Connecticut, Washington set fitness data rules

- Connecticut and Washington now enforce state rules that require consent and added disclosures for some health and fitness data collected outside HIPAA protections.
- Washington Attorney General Bob Ferguson’s office said the law covers personal health data outside HIPAA; Connecticut applies its health-data rules regardless of company size.
- Connecticut’s statute appears in Conn. Gen. Stat. § 42-526, and Washington’s in Chapter 19.373 RCW, with attorney general guidance posted online.

Washington and Connecticut already have state laws on the books that reach health and fitness data collected outside traditional medical settings, including some information gathered by wearable devices and wellness apps. Washington’s My Health My Data Act took effect for most regulated entities on March 31, 2024, with small businesses following on June 30, 2024, according to the Washington attorney general’s office. Connecticut’s consumer health data provisions took effect on October 1, 2023, as part of amendments to the Connecticut Data Privacy Act.

The two laws matter because HIPAA does not cover all health-related data. Washington’s statute says directly that HIPAA covers health data collected by specific healthcare entities, while data collected by noncovered entities, including certain apps and websites, does not receive the same protections. Amazon Web Services, in its HIPAA compliance materials, similarly says HIPAA applies to covered entities and their business associates, not every company handling health-adjacent consumer data. (atg.wa.gov)

### Which fitness and wearable data can fall into this gap?

Washington’s law is written broadly enough to reach consumer health data collected by noncovered entities, including apps, websites and other businesses that determine how that data is collected, processed, shared or sold. The attorney general’s office says the law was designed to protect sensitive health data from being collected and shared without consent, and the statute says it was meant to close the gap for data outside HIPAA. (app.leg.wa.gov)

Connecticut’s law uses the term “consumer health data” for personal data used to identify a consumer’s physical or mental health condition or diagnosis. Legal analyses of the statute say that can include data points that are not themselves a diagnosis but can be used to infer one, which is why companies handling wellness, reproductive-health or similar data have had to review their practices. (atg.wa.gov)

### What does Washington require before a company collects or shares the data?

Washington’s law requires additional disclosures and consumer consent around the collection, sharing and use of consumer health data, according to the statute and the attorney general’s guidance page. The law also gives consumers deletion rights, bars the sale of consumer health data without a valid authorization signed by the consumer, and prohibits geofencing around healthcare facilities for certain purposes. (orrick.com)

The Washington attorney general’s office also says violations are enforceable under the state Consumer Protection Act through attorney general enforcement and private action. That has made the law a compliance issue not only for healthcare companies, but also for consumer-facing technology and wellness businesses that target Washington residents.

### How is Connecticut’s approach different?

Connecticut’s attorney general guidance says the state privacy law generally applies only above certain processing thresholds, but it applies to all consumer health data controllers that do business in Connecticut, regardless of size. (app.leg.wa.gov) That makes the consumer health data provisions broader in reach than the baseline Connecticut Data Privacy Act thresholds. Connecticut also requires consent before processing sensitive data, and consumer health data was added to that category through the 2023 amendments. (atg.wa.gov)

Analyses of Section 42-526 say the law restricts employee and contractor access, requires contractual controls for processors, regulates sharing and sale of consumer health data, and includes geofencing limits tied to healthcare services. Enforcement runs through the Connecticut attorney general rather than a private right of action. (portal.ct.gov)

### Why does remote patient monitoring come up in the same conversation?

Remote patient monitoring can sit on either side of the line depending on who is collecting the data and under what arrangement. AWS says HIPAA applies when covered entities and their business associates process protected health information in HIPAA-eligible services under the required safeguards. That means a wearable maker or app company may face state consumer-health-data rules when operating outside HIPAA, while a hospital-run monitoring program may also need HIPAA controls, business associate agreements and contracted vendors if it handles protected health information. (cga.ct.gov)

The next step for companies is usually to map which data flows are consumer wellness data under state law, which are protected health information under HIPAA, and which systems and vendor contracts govern each category. (app.leg.wa.gov) (aws.amazon.com)
