New Health Data Privacy Laws are Coming — Assess Compliance With This 12-Point Checklist

Compliance
Written By Jonathan McLeod

Successful compliance with increasingly strict and regularly changing data privacy laws requires effective consent management processes.

Advertising technology companies, pharma companies and their agencies must obtain explicit consent to use protected sensitive information. Knowing what that entails can be challenging since additional new laws will come on the books in 2024 and beyond.

Categories of Protected Health Data

State and federal laws cover various categories of protected data, including:

Protected (or personal) health information (PHI) is covered by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA applies only to healthcare delivery and payment.

Personal identifiable information (PII) is data that uniquely identifies an individual. These can include their name, social security number and biometric data. HIPAA does not necessarily cover PII.

Sensitive personal information (SPI), a subset of PII, refers to data related to an individual, even if it doesn’t identify them. Examples include account logins, precise geolocation, racial or ethnic origins, religious beliefs, union memberships, genetic data and details about sexual orientation. HIPAA may not cover SPI.

These categories identify the protected data under current laws, but what’s driving the urgency behind the new state privacy laws? 

State Privacy Laws Expected to Surge in 2024

Twelve states have enacted privacy legislation; others have active bills under consideration. By the end of 2024, as many as 20 states will have enacted new privacy laws. For example, Washington’s My Health My Data Act (MHMDA) goes into effect on March 31, 2024. It includes new requirements that go beyond HIPAA protections for health data.

What’s driving this focus on data privacy? There are two key factors:

The General Data Protection Regulation (GDPR), effective May 2018, is a robust security and privacy law that, among other provisions, requires explicit consent for data use. It applies globally to companies dealing with EU citizens. GDRP has influenced U.S. policies, including the California Consumer Privacy Act and other state laws.

The Dobbs v. Jackson Women’s Health Organization ruling accelerated the momentum to develop privacy laws. Lawmakers sought to prevent unauthorized tracking of sensitive health data. For example, geofencing, which involves tracking geographical locations, is under heightened scrutiny, especially near health centers. Perhaps the most significant post-Dobbs privacy regulation is Washington’s My Health My Data Act. 

Privacy and Consent Management in Healthcare Marketing

To ensure our clients comply with privacy laws, Throtle developed a comprehensive privacy and consent management checklist. Here are 12 critical steps:

Consent Management

When you obtain consumer consent, you must:

1. Disclose to consumers at or before the point of collection what you will collect and how you will use that data.

2. Notify consumers of their “right to know” what personal information you are collecting. Explain how you are using it and with whom you will share it.

3. Allow consumers to access their personal information and to request its deletion.

4. Offer consumers a way to opt out of the sale of their personal information.

5. Store personal information securely to protect against unauthorized access or disclosure.

Privacy Policy

Your privacy policy should:

6. Describe the types of personal information collected and outline the purposes of collecting it.

7. Disclose whether you sell consumer data or personal information, with whom you share it and for what purposes.

8. List the consumer rights under current laws and describe how consumers can exercise these rights.

9. Provide contact information so consumers can reach out with questions or concerns.

Other Important Disclosures

Your website needs to:

10. Include an explicit statement on whether you collect or process children's data — even if you do neither.

11. Provide “Do not sell my information” and “Limit the use of my information” links.

12. Link to your privacy policy.

Embrace Privacy and Compliance by Design

Don't wait for a regulatory audit to reveal gaps in your consent management. As privacy laws become stricter and consent management receives more scrutiny, data privacy cannot be an afterthought: You must fully integrate it into your consent management operations.

At Throtle, our approach is privacy by design and compliance by design. Yours should be, too. The regulatory landscape will continue to change: Now is the time to prepare — not after an audit.

Throtle has developed a white paper that provides insights into these state data privacy laws and how they differ from HIPAA. Download it now.

Jonathan McLeod
Previous

The Critical Role of Identity Resolution in Powering Next Best Action Strategies
Next

Google Cookie Deprecation: What You Need to Know