Privacy Matters | Two more states pass comprehensive consumer privacy legislation, David Copeland offers an introduction to unstructured health data within the privacy preservation space, & more

April 20, 2023 | By

Privacy Matters

Privacy Hub's monthly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary

To subscribe to our newsletter, click here


The last few weeks in a flash:

  • Iowa and Indiana become the sixth and seventh states to pass comprehensive consumer privacy legislation—with Washington poised to follow with broad-based health data privacy law
  • Study finds that 99% of U.S. hospitals used online data trackers that shared visitors’ health data with a wide network of outside parties, including major technology companies
  • HHS and the Biden administration propose rule to amend HIPAA to protect reproductive health data 

Leading Stories

Iowa becomes sixth US state to enact comprehensive consumer privacy legislation
IAPP (March 29, 2023)
"On 29 March, Iowa became the sixth state to pass a comprehensive privacy law, joining Connecticut, Utah, Virginia, Colorado and California. The law will go into effect on 1 Jan. 2025, giving organizations 21 months to comply with the new requirements from this state with over 3 million residents." Keep reading 

  • Senate File 262 relates to consumer data protection, providing civil penalties, and including effective date provisions.


Indiana Legislature Passes Consumer Data Privacy Bill

Husch Blackwell LLP (April 14, 2023)

"The Indiana legislature is the seventh state legislature to pass consumer data privacy legislation. On April 13, 2023, the Indiana legislature passed SB 5. The bill largely tracks the Virginia Consumer Data Protection Act (VCDPA) with some limited variations." Keep reading

  • Senate Bill 5 establishes a new article in the Indiana Code concerning consumer data protection, and it is to take effect January 1, 2026.

Washington State Poised to Enact “My Health My Data Act”
WilmerHale (April 18, 2023) 
"On Monday, April 17, the Washington House passed an amended version of the My Health My Data Act (HB 1155) (the 'Act'), a bill that would impose sweeping new requirements on the collection, processing, and sale of consumer health data in the state. The Act had been passed by the Senate on April 5 and now moves to Governor Jay Inslee’s desk for signature. If enacted, the My Health My Data Act would constitute a major development in the U.S. privacy law landscape. While we have seen an increased interest in the regulation of health data by the Federal Trade Commission, the My Health My Data Act would represent a novel step towards regulating health data at the state legislative level. And the Act’s impact would be significant." Keep reading

Hospitals pledge to protect patient privacy. Almost all their websites leak visitor data like a sieve.
STAT News (April 3, 2023)
"A new study found that 99% of U.S. hospitals employed online data trackers in 2021 that transmitted visitors’ information to a broad network of outside parties, including major technology companies, data brokers, and private equity firms. . . The ubiquitous use of the tracking tools may clash with the privacy expectations — if not the legal protections — that consumers take for granted as they browse online in search of medical care and information." Keep reading

HHS proposes rule shoring up HIPAA to protect reproductive health data, including around abortions
Healthcare Dive (April 12, 2023)
"The Biden administration has proposed a new rule that would ban providers, health insurers and other entities covered by the HIPAA privacy law from sharing patient information that could be used to investigate abortions. The proposed regulation released Wednesday from the HHS Office for Civil Rights is meant to protect patient-provider confidentiality and prevent private medical records from being used against people seeking, obtaining or providing legal reproductive healthcare, including an abortion or miscarriage management, the HHS said." Keep reading 


Experts Expound

As this month's guest commentator, David Copeland, Ph.D., Senior Data Scientist & Privacy Expert at Datavant, offers an introduction to the challenges and opportunities behind unstructured health data within the privacy preservation space.

David Copeland Headshot


Unstructured health data—physician notes, patient histories, and free-form lab results, primarily—presents challenges to the clinical landscape that are equally profound as its opportunities.

Within this reservoir of fluid, undefined information are rich insights and learning potentials that are now beginning to be tapped through the power of large language models, medical training corpuses, and named entity recognition. This utility makes unstructured data an increasingly valuable clinical resource.

However, the absence of structure also risks personally identifying information as direct as patient names or social security numbers easily propagating in free-text records. In order to de-identify unstructured data under HIPAA, privacy experts must be able to quantify this risk. The most reliable approach would be to manually review every record in such a dataset; however, this becomes extremely expensive in time resources for datasets larger than tens of thousands of records. Rule-based interrogations of data—though quicker to execute—are insufficient to accurately detect high-risk information with limitless potential forms.

The same language model technologies developed for clinical utility extraction offer a potential solution path if they can be deployed to capture patient identifiers like names, addresses, and birth and death events. Several organizations have already trained models to provide this capture for select identifiers with encouraging results. To translate these successes to a robust framework for efficient evaluation of unstructured data, two key obstacles remain:

1. The HIPAA Privacy rule requires that the risk of re-identification must be very small for de-identified data. So, any automated tool would therefore have to achieve the steep challenge of finding all of the patient identifiers present in any given dataset with only a very small margin for missing any necessary redactions.

