Assessing 'necessity' under state health privacy laws

By Felicity Slater and Kate Black in partnership with Future of Privacy Forum’s Jordan Wrigley, and Niharika Vattikonda

Washington state's My Health My Data Act and Nevada's Senate Bill 370 took effect 31 March, prompting entities that collect "consumer health data," as broadly defined by these laws, to assess their data collection, use and sharing through a novel lens. A unique requirement born out of these laws requires that entities analyze which elements of their health data collection, use and sharing are "necessary" to provide products or services requested by their consumers.

Under both MHMDA and SB 370, entities of all sizes, including for-profit and nonprofit organizations, may collect — defined to include "process in any manner" — and share consumer health data for purposes "necessary" to meet consumer requests without their explicit consent. Neither law defines what it means for data collection or use to be "necessary" to meet a consumer request. Organizations must appraise when their collection and sharing of health data is necessary to meet a consumer request and seek consent where it is not.

Learn more about MHMDA’s consent requirements in Part 5 of Hintze Law’s MHMDA Blog Series on here.

To do so, organizations should: establish which data sets constitute consumer health data under the law, and which systems process that data; implement a standard decision-making framework or assessment process to evaluate "necessity" across their business activities; minimize data collection and inferences of consumer health data; and remain flexible as guidance and enforcement activity that reveals attorney general and court interpretations of this exception develop.

Considerations for assessing necessity

In evaluating necessity, entities should establish a consistent decision-making framework or assessment process to evaluate whether a particular collection or processing activity is essential to their operations and to providing their service, and/or is one the average user would reasonably anticipate as necessary based on their knowledge and experience with the service.

This good faith fact- and circumstance-specific inquiry should consider data collection and use that is strictly necessary to provide a service — data activities your organization could not function without, such as data processed for financial auditing, product delivery or account authentication — as well as reasonably necessary — data activities your organization conducts to provide the products consumers are seeking, like data processed for product improvement or to provide expected personalization of a website.

Below are some factors such an inquiry should address. Note that while this guidance is based on a commonsense approach of what a court or regulator may consider, it is not directly derived from statute, and is not absolute.

1. Is the consumer health data core to the product or service?

Organizations should evaluate whether a particular use or transfer of consumer health data is core to operating, maintaining and delivering the service the individual is seeking and/or purchasing. If nonconsumer health data could be used to achieve the same product or service goal, it is unlikely that using consumer health data is necessary and entities should consider what other data, if any, could achieve the same purpose.

2. Would a reasonable person assume or expect that their data would be used when they explored, signed up for or purchased the service?

Entities should review and assess consumer feedback and branding to identify, as accurately as possible, what products or services the average consumer is seeking when visiting their website or using their app. If applicable, organizations should consider any consumer feedback related to "surprising" data use, as well as any internal research about which products and services are the most popular and document this analysis. Organizations can use the learnings from their review to assess what a reasonable consumer may expect when interacting with the brand, website or product.

Consumers may reasonably expect a broader use of their data — like greater or different types of personalization — the more they use and engage with the service. The expectations of a consumer upon first landing on a website differ from those of a customer who has used a service for several years or who is logged into an account when they engage with the service. Similarly, fewer consumer expectations can be assessed from multiservice webpages and/or services than from pages and/or services that focus on a particular service or condition. Likewise, it is more difficult to assess consumer intention or which services a consumer is seeking on a website or page with several different service and information offerings.

3. What is the risk of harm for collecting or sharing the consumer health data at issue?

Entities should be mindful that data related to sexual activity, gender identity, reproductive health, mental health or other health conditions that are widely considered highly sensitive is more likely to subject people to discrimination, stigma, mental anguish or other serious harms. The MHMDA and SB 370 were explicitly drafted and passed to address such harms, and entities should collect and share such data conservatively.

No one-size-fits-all approach for purpose-based data minimization

Limiting collection of data to that necessary to meet consumer requests creates a specific and contextual data minimization paradigm that will vary depending on the purpose and promise of a consumer health technology. A one-size-fits-all approach to data minimization may be ineffective as what data is "necessary" will likely vary depending on the functionality and aims of different technologies and business tactics. Companies should consider the following approaches to data minimization:

  1. Data point diversity and data volume. In evaluating their data processing, entities should consider both their data collection from data points — height and weight, for example — and the volume of data collected from data points — many height-weight entries over time. Under the laws, each data point processed without consent must be necessary to meet a consumer request, as must be the overall volume of data collected. Shortening data retention schedules can be particularly useful where data is collected consistently over time — menstruation data or heart rate related to activity level, for example — but its utility for website or service use may wane or vary.

  2. Inferences and subsequent data. Both MHMDA and SB 370 define "collect" to include "infer." Entities may create inferences of health from calculated fields, like body-mass index calculated from height and weight, as well as through combining two or more datasets. Complex systems often auto-generate such inferences at a large volume and scale. One way to reduce use of consumer health data is to take a critical view of those inferences when possible. Entities should evaluate the inferences they are making with the same gravity as originally collected data and should be mindful that inferences of consumer health data may be drawn from nonhealth data.

Conclusion

The MHMDA and SB 370 require entities to carefully evaluate how they collect and share consumer health data and whether that collection and sharing is "necessary." We recommend organizations develop a standard decision-making framework to assess whether an instance of data collection or sharing is likely to qualify as "necessary" under these laws. A purpose that does not directly serve the user, such as for advertising, is unlikely to be considered necessary. Purposes such as product development or improvement may fall in a gray area that would require robust user-centered reasoning for data collection without consent. Likewise, as noted, regulators and courts are likely to regard certain categories of consumer health data with greater scrutiny when evaluating whether the collection and use of that data is necessary to fulfill consumer requests against privacy risks. Therefore, entities should use caution in managing user inputs related to these categories, collecting data that may reveal status in these categories, and making inferences that reveal information about these categories that can be "linked or reasonably linkable to a consumer," if they choose to obtain or infer such consumer health data at all.

As attorney general and court interpretations of the MHMDA and SB 370 develop, additional factors in determining if data collection is "necessary" may be illuminated by specific use cases. Furthermore, organizations should remain alert to further guidance and enforcement activity and continue to carefully review collection of consumer health data, particularly data related to sexual and reproductive health, gender identity, mental health and other sensitive health conditions that were priorities in the development of the MHMDA and SB 370.

For more information on the MHMDA, check out our MHMDA series here.

The authors would like to thank Taylor Widawski, CIPP/E, CIPP/US, Mike Hintze, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, and Amie Stepanovich for their valuable input on the thinking that went into this piece.

This article was originally published by the International Association of Privacy Professionals (IAPP) and can be found here.

Felicity Slater is an Associate at Hintze Law PLLC. Felicity has experience with global data protection issues, including data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Kate Black is a Partner at Hintze Law PLLC and is Co-Chair of the firm’s Health and Biotech Privacy Group. Kate also heads Hintze Law’s Miami office. She counsels U.S. and global companies on comprehensive strategies for complying with regulatory obligations while achieving business objectives, growing and maintaining customer and public trust, and advancing revolutionary and innovative technology and research.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.