hand, if Amazon prevails, it could weaken MHMDA\u2019s impact and make it harder for states to hold Big Tech accountable for their handling of sensitive health data.<\/p>\n\n\n\n

With federal action at a standstill and the prospects of a national privacy law uncertain,<\/a> states must take the lead in protecting consumer health data. As more states consider their own privacy laws, Washington\u2019s case will serve as an early test of how effectively these regulations can safeguard personal information in an area where digital privacy remains under constant threat.<\/p>\n\n\n\n

Anjali K. Purohit<\/strong><\/p>\n\n\n\n

Anjali attended Wake Forest University for college, where she double majored in Sociology with a concentration in Crime & Criminal Justice, and Spanish. She is a second-year student at the University of North Carolina School of Law. Her hobbies include watching sports, playing The Sims 3, and spending time with her dog, Tobie.<\/p>\n","protected":false},"excerpt":{"rendered":"

In the wake of seismic political and legal shifts\u2014including a second Trump presidency, the Supreme Court\u2019s reversal of Roe v. Wade, and a surge of stricter abortion bans across the country\u2014states are ramping up efforts to protect consumer health data and privacy.\u00a0 With Congress stalled on passing a federal privacy law, Big Tech companies like …<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[282,633,163,632],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/9505"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=9505"}],"version-history":[{"count":2,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/9505\/revisions"}],"predecessor-version":[{"id":9508,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/9505\/revisions\/9508"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=9505"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=9505"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=9505"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}