April 19, 2021

Volume XI, Number 109

April 16, 2021

What Virginia’s New Privacy Law Means for Organizations in the Healthcare Industry

Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023, the same date on which the California Privacy Rights Act (“CPRA”), which amends the California Consumer Privacy Act (“CCPA”), takes effect. While the CDPA has fairly broad exemptions for entities regulated by other laws, such as HIPAA, it also introduces a new “opt-in” requirement for collecting “sensitive data.”

Our sister blog goes into a more detailed discussion of the requirements under Virginia’s law. Here, we cover highlights of the law relevant to companies operating in the healthcare space.

Requirements for Collecting “Sensitive Data”

The CDPA requires “freely given, specific, informed, and unambiguous” consent (i.e., an opt-in requirement) before any entity or person may collect or process “sensitive data.” Among other itemized examples, “sensitive data” includes information revealing a mental or physical health diagnosis, as well as genetic or biometric data processed for the purpose of uniquely identifying a natural person. The CDPA’s definition generally aligns with the definition of sensitive data in the CPRA; the CPRA, however, will create an “opt-out” right for sensitive data uses when it comes into effect in 2023, rather than the CDPA’s opt-in requirement.

In addition, the CDPA calls for documented data protection assessments, similar to those required under the European Union’s General Data Protection Regulation (“GDPR”). No such requirement exists under the CCPA. Assessments are required in a number of situations, including where sensitive data is processed. Each assessment should identify and weigh the benefits of the processing to the company, the consumer, other stakeholders, and the public against the potential risks to the consumer, taking into account the safeguards in place to mitigate those risks. The assessment requirement applies to processing activities created or generated after January 1, 2023, and is not retroactive. Assessments must be made available to the Attorney General upon request, pursuant to an investigative civil demand.

Exemptions

While both the CDPA and the CCPA include multiple exemptions, the CDPA’s exemptions are broader than those in the CCPA. The CCPA largely exempts types of information governed by other laws, but not the entities subject to those other laws altogether. In contrast, the CDPA’s exemptions cover all types of information held by enumerated categories of exempt entities, including “covered entities” and “business associates” subject to HIPAA, as well as nonprofit entities.

In addition to exemptions at the entity level, the CDPA provides several exemptions for types of information. Relevant to organizations in the healthcare space, the CDPA exempts:

  • identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46;

  • identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;

  • the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law; and

  • information derived from any of the health care-related information listed that is de-identified in accordance with HIPAA’s requirements for de-identification.

Enforcement and Penalties

Virginia’s law has no private right of action; the Attorney General has exclusive enforcement authority over the CDPA. Before initiating any action, the AG must provide 30 days’ written notice to a company it believes is in violation of the law, along with an opportunity to cure. If the violation is not cured within that period, the AG may initiate an action and seek civil penalties of up to $7,500 for each violation.

Practical Considerations

Entities subject to HIPAA may breathe a sigh of relief based on the CDPA’s broader exemptions. However, entities not regulated by HIPAA that nonetheless collect “sensitive data,” such as mental or physical health diagnosis information, should begin evaluating what steps are needed to comply with the new requirements introduced by Virginia’s law, namely the requirement to obtain opt-in consent for collecting “sensitive data” and the need to conduct data protection assessments.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 67

About this Author

Matthew Shatzkes, Partner, Sheppard Mullin (New York)

Matthew Shatzkes is a partner in the Corporate Practice Group in the New York office of Sheppard Mullin and is a member of the firm’s healthcare practice team.

Areas of Practice

Matthew provides strategic, regulatory, compliance, and transactional advice to all manner of health care clients, including health systems, hospitals, academic medical centers, long-term care providers, ambulatory surgery centers, diagnostic and treatment centers, physician practices, digital health companies and investors....

212-634-3062

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334