11 July 2023
The latest health data privacy move just came from an unexpected location (unexpected for me, anyway): Nevada.
Why Nevada of all places? Part of the answer lies in the current politics of data privacy law. Because of lack of progress in Washington, a number of states have passed their own online consumer privacy laws in recent years. This organization lists ten states that have passed comprehensive data privacy laws within the last few years. (Note that Nevada isn’t on their list, since Nevada’s law is more narrowly about health data — more on that further down in this newsletter).
Wouldn’t this make more sense at the federal level? Since the internet doesn’t respect state boundaries (or at least, doesn’t respect them well or efficiently), it would certainly make more sense to have privacy law at the national rather than state level. From companies’ perspectives, compliance is much easier when laws are uniform. So why isn’t it happening nationally? It’s hard for me to believe that the interest isn’t there.
One possible explanation is simply that Congress is less able to pass legislation these days due to polarization. While privacy seems to me to be pretty bipartisan (or at least populist, both on the left and the right), gridlock may just have an inhibitory effect across the board. Raashee Gupta Erry, writing for the privacy consultancy Lucid, is optimistic about progress on health privacy law at the federal level, reasoning that it may be politically easier than comprehensive privacy law. The elephant in the room, of course, is the massive ad tech industry (aka the surveillance capitalism industry), of which Google and Meta are the two powerhouses. They, along with much of the rest of the tech industry, have been gaslighting the public for over two decades with the myth that privacy is dead (remember this 1999 quote from Sun Microsystems’ Scott McNealy?). So lobbying from that industry is presumably still part of the story.
So what does the Nevada law cover? First of all, the Nevada law appears to be modelled on a similar law in Washington (State, not DC, unfortunately). In contrast to HIPAA, which explicitly covers medical records, Nevada’s and Washington’s laws cover *any* personal health information, including information inferred by AI or other algorithms. And these laws also cover any organization in possession of personal health data (of a resident of the applicable state). This goes way beyond HIPAA’s “covered entities” that basically just include healthcare organizations, health insurers, and their workers. Nevada and Washington will require affirmative, voluntary consent from an individual before a company can share or sell their data. And they spell out process protections for consumers, such as the right to obtain information about their data, and not be subject to discrimination if they don’t consent to data sharing.
Nevada’s law does have a couple of interesting carve-outs. One is gambling companies, not surprising given the geography, and you could imagine how casinos wouldn’t want to be restricted from tracking comprehensive data on their customers. The other is “shopping habits”, which is a bit more problematic, since shopping patterns are a prime source for inferring medical conditions (Buying prenatal vitamins? How about a cane/walker? Adult diapers?).
Where do things go from here on a national level? My personal opinion is that these laws are way overdue and will be enthusiastically welcomed by the general population, which hopefully will raise political barriers to industry lobbyists trying to de-fang the laws down the road. As pointed out above, it’s a big and expensive hassle for businesses to comply with variable state laws. So it’s likely that in the short run, online businesses will simply comply with whatever state laws happen to be the strictest, regardless of where a customer might live. But at some point, particularly if these laws are seen as burdensome, there could be corporate pressure to pre-empt them all with a national privacy law. How restrictive or permissive might that be? With the current political situation, no one knows; stay tuned!
Here’s a link to my KevinMD essay on the limitations of HIPAA, along with the video of my interview with Dr. Kevin Pho.