This article was written by Powers healthcare associate Allyn Rosenberger.
When New Jersey enacted the New Jersey Data Privacy Act in January 2024, it became the fourteenth state to pass comprehensive data privacy legislation. The passage of this law came on the heels of an unprecedented 2023, in which eight other states passed similar measures.[1] While these laws address consumer data generally, healthcare organizations are not immune from the novel compliance challenges they pose.
Healthcare organizations are familiar with navigating federal laws like the Health Insurance Portability and Accountability Act (“HIPAA”) and the Federal Trade Commission Act’s Health Breach Notification Rule (“HBNR”). These laws apply nationwide, meaning a single compliance approach is feasible. The increasingly complex state data privacy law landscape, however, warrants a more nuanced compliance strategy.
Assessing the Patchwork of State Data Privacy Laws
Many state laws impose similar requirements and have common exemptions. However, there are numerous obligations that are dissimilar enough that a single compliance approach would be neither realistic nor advisable from a business or legal perspective. We highlight noteworthy exemptions below and summarize them in the table at the end of this article.
HIPAA-Related Exemptions
To date, every state law exempts protected health information (“PHI”), as defined by HIPAA. Nine of the fourteen state laws also exempt HIPAA covered entities and business associates as entities in and of themselves. However, state laws without this exemption (California, Colorado, Delaware, New Jersey, and Oregon) would apply to covered entities and business associates with respect to personal information that is not PHI (e.g., information about consumers at a hospital gift shop).
While these exemptions will provide comfort to many in the healthcare industry, others that fall outside the scope of HIPAA should pay particular attention to the state law requirements. For example, digital health companies, such as healthcare mobile applications, or life sciences companies collecting health information not otherwise regulated by HIPAA, may find themselves subject to these laws.
Nonprofit Exemptions
If a healthcare organization is a nonprofit, then it will fall outside the purview of most state data privacy laws, except in Colorado, Delaware, New Jersey, and Oregon, where the laws do apply to nonprofit organizations that otherwise meet the applicability thresholds.
Maintaining Compliance
While the state data privacy landscape is complex, it is possible to prepare an effective compliance strategy. As a starting point, we recommend:
- Conduct a data mapping exercise to understand what data you maintain and where.
- Draft a comprehensive privacy policy that accounts for any applicable state laws.
* * *
While many healthcare players remain exempt from the state privacy laws enacted to date, others should pay close attention to their requirements and effective dates. We anticipate 2024 will only bring more states into the fold, with a handful of states poised to pass data privacy legislation within the year.
| State | Applicability Threshold* | PHI Exemption | Covered Entity / Business Associate Exemption | Nonprofit Exemption | Effective Date |
|---|---|---|---|---|---|
| California | $25MM+ in revenue or data of 100,000+ CA residents | Yes | Only to the extent they treat personal information as PHI | Yes | 1/1/2020 & 1/1/2023 |
| Colorado | Data of 100,000+ CO residents | Yes | No | No | 7/1/2023 |
| Connecticut | Data of 100,000+ CT residents | Yes | Yes | Yes | 7/1/2023 |
| Delaware | Data of 35,000+ DE residents | Yes | Only to the extent they use the information for public health, community health, or population health activities and purposes, as authorized by HIPAA | No | 1/1/2025 |
| Florida | $1B+ in revenue and operates certain smart speaker services or app stores | Yes | Yes | Yes | 7/1/2024 |
| Indiana | Data of 100,000+ IN residents | Yes | Yes | Yes | 1/1/2026 |
| Iowa | Data of 100,000+ IA residents | Yes | Yes | Yes | 1/1/2025 |
| Montana | Data of 50,000+ MT residents | Yes | Yes | Yes | 10/1/2024 |
| New Jersey | Data of 100,000+ NJ residents | Yes | No | No | 1/15/2025 |
| Oregon | Data of 100,000+ OR residents | Yes | No | No | 7/1/2024 |
| Tennessee | $25MM+ in revenue and data of 175,000+ TN residents | Yes | Yes | Yes | 7/1/2025 |
| Texas | Process or engage in sale of personal data and not an SBA small business | Yes | Yes | Yes | 7/1/2024 |
| Utah | $25MM+ in revenue and data of 100,000+ UT residents | Yes | Yes | Yes | 12/31/2023 |
| Virginia | Data of 100,000+ VA residents | Yes | Yes | Yes | 1/1/2023 |
*This does not include thresholds based on percentage of revenue from the sale of personal information.
[1] This excludes the health data-specific laws in Washington (“My Health My Data”) and Nevada (“Nevada’s Consumer Health Data Privacy Law”), which we will cover in a future article.
For more information about complying with these laws, please contact Rob Portman (Rob.Portman@PowersLaw.com) or Allyn Rosenberger (Allyn.Rosenberger@PowersLaw.com). The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only.