The Vermont Legislature is considering a version of the Washington State My Health My Data Act (S.173) to regulate non-HIPAA health data. If passed, the Vermont law would go into effect on January 1, 2025. The bill is premised on the legislative fact that “Vermont residents consider privacy to be a fundamental right and an essential element of personal liberty.” It has far-reaching implications for organizations operating in and around Vermont.
Briefly, the bill would impose disclosure and consent obligations on covered entities before they collect, use, or disclose “consumer health data,” and it would prohibit installing geofences around entities that provide in-person health care services when the geofence is used to track consumer health care activities.
Why this is important: Organizations in New England and elsewhere that provide services to individuals in Vermont would likely be subject to this bill and its consent and disclosure requirements. Data collection entities within adtech/martech and the broader data ecosystem may also need to change their location-based data collection practices. Legal teams should consider whether and how their organization’s activities fall within the potential scope of the bill, whether or not the organization considers itself a health care company.
What organizations may be subject to the law: Like Washington’s law, Vermont’s law applies to “regulated entities” (in the administration’s version of the bill), meaning an entity that does business in Vermont, or that produces or provides services to Vermont consumers, and that collects, processes, sells, or shares consumer health data. Regulated entities that handle the consumer health data of fewer than 100,000 Vermont residents are defined as small businesses and are subject to fewer obligations; the bill describes a small business as a regulated entity that (a) collects, processes, sells, or shares the consumer health data of fewer than 25,000 Vermont residents and derives less than 50% of its gross revenue from those activities, or (b) collects, processes, sells, or shares the consumer health data of fewer than 25,000 Vermont residents. Vermont state agencies, and service providers contracted to process consumer health data on behalf of a government entity, are excluded from the definition of “regulated entity.” Like other recent state privacy laws, the bill would also regulate processors (natural or legal persons who process consumer health data on behalf of a regulated entity), and, as the bill is drafted, processors may include Vermont government agencies and their contracted service providers.
Whose data does this bill regulate: The bill would apply to a broad group of “consumers”: Vermont residents, and individuals outside of Vermont whose consumer health data is collected in Vermont. Like most comprehensive U.S. state privacy laws adopted to date, this definition excludes individuals acting in an employment context. How exactly that exclusion will be read remains to be seen. But unlike the comprehensive privacy laws of other U.S. states, Vermont’s bill appears to include a private right of action, so the issue is likely to be litigated, and how Vermont and federal courts interpret this term will have far-reaching implications across the U.S.
The data regulated by this bill is “consumer health data,” meaning personal information that identifies a consumer’s past, present, or future physical or mental health condition. The bill includes a non-exhaustive list of what constitutes consumer health data (personal health status, illnesses or diagnoses being treated, social, psychological, behavioral and medical interventions, biometric and genetic data, and location data precise to approximately one-third of a mile). The bill also includes data-level exemptions that could ease compliance for companies in highly regulated industries such as health care, financial services, and education. For example, data regulated by federal law (such as HIPAA, Part 2, the Gramm-Leach-Bliley Act, and the Family Educational Rights and Privacy Act) or by Vermont law (the Health Benefits Exchange Act), and data that is de-identified in accordance with the HIPAA Privacy Rule, are exempt from the bill. Even so, just as recent FTC enforcement actions have read the Health Breach Notification Rule more broadly than previously understood, the bill’s broad definition of the data it regulates may be interpreted broadly.
What obligations does this bill impose? As proposed, entities subject to this bill would be required to provide consumers with access and deletion rights and with revocable consent controls over how the entity collects, uses, and discloses consumer health data, including through sales. Consent here is defined similarly to the GDPR, as a clear affirmative act. Additionally, similar to the comprehensive privacy laws of other U.S. states, covered entities would be required to maintain a consumer health data privacy policy that discloses what consumer health data they collect and how that data is collected, used, and disclosed. If an entity wants to sell a consumer’s health data, it must obtain special permission from the consumer to whom the data relates.
The bill would also prohibit anyone, including entities that are not otherwise regulated, from deploying a geofence around an entity that provides in-person health care services where the geofence is used to identify or track consumers seeking health care services, to collect consumer health data from consumers, or to send consumers notifications, messages, or advertisements related to their consumer health data or health care services. Washington state’s My Health My Data Act includes a similar prohibition.