As the world increasingly steps into the digital age, the Vermont Legislature is deliberating a new bill, S.173, which aims to protect an area often overlooked: non-HIPAA health data. With a clear focus on bridging the gap in privacy protections for health information not covered by federal laws, the proposed legislation recognizes privacy as a fundamental right for Vermont residents.

Protecting Consumer Health Data

With the proposed law, Vermont draws inspiration from Washington's 'My Health My Data Act.' If passed, it will come into effect on January 1, 2025, presenting a new paradigm in the privacy landscape. The bill details stringent requirements for entities to disclose and obtain consent before collecting, using, or disclosing consumer health data. One of the significant provisions includes a prohibition on the use of geofences to track health care activities, reinforcing the commitment to privacy.

Implications for Business Entities

Organizations that conduct business in Vermont or provide services aimed at Vermont residents will need to align with these new regulations. These regulations impose obligations for data access, deletion, and revocable consent, among other things. However, small businesses and Vermont state agencies, including their contracted service providers, may find themselves subject to fewer obligations or exemptions.

The Broader Impact of S.173

Notably, the bill's influence could extend beyond the borders of Vermont. The legislation includes a private right of action, which is expected to result in litigation that may shape privacy law interpretations across the United States. S.173 aims to protect a vast array of health-related personal information, with exceptions for data already governed by federal or Vermont laws. This decisive step towards enhancing privacy protections mirrors the global trend of reinforcing individual rights in health data protection.