How Telehealth Companies Can Prepare for 2023 State Privacy Laws

Disclaimer: The information contained in this blog post is provided for informational purposes only and should not be construed as legal advice. You should not act or refrain from acting on the basis of any content included in this blog without seeking legal or other professional advice.

2023 will bring with it new (or amended) comprehensive privacy laws in five states: California, Colorado, Connecticut, Utah, and Virginia. It’s no surprise, because when California signed the California Consumer Privacy Act (“CCPA”) into law in 2018, most industry projections indicated that other states would soon follow suit.

Now, those projections are coming to fruition as the momentum for privacy legislation is at an all-time high. The result has been a patchwork of privacy regulations around the country, with more on the horizon.

With so many different laws, it may seem overwhelming to develop a plan for regulatory compliance if your telehealth company operates across multiple states, but now is the time for your company to prepare if it hasn’t yet begun.

How to prepare for new privacy laws

First, your company should analyze whether any of these state laws will apply to your virtual care business and its operations. To the extent one or more of these laws apply to your company, it is important to evaluate your company’s existing privacy compliance measures to find any gaps and assess the core steps your company may need to take to fill those gaps.

  1. Update existing privacy policies
  2. Review contract templates to assess how data is shared with third parties such as vendors
  3. Analyze your company’s marketing practices to determine whether any existing practices amount to targeted advertising

These are great starting points for your company no matter the type of data, but below are quick tips for how your company can plan for compliance for two specific categories of data that may be impacted by these laws.

Employment data changes in 2023

Each state has a different approach to employment data. For example, the Colorado Privacy Act and Virginia Consumer Data Protection Act both exclude employment data from the definition of consumer data.

However, beginning on January 1, 2023 all California Privacy Rights Act (which clarifies existing provisions of the CCPA) obligations will apply to employees. Whatever the state-specific approach, employees may have certain rights when it comes to employment data. Specifically, employees may have the right to restrict uses of sensitive personal information, the right to opt out of the sale of personal information, or other rights regarding their data.

Tips for telehealth companies

  • Telehealth companies must fully understand what data is classified as employment data (e.g., data about employees, job applicants, data collected in the context of employment, etc.).

  • Understand what rights employees (prospective, current, and former) have when it comes to their employment data.

  • Clearly identify the department that will be responsible for responding to any requests for consumers to exercise their rights regarding their employment data (e.g., right to deletion, etc.). Will it be your people team, your privacy team, your legal team, or will it be a combination of teams?

Protected Health Information (PHI) in 2023

In general, Health Insurance Portability Accountability Act (“HIPAA”)-regulated entities enjoy broad exemptions under each state’s privacy laws. However, HIPAA-regulated entities might still collect information that falls within the scope of these laws depending on the state.

For example, your company might collect data on your website’s homepage via a “Connect With Us” form. This information is not PHI, and may not be exempt in certain states.

Tips for telehealth companies

  • Categorize the data that your company collects to understand your obligations for each subset of data.

  • Consider a data bifurcation plan for PHI and other data collected.

  • If your organization is a covered entity (as defined under HIPAA), avoid developing internal policies indicating that all data collected as a covered entity is exempt under these state laws as your company may still collect data that is not exempt.

Protecting data now and in the future

Now is the time to prepare your company for compliance with state privacy laws. It is extremely important to review your current compliance framework and build upon that framework as needed.

Telehealth companies should also understand which set of rules to pay attention to and when data is included or excluded. Because of this need, data mapping will be extremely important. Specifically, companies must know and categorize the data it collects, know the permissions and controls associated with that data, know where the data is going, and know the applicable obligations for that data.

Finally, telehealth companies must designate responsible departments and continue to review their approach to protecting data — understanding that the consumer data privacy world is not a static environment as more states continue to prioritize data privacy laws.

Read more from Wheel’s in-house team of telehealth regulation experts.