With the rising popularity of health apps, wearable technology, and direct-to-consumer genetic testing, the need to protect consumer health information is becoming more apparent. Around this time last year, Washington state became a national leader in protecting consumer health information by enacting the My Health My Data Act (MHMDA). This groundbreaking privacy law protects personal health data that falls outside the Health Insurance Portability and Accountability Act (HIPAA), which primarily safeguards patient health information in a healthcare setting. With MHMDA, new protections extend into the commercial sphere, prohibiting businesses from collecting, sharing, or selling consumers’ sensitive health data without consent.
Following the lead of Washington, Nevada passed a law in 2023 with requirements very similar to those of the MHMDA; it recently took effect in March 2024. Both state laws apply to entities that conduct business or provide products or services targeted to consumers in the respective state, and both offer robust protections regarding consent and stringent requirements for breach notification.
The Illinois Genetic Information Privacy Act (GIPA) is another longstanding example of efforts to protect health-related consumer data. Enacted in 1998, GIPA regulates the confidentiality and use of genetic testing and genetic information by employers and insurers. While this law has been in effect for some time, the General Assembly has continued expanding the scope of GIPA. For example, in 2019, the law was revised to prohibit commercial genetic testing companies from sharing test information with life insurance companies. According to Law360.com, the number of GIPA class action lawsuits is trending upward with over 50 complaints filed in 2023 and new suits already filed in the beginning of 2024.
As consumer health data becomes more intertwined with everyday technology, the need for health data privacy laws becomes more apparent. Washington and Nevada have set significant precedents with their respective laws, and Illinois continues to strengthen its protections. This all indicates a growing recognition of the importance of safeguarding personal health information. Data privacy experts at Quandary Peak anticipate that more states will act on this matter.

What Is Consumer Health Data
Consumer health data is most broadly defined under Washington’s My Health My Data Act, which includes personal information that is linked or reasonably linkable to a consumer and identifies their past, present, or future physical or mental health status. Physical and mental health status is further defined as:
- health conditions, treatment, diseases or diagnoses;
- social, psychological, behavioral, and medical interventions;
- gender-affirming care information; and
- reproductive or sexual health information, among others.
Most notably, the law also covers any information that is derived from non-health information and processed to associate or identify a consumer with the data described above. In other words, businesses cannot process health information derived or inferred from non-health data. For example, a business cannot draw inferences about a consumer’s health status from purchases of products such as toiletries.
Public or peer-reviewed scientific, historical, or statistical research that adheres to all other applicable ethics and privacy laws, however, is not protected as consumer health data.
Get Expert Analysis For Fast-Changing Data Privacy Regulations
Quandary Peak’s data privacy experts have a proven track record of helping to achieve favorable outcomes in numerous class actions and lawsuits alleging violations of consumer privacy law. Contact us today to recruit a software expert who is experienced in providing research and analysis for fast-changing data privacy regulations.