Health Privacy Laws: Complicated, Confusing and More to Come
While a longstanding federal health law doesn't cover as much data as some people think, more recent state measures may be overcompensating and over-complicating health care privacy, said WilmerHale privacy attorney Kirk Nahra on a Tuesday webinar. Daniel Solove, George Washington University Law professor, predicted “we're going to see ... this complicated landscape get even more complicated.”
A major misconception is that the Health Insurance Portability and Accountability Act (HIPAA) regulates all health and medical data, Nahra said. Instead, HIPAA "covers medical information in certain contexts, held by doctors, hospitals, pharmacies, [and] health insurance.”
While once there was very little law on health and medical data, in the last decade or so, there have been “a variety of different developments that have either intentionally tried to fill in some of those gaps that were left by HIPAA or unintentionally picked up those gaps because they covered other kinds of things,” Nahra said. For example, states like Texas and California have mini-HIPAA rules. Some state comprehensive privacy laws cover a few of the gaps, and consumer health laws are developing in a few states intentionally to cover gaps HIPAA left, he said.
Nahra highlighted Washington state’s My Health, My Data Act (MHMDA), which took effect in 2024. The first class-action complaint under the law was filed in February 2025 (see 2502120053). MHMDA is “intended to protect the health care data about you that is not subject to HIPAA,” he said. “But at the same time, it really starts to blow up what the definition of health data is,” because “at its broadest reach, it includes essentially any information that can be used to make an inference about your health.”
What gets tricky, he said, is that MHMDA also protects certain location data, which the law defines as “personal information about your location that's within a certain distance of a health care facility.” Solove said this was included to prevent tracking people seeking reproductive health care.
“We're seeing these state laws [created] for totally appropriate purposes,” said Nahra, but sometimes they unintentionally spur problems with other privacy laws and in the "rest of the health care system.”
Solove agreed. “There really is no good way to define these categories of data,” he said. “Especially in today's age of algorithms and inference, anything can be used to infer health data.”
Adding to the complexity are additional laws covering medical research, medical conditions and people with disabilities. “What we're seeing more and more are multiple laws covering the same data depending on who has it,” Nahra said. Sometimes there are “different laws for the same businesses depending on what [the company is] going to do with the data that they have," he said. "It's just an increasingly complicated situation, with more and more law coming in the short term.”
Solove noted that common-law torts on privacy and breach of confidentiality can also apply to protecting health data. Also, since HIPAA does not preempt state common-law claims, "there are instances where, even though HIPAA does not have a private right of action, people use HIPAA as the standard of care in either a negligence case or a breach of confidentiality case, and use common law to then say, ‘I get a private right of action.’”
It would be difficult to craft a law that regulates only non-HIPAA-covered health information, said Nahra. “Maybe that leads to a general, overall privacy law that provides good, general protections for all information, including whatever we're going to define as sensitive data,” he said. “The failure of Congress to have a good national privacy law is a meaningful failure at this point.”