2. HIPAA requires that information is assessed directly. This means that either the output of a tool would have to be explicitly reviewed to determine if it was de-identified or that the input data would have to be shown to be sufficiently statistically similar to data that had previously undergone this testing.

While these challenges are far from trivial from technical and compliance standpoints, the rapid evolution of large language models and their application to unstructured health data points is extremely promising both for extracting clinical value and mitigating the risk of patient re-identification that accompanies it..


Government Watcher

Biden-⁠Harris Administration's Actions to Protect Patient Privacy at the Third Meeting of the Task Force on Reproductive Healthcare Access

  • Background & Latest Developments: On April 12, the Biden-Harris Administration announced new actions to safeguard patient privacy at the third meeting of the Task Force on Reproductive Healthcare Access with Vice President Harris. These announcements build on actions that the Administration has taken to protect privacy and access to accurate information in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, as the President directed in his first Executive Order to protect access to reproductive health care, including abortion. 

American Data Privacy and Protection Act

  • Background: The ADPPA was a United States proposed federal online privacy bill that, if enacted into law, would have regulated how organizations keep and use consumer data. In July 2022, the bipartisan, bicameral bill was the first American consumer privacy bill to pass committee markup, which it did with near unanimity.
  • Latest Developments: 
    Revised American Data Privacy and Protection Act Due to be Released
    The HIPAA Journal (April 14, 2023)
    "Last month, the U.S. House of Representatives’ Committee on Energy and Commerce held the third of three scheduled meetings ahead of a release of a new draft of the American Data Privacy and Protection Act (ADPPA), which is edging closer to being the first, comprehensive federal privacy legislation to be signed into law in the United States." Keep reading

California Consumer Privacy Act

  • Background: The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill, which established a foundation for consumer privacy regulations, was passed by the California State Legislature and signed into law in 2018. In November 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act, which amends and expands the CCPA.
  • Latest Developments: 
    CCPA Regulations Approved
    K&L Gates LLP (April 5, 2023)
    "On 29 March 2023 the California Office of Administrative Law approved the first final rulemaking package proposed by the California Privacy Protection Agency (CPPA or the Agency), which is the implementing and enforcement agency created under the California Consumer Privacy Act (CCPA). The package consists of (1) the CPPA’s proposed regulations (Regulations), and (2) the CPPA’s final statement of reasons. The Regulations, which are now a part of the CCPA, took effect 29 March 2023. The CPPA is expected to publish the final rulemaking documents on its website the week of 3 April 2023." Keep reading

Food for Thought

HIPAA reform should protect patients, scale back silos around medical data
Healthcare Dive (March 24, 2023)
"Lifespark chief executive Joel Theisen argues for an update of HIPAA that acknowledges an advanced technology landscape and gives providers a fuller picture of patient health." Keep reading 

Automated De-Identification For Personal Health Data Privacy
Forbes (April 11, 2023)
"People create data. Every interaction we humans make with our apps, machines, devices, services and computing platforms inititiates computing ‘events’ which in turn create log files and ultimately form some part of the planet’s ever-growing data mountain. As we now increasingly digitize our lives, more and more of that ‘people data’ is individually-specific to ourselves and therefore sensitive from a privacy and security perspective." Keep reading

Treating Healthcare Data Responsibly
Forbes (April 11, 2023)
"Gathering and analyzing various datasets about the different points in the customer journey and putting them together compliantly is critical to delivering high-quality, personalized care to patients. By analyzing data to identify patterns and trends, healthcare providers can deliver faster care, bespoke treatments and lower costs. Compliance with regulations is critical to building trust with patients and ensuring that data is used in a responsible and ethical manner." Keep reading

Best of the Rest

How Synthetic Data Can Help Train AI and Maintain Privacy
Information Week (April 17, 2023)
"It is not always feasible, or ethical, to use live data to train AI or test out software platforms -- making a case for synthetic and augmented data to solve certain development needs. Stakeholders such as IBM, Gartner, and Datavant share some insights on benefits synthetic data can offer." Keep reading

Feedback or questions? We'd love to hear from you!
Reach us at

Related Newsletters

Privacy Matters | Congress turns its attention to federal privacy legislation, Kristen Rosati advocates for a national standard for de-identification, & more

Privacy Matters | Congress turns its attention to federal privacy legislation, Kristen Rosati advocates for a national standard for de-identification, & more

Privacy Matters | Data breach compromises Congress members' health information, Vera Mucaj on the privacy implications of linking RWD to clinical trial data, & more

Privacy Matters | Data breach compromises Congress members' health information, Vera Mucaj on the privacy implications of linking RWD to clinical trial data, & more

Privacy Matters | Several states introduce new privacy bills, Ofer Mendelevitch reflects on synthetic data's privacy capabilities, & more

Privacy Matters | Several states introduce new privacy bills, Ofer Mendelevitch reflects on synthetic data's privacy capabilities, & more