This article was written by Powers healthcare associate Allyn Rosenberger

When New Jersey enacted the New Jersey Data Privacy Act in January 2024, it became the fourteenth state to pass comprehensive data privacy legislation. The passage of this law came on the heels of an unprecedented 2023, in which eight other states passed similar measures.[1] While these laws address consumer data generally, healthcare organizations are not immune from the novel compliance challenges they pose.

Healthcare organizations are familiar with navigating federal laws like the Health Insurance Portability and Accountability Act (“HIPAA”) and the Federal Trade Commission Act’s Health Breach Notification Rule (“HBNR”). These laws apply nationwide, meaning a single compliance approach is feasible. The increasingly complex state data privacy law landscape, however, warrants a more nuanced compliance strategy.

Assessing the Patchwork of State Data Privacy Laws

Many state laws impose similar requirements and have common exemptions. However, there are numerous obligations that are dissimilar enough that a single compliance approach would be neither realistic nor advisable from a business or legal perspective. We highlight noteworthy exemptions below and summarize them in the table at the end of this article.

HIPAA-Related Exemptions

To date, every state law exempts protected health information (“PHI”), as defined by HIPAA. Nine of the fourteen state laws also exempt HIPAA covered entities and business associates as entities in and of themselves. However, state laws without this exemption (California, Colorado, Delaware, New Jersey, and Oregon) would apply to covered entities and business associates with respect to personal information that is not PHI (e.g., information about consumers at a hospital gift shop).

While these exemptions will provide comfort to many in the healthcare industry, others that fall outside the scope of HIPAA should pay particular attention to the state law requirements. For example, digital health companies, such as healthcare mobile applications or life sciences companies collecting health information not otherwise regulated by HIPAA, may find themselves subject to these laws.

Nonprofit Exemptions

If a healthcare organization is a nonprofit, then it will fall outside the purview of most state data privacy laws, except in Colorado, Delaware, New Jersey, and Oregon, where the laws do apply to nonprofit organizations that otherwise meet the applicability thresholds.

Maintaining Compliance

While the state data privacy landscape is complex, it is possible to prepare an effective compliance strategy. As a starting point, we recommend:

  1. Conduct a data mapping exercise to understand what data you maintain and where.
  2. Draft a comprehensive privacy policy that accounts for any applicable state laws.

*          *          *

While many healthcare players remain exempt from the state privacy laws enacted to date, others should pay close attention to their requirements and effective dates. We anticipate 2024 will only bring more states into the fold, with a handful of states poised to pass data privacy legislation within the year.

| State | Applicability Threshold* | PHI Exemption | Covered Entity / Business Associate Exemption | Nonprofit Exemption | Effective Date |
|---|---|---|---|---|---|
| California | $25MM+ in revenue or data of 100,000+ CA residents | Yes | Only to the extent they treat personal information as PHI | Yes | 1/1/2020 & 1/1/2023 |
| Colorado | Data of 100,000+ CO residents | Yes | No | No | 7/1/2023 |
| Connecticut | Data of 100,000+ CT residents | Yes | Yes | Yes | 7/1/2023 |
| Delaware | Data of 35,000+ DE residents | Yes | Only to the extent they use the information for public health, community health, or population health activities and purposes, as authorized by HIPAA | No | 1/1/2025 |
| Florida | $1B+ in revenue and operates certain smart speaker services or app stores | Yes | Yes | Yes | 7/1/2024 |
| Indiana | Data of 100,000+ IN residents | Yes | Yes | Yes | 1/1/2026 |
| Iowa | Data of 100,000+ IA residents | Yes | Yes | Yes | 1/1/2025 |
| Montana | Data of 50,000+ MT residents | Yes | Yes | Yes | 10/1/2024 |
| New Jersey | Data of 100,000+ NJ residents | Yes | No | No | 1/15/2025 |
| Oregon | Data of 100,000+ OR residents | Yes | No | No | 7/1/2024 |
| Tennessee | $25MM+ in revenue and data of 175,000+ TN residents | Yes | Yes | Yes | 7/1/2025 |
| Texas | Process or engage in sale of personal data and not an SBA small business | Yes | Yes | Yes | 7/1/2024 |
| Utah | $25MM+ in revenue and data of 100,000+ UT residents | Yes | Yes | Yes | 12/31/2023 |
| Virginia | Data of 100,000+ VA residents | Yes | Yes | Yes | 1/1/2023 |

*This does not include thresholds based on percentage of revenue from the sale of personal information.

[1] This excludes the health data-specific laws in Washington (“My Health My Data”) and Nevada (“Nevada’s Consumer Health Data Privacy Law”), which we will cover in a future article.

For more information about complying with these laws, please contact Rob Portman (Rob.Portman@PowersLaw.com) or Allyn Rosenberger (Allyn.Rosenberger@PowersLaw.com). The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only.