Health Jurisdictions Amplify Protections for Individual Health Information

Health Jurisdictions Amplify Protections for Individual Health Information

States Across the Nation Strengthen Health Data Privacy Beyond HIPAA's Scope

In an effort to safeguard sensitive health data, more states are enacting laws that extend privacy protections beyond the Health Insurance Portability and Accountability Act (HIPAA). These measures aim to provide individuals with greater control over their health information, especially data that has fallen outside HIPAA's purview.

One such example is Washington's My Health, My Data Act, which has been created to shield health information not protected by HIPAA. This legislation covers data like reproductive care, gender-affirming treatments, and location data when seeking medical assistance. Companies are barred from gathering or sharing this kind of information without explicit consent, and individuals in Washington can take legal action against those that violate the law.

Nevada has followed suit with a similar law, providing stronger privacy rights for health data, particularly reproductive health information. However, it only allows the state's attorney general to take legal action, and individuals cannot sue companies directly.

Virginia is another state making strides in health data privacy. In July 2025, new rules under the Virginia Consumer Protection Act will take effect, focusing on sensitive health topics like pregnancy, birth control, and sexual health. Businesses will be required to obtain explicit consent before collecting or sharing such data, and violations may lead to lawsuits and fines.

New York's Health Information Privacy Act has been introduced, though it does not enable individuals to sue. Instead, the state possesses the power to enforce the law, with penalties reaching up to $15,000 per violation or a portion of the company's revenue. This law aims to hold businesses accountable for handling health information, particularly those operating in New York or serving its residents.

California and Colorado are among the states that have enacted broad privacy laws that encompass health-related data, extending beyond medical records to include sensitive data like an individual's sexual orientation or mental health status. The specifics of what constitutes sensitive data may vary state by state, but the message is clear: people are demanding increased privacy for their health information.

With more states implementing privacy protections, businesses, both inside and outside the healthcare sector, must reconsider their strategies for collecting and using personal health information. It appears that reliance solely on HIPAA is no longer sufficient, and companies must now adhere to both federal and state regulations to avoid legal problems.

Sources:- ENGROSSED SUBSTITUTE HOUSE BILL 115- State Laws Expand Health Data Privacy Beyond HIPAA Limits- Washington HB 1155 Protects Data Not Covered by HIPAA

1. In an effort to provide individuals with greater control over sensitive health data, more states are enacting laws that extend privacy protections beyond the Health Insurance Portability and Accountability Act (HIPAA), as demonstrated by Washington's My Health, My Data Act.
2. Similar legislation, such as Nevada's law, aims to provide stronger privacy rights for health data, particularly reproductive health information, as individuals demand increased privacy for their health information in states like Virginia, New York, California, and Colorado.
3. Virginia's new rules under the Virginia Consumer Protection Act, effective in July 2025, will focus on sensitive health topics like pregnancy, birth control, and sexual health, and businesses will be required to obtain explicit consent before collecting or sharing such data.
4. California and Colorado have enacted broad privacy laws that cover health-related data, including sensitive data like an individual's sexual orientation or mental health status, indicating a broader movement towards increased health data privacy protections.
5. With these privacy protections being enacted across the nation, businesses must reconsider their strategies for collecting and using personal health information, as they must now adhere to both federal and state regulations to avoid legal problems, given that reliance solely on HIPAA is no longer sufficient.

Read also: