July 24, 2024
Connecticut Adds New Privacy Rules for Health Data
By adding a host of new protections for health data, Connecticut has continued to play an outsized role in privacy regulation. Learn more at TrueVault.

Data privacy remains a high priority for state lawmakers, and health data has become a special focus in 2023. California passed an amendment that bolsters protections for reproductive health data, and Washington lawmakers created a sprawling (and highly confusing) privacy law dedicated exclusively to consumer health data.

Connecticut Governor Ned Lamont also signed a bill into law over the summer that protects consumer health data. It is more substantial than the CCPA amendment, but significantly more restrained than Washington’s My Health My Data Act. Because it directly amends the existing Connecticut Data Privacy Act (CTDPA), any company that conducts business in the state should take note.

Here is an overview of the new requirements for businesses.

Consumer Health Data

Most of the changes to Connecticut’s privacy law are related to “consumer health data,” so it’s important to start with an understanding of what that term means. According to the statute:

“Consumer health data” means any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.

Protected health information that is covered by HIPAA is exempted from the CTDPA, so medical records are not what’s at issue here. Rather, it’s other data, not covered by HIPAA, that could nevertheless be used to infer or identify a health issue. For example, if a consumer had purchased items such as a pregnancy test and prenatal vitamins, a retailer could use that information to market other pregnancy-related products based on its assessed likelihood that the consumer is pregnant.

On the other hand, the definition suggests that it’s not enough to simply have that data; the controller has to use it to identify the health condition. In the pregnancy example above, if the retailer simply sold those products to the consumer but didn’t use her purchase history to infer anything or market other products to her, then it would appear that the purchase history is not “consumer health data.”

Geofencing

Geofencing is an important concept in the updated CTDPA, and one that not all businesses may be familiar with. A geofence is technology that uses location data such as GPS coordinates to create a virtual boundary. For example, marketers may use a geofence to display relevant ads if a consumer is within a certain distance of a business.

The Connecticut law creates new rules for using geofences to establish virtual boundaries around mental health facilities and reproductive or sexual health facilities.

Biggest Changes to the Law

The CTDPA amendments contain several major changes for businesses that control consumer health data.

1. Expanded scope

In a big expansion of the applicability of the CTDPA, all provisions that relate to consumer health data and consumer health data controllers apply to any business that conducts business in Connecticut or produces products or services that are targeted to state residents.

In other words, there is no minimum consumer count that must be met before businesses are required to comply with the new rules about consumer health data.

2. New Types of “Sensitive Data”

Under the CTDPA, “sensitive data” receives extra protection. Specifically, controllers must first get consent before processing any sensitive data.

These are the categories of data that are now considered to be sensitive data:

  1. Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status
  2. Consumer health data
  3. The processing of genetic or biometric data for the purpose of uniquely identifying an individual
  4. Personal data collected from a known child
  5. Data concerning an individual's status as a victim of crime
  6. Precise geolocation data

The addition of consumer health data here seems unnecessary at first, as the first category already includes “data revealing…mental or physical health condition or diagnosis.” However, it makes sense in the context of the CTDPA’s expanded scope for consumer health data (see item 1 above). In order for the expanded scope to apply to a particular provision, it must explicitly include the words “consumer health data.”

Protection for data revealing a person’s status as a victim of a crime seems to be unrelated to the amendments regarding consumer health data, but businesses should take note anyway.

3. Requirements for Processing Consumer Health Data

The CTDPA amendments add a specialized set of rules for the processing of consumer health data. Controllers are prohibited from doing any of the following:

  1. Providing any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality
  2. Providing any processor with access to consumer health data unless the processor meets all of the statutory requirements for processors
  3. Using a geofence to establish a virtual boundary that is within 1750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer's consumer health data
  4. Selling or offering to sell consumer health data without first obtaining the consumer's consent

The way the law is written, it is ambiguous whether a controller is allowed to get consent for all of these activities or just for the sale of consumer health data. Practically speaking, it may not make a difference, as controllers are unlikely to request (or receive) consent for the first three items in this list.

Ensuring that employees have a duty of confidentiality is a clear new rule that could affect many businesses. The prohibition on geofencing around certain health facilities is also a big change, though it’s likely to affect fewer businesses.
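For an engineering team that ships geofenced campaigns, the geofencing rule is the one item on this list that can be checked mechanically before a fence goes live. The script below is an added example written for this page; it is not code from the original post or from TrueVault, and it is not a legal interpretation of the statute. It assumes a circular geofence (centre plus radius), computes the great-circle distance from each facility to the nearest point on the fence boundary, and flags any facility whose 1,750-foot buffer that boundary intrudes into. A facility that sits inside the fence is also flagged, which is a deliberately conservative reading rather than the statute's words. The facility coordinates are constructed for the example and do not correspond to real locations; in practice the list would come from whatever facility data the business maintains.

```python
import math

# Mean Earth radius and unit conversion are standard values; the 1,750 ft
# buffer is the distance named in the amended CTDPA. The fence geometry
# (a circle) and the "inside the fence counts too" rule are assumptions.
EARTH_RADIUS_M = 6_371_008.8
FEET_PER_METER = 3.280839895
CTDPA_BUFFER_FT = 1750


def haversine_ft(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in feet between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_METER


def fence_buffer_violations(fence_lat, fence_lon, fence_radius_ft, facilities,
                            buffer_ft=CTDPA_BUFFER_FT):
    """Return (name, edge_distance_ft) for each facility the fence comes too close to.

    edge_distance_ft is the distance from the facility to the nearest point on
    the fence boundary: centre distance minus fence radius. If it is below
    buffer_ft the boundary lies within the buffer. A negative value means the
    facility is inside the fence, which is treated as a violation as well.
    """
    hits = []
    for name, lat, lon in facilities:
        centre_ft = haversine_ft(fence_lat, fence_lon, lat, lon)
        edge_ft = centre_ft - fence_radius_ft
        if edge_ft < buffer_ft:
            hits.append((name, round(edge_ft)))
    return hits


# Constructed sample data: made-up coordinates, not real facilities.
FACILITIES = [
    ("Clinic A", 41.7658, -72.6734),
    ("Clinic B", 41.7708, -72.6734),  # 0.005 deg north of A, about 1,824 ft away
    ("Clinic C", 41.7758, -72.6734),  # 0.01 deg north of A, about 3,648 ft away
    ("Clinic D", 41.7658, -71.6734),  # 1 deg east of A, tens of miles away
]

if __name__ == "__main__":
    # A 300 ft fence centred on Clinic A: A is inside it, B's buffer is
    # clipped by the boundary, C and D are clear.
    for name, edge in fence_buffer_violations(41.7658, -72.6734, 300, FACILITIES):
        print(f"{name}: boundary {edge} ft from facility (limit {CTDPA_BUFFER_FT} ft)")
```

Because the rule applies to the boundary rather than the centre, a large fence whose centre is miles from a facility can still be caught when its edge sweeps within 1,750 feet; subtracting the radius is what makes the check catch that case. For non-circular fences (polygons drawn on a map) the same idea applies with a point-to-polygon distance in place of the centre-minus-radius shortcut.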

The rule about processors creates a bit of a conundrum. Under the CTDPA (and other similar privacy laws), a data recipient is only a processor if it meets certain statutory requirements, such as adhering to the controller’s instructions. If a data recipient fails to meet those requirements, it is not a processor. Instead it is considered an independent controller of the data. Therefore this new rule about providing consumer health data to processors seems to have no real meaning, at least on the surface.

The requirement to obtain consent before selling consumer health data also appears to be superfluous. As a type of sensitive data, controllers must obtain consent before any processing of consumer health data, not just for the sale of the data.

Even though the impact of some of these new rules remains unclear, they do send a clear message that consumer health data should be treated with particular care.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
