The Vermont Legislature is considering its version (S.173) of Washington’s My Health My Data Act to regulate non-HIPAA health data. If enacted, the Vermont law would take effect on January 1, 2025. The bill is premised on a legislative finding that “the residents of Vermont regard their privacy as a fundamental right and an essential element of their individual freedom,” and it could have a broad impact on organizations operating in and around Vermont.
Briefly stated, the bill would impose specific disclosure and consent obligations on entities subject to the law before they collect, use or disclose “consumer health data,” and it would prohibit placing geofences around entities that provide in-person health care services when the geofence is used to track consumers’ health care activities.
Why this matters: Organizations in New England and elsewhere that serve individuals in Vermont likely will be subject to this bill and its consent and disclosure obligations. Data-collecting entities within the adtech/martech and broader data ecosystems may also have to modify their location-based data collection practices. Legal teams will need to consider whether and how their organization’s activities could bring them within the potential scope of the bill, whether they view themselves as a health care company or otherwise.
What organizations could be subject to the law: As in Washington’s law, Vermont’s law would apply to “regulated entities,” the bill’s version of a controller: legal entities that conduct business in Vermont or produce or provide services targeted to consumers whose consumer health data is collected in Vermont. Regulated entities that (a) collect, process, sell or share consumer health data of fewer than 25,000 Vermont residents and derive less than 50% of their gross revenue from those activities or (b) collect, process, sell or share consumer health data of fewer than 100,000 Vermont residents are defined as small businesses and would be subject to fewer obligations. Vermont state agencies and service providers contracted to “process[] consumer health data on behalf of a government agency” are exempted from the definition of “regulated entity.” Like other recent state privacy laws, the bill would also regulate processors—natural persons or legal entities that process consumer health data on behalf of a regulated entity—and, as written, those could include Vermont state agencies and their contracted service providers.
Whose data would the bill regulate: The bill would apply to a broadly defined group of “consumers”: Vermont residents, or individuals outside of Vermont whose consumer health data is collected in Vermont. That definition, like most of the U.S. state comprehensive privacy laws adopted to date, excludes “individual[s] acting in an employment context.” Exactly how that exclusion would be read remains to be seen. But because the Vermont bill appears to contain a private right of action, unlike other U.S. state comprehensive privacy laws, it seems probable that this issue will be litigated, and how Vermont state and federal courts construe the meaning of this term would have broader impact across the United States.
What data would the bill regulate: Consumer health data, meaning personal information that identifies a consumer’s past, present or future physical or mental health status. The bill includes a non-exhaustive list of what can constitute consumer health data (such as information about individual health conditions, treatment, diseases or diagnosis; social, psychological, behavioral and medical interventions; biometric and genetic data; and related location information within about a third of a mile). There are data-level exemptions in the bill that may ease compliance for entities in highly regulated industries, such as health care, financial services and education. For example, data regulated by federal law (such as HIPAA, Part 2, the Gramm-Leach-Bliley Act, and the Family Educational Rights and Privacy Act) or Vermont law (the Health Benefit Exchange), and data de-identified in accordance with the HIPAA Privacy Rule, are all exempted from the bill’s scope. In any event, the bill’s definition of regulated data could be read broadly, just as recent FTC enforcement activity requires a broader reading of the Health Breach Notification Rule than was previously understood.
What obligations would the bill impose: As proposed, entities subject to the bill would be required to provide consumers with access and deletion rights and to obtain revocable consent to how the entities collect, use and disclose consumer health data (including through sales). Consent here is similar to the GDPR’s definition of it as a clear affirmative act. Moreover, similar to other U.S. state comprehensive privacy laws, subject entities would need to maintain a consumer health data privacy policy that discloses what consumer health data they collect and how that data is collected, used and disclosed. If a subject entity wishes to sell consumer health data, it would have to receive specific authorization from the consumer whose data it is.
It also prohibits anyone—even non-subject entities—from implementing a geofence around an entity that provides in-person health care services if the geofence would be used to identify or track consumers seeking health care services, collect consumer health care data from consumers or send notifications, messages or advertisements to consumers related to their consumer health data or health care services. Washington’s My Health My Data Act contains a similar prohibition.