WilmerHale lawyer Ali Jessani recently authored the article “Health Privacy in 2025 and Beyond,” published by the American Bar Association.
Data protection law in the United States has evolved rapidly over the past few years. The changes relating to health privacy have been particularly noteworthy. Gone are the days when companies only needed to worry about whether they fall under the purview of HIPAA. Now, almost all health data (as well as data that could potentially be associated with health data) is subject to laws on privacy or generally applicable consumer protection laws that are applied to privacy.
States, in particular, have been filling in various privacy gaps existing at the federal level as a result of the limited applicability of HIPAA and the lack of an omnibus federal privacy law. A number of states have passed comprehensive state consumer privacy laws, some of which regulate health data as sensitive data. Some states have also passed laws specifically aimed at regulating health privacy concerns, such as Washington’s My Health My Data Act.
At the same time, the Federal Trade Commission (FTC) has paid more attention to health data than ever before and has used enforcement actions involving health data to expand its potential enforcement authority. The Office of Civil Rights at the Department of Health and Human Services (OCR) has also been especially active in bringing new enforcement actions and proposing modifications to the HIPAA rules.
The future for health privacy promises both meaningful changes and more of the same. Changes in leadership at the FTC and HHS made by the new administration likely mean that the enforcement priorities will shift at these agencies. At the same time, state legislatures are likely to continue to focus on this area as an enforcement priority (especially as new laws pass and others go into effect). This article analyzes how these issues are likely to play out in the next year and beyond.