Under the My Health, My Data Act, the definition of “consumer health data” is similar to the HIPAA definition of “protected health information.” The similarity of these definitions is important because the Act exempts protected health information under HIPAA from the Act’s requirements.
It is unlikely that a health care provider that is a HIPAA covered entity would maintain a large amount of patient health data that does not meet the definition of protected health information. However, providers should still review the health data that they collect, share, and use to determine whether any of it is subject to the Act.
For example, under the Act, “consumer health data” includes data associated with a persistent unique identifier, such as a cookie ID, an IP address, or a device identifier. Therefore, any tracking information that a health care provider collects from visitors to the provider’s website could potentially constitute “consumer health data” under the Act. Recent guidance from the Office of Civil Rights states that tracking information collected from webpages that provide only general information about the provider does not necessarily constitute protected health information. However, this guidance does not apply to the My Health, My Data Act.
Therefore, HIPAA covered entities should review how they use online tracking technologies to gain insights from the usage patterns of website visitors. Information collected from such technologies could constitute consumer health data that is subject to the My Health, My Data Act.