In the wake of California passing strict privacy requirements last year, several U.S. states, including Oregon, North Carolina, Virginia and Washington, are considering new legislation to shore up consumer data privacy laws.
The European Union's General Data Protection Regulation is inspiring renewed efforts worldwide, including at the federal and state levels in the United States, to boost privacy protections.
Democrats in Congress have introduced national breach notification and privacy legislation, but many previous efforts to pass similar measures have failed.
In the meantime, federal regulators are considering changes in HIPAA aimed at reducing regulatory burdens, including ways to improve secure data sharing for patient care coordination.
Rather than wait for Congress or federal regulators to take action, some states are considering a variety of techniques designed to strengthen consumer data protections.
For instance, Oregon is considering a bill that would prohibit the sale of de-identified protected health information without first obtaining a signed authorization from the individual. This would give patients the right to be paid for authorizing the de-identification of their PHI for sale to third parties.
In North Carolina, pending legislation would strengthen ID theft/fraud protections. Under the proposal, ransomware attacks would be considered a security breach.
In Virginia, a bill proposes new restrictions on businesses related to the disposal of certain consumer records, along with new requirements for manufacturers pertaining to the design and maintenance of devices that connect to the internet. Businesses would be required to take all reasonable steps to dispose of consumer records. However, the provision would not apply to HIPAA covered entities and business associates, because HIPAA has its own disposal requirements.
Lastly, Washington is considering a bill that would require companies to be transparent about the type of data being collected and whether consumer data is sold to data brokers, and, upon request from a consumer, to delete the consumer's personal data without undue delay.
GDPR as Inspiration
The European Union recently updated its privacy law through the passage and implementation of the General Data Protection Regulation, affording its residents the strongest privacy protections in the world.
In 2018, California enacted a new law that requires businesses to disclose the purpose for collecting or selling personal information, as well as the identity of the third-party organizations receiving the data. Under this law, consumers can also request that their data be deleted and can initiate civil action if they believe an organization has failed to protect their personal data.
While most states have not implemented measures to protect consumer data, New York, Ohio and South Carolina have adopted cybersecurity requirements that target industries including health plans and insurers.
According to Attorney Kirk Nahra, some states continue to examine the possibilities for increasing privacy and data security protections, both in currently regulated areas and in situations where federal law is not directly applicable through a specific law or regulation.
Nahra believes new state privacy laws can potentially have adverse effects.
For instance, the Oregon proposal permits uses of de-identified PHI. The Oregon proposal can reduce the useful research, public health and other benefits that are provided by de-identified information today, and at the same time create privacy and security risks for individuals by forcing companies to retain a link between the de-identified data and an identifiable individual.