Lesson 24 of 25
Sector & Emerging State Rules: Health, AI & Insurance
5 min read · CIPP/US
The frontier the new blueprint adds: consumer-health-data laws beyond HIPAA like Washington's MHMDA, profiling and automated-decision opt-outs, state AI governance, and the NAIC AI and Insurance Data Security model guidance.
Consumer health data beyond HIPAA
- HIPAA gaps: apps, wearables, websites collect health data
- Washington's My Health My Data Act fills the gap
- Broad "consumer health data" definition + consent
- Private right of action raises the stakes
The newest state developments are exactly what the updated blueprint added, so this lecture is high-yield. Start with consumer health data. Remember from Domain two that HIPAA only covers data held by covered entities, leaving a huge gap: health-related data collected by apps, wearables, and websites is largely outside HIPAA.
States are closing that gap, and the leading example is Washington's My Health My Data Act. It defines consumer health data broadly, well beyond HIPAA's P-H-I, requires consent to collect or share it, bans certain geofencing around health facilities, and, notably, carries a private right of action. So when a scenario involves a period-tracking app or a health website that isn't a HIPAA covered entity, the answer is increasingly a state consumer-health-data law, not HIPAA.
Profiling and automated decisions
- State laws give opt-out of certain profiling
- Profiling with legal/significant effects is the trigger
- Right to know logic / meaningful information (emerging)
- Echoes GDPR Article 22 concepts in a U.S. form
A second emerging theme is automated decision-making and profiling. The state comprehensive laws already give consumers the right to opt out of profiling that produces legal or similarly significant effects: decisions about credit, housing, employment, or insurance that are made or substantially aided by automated processing. Newer rules and regulations are pushing further, toward transparency about the logic involved and a right to meaningful information or even to contest a decision, concepts that echo the GDPR's restrictions on solely automated decisions.
The exam wants you to recognize that the U.S. is developing its own profiling-and-automated-decision rules at the state level, so when a scenario describes an algorithm making a consequential decision about a consumer, think state profiling opt-outs and the transparency duties forming around them.
AI governance and the NAIC guidance
- States enacting AI/automated-decision governance rules
- Colorado's AI Act targets high-risk algorithmic discrimination
- NAIC AI Systems (AIS) governance guidance for insurers
- Bias testing, governance, and accountability themes
Artificial intelligence governance is the frontier, and the blueprint specifically calls out the N-A-I-C guidance. At the state level, broad AI laws are appearing; Colorado's AI Act, for instance, targets algorithmic discrimination in high-risk systems and imposes duties on developers and deployers to guard against bias. In the insurance sector, the National Association of Insurance Commissioners, the N-A-I-C, issued guidance on the use of artificial-intelligence systems, sometimes called A-I-S governance, expecting insurers to maintain governance frameworks, test for unfair discrimination, and stay accountable for AI-driven decisions affecting consumers.
You don't need to memorize every provision, but recognize the pattern the exam tests: AI governance is moving from voluntary principles toward enforceable state rules and sector guidance built around fairness, transparency, and accountability.
The NAIC Insurance Data Security Model Law
- Model law adopted by many states for insurers
- Requires a written information-security program
- Risk assessment, governance, incident response, breach notice
- Sector-specific cousin of the GLBA Safeguards Rule
One more named source to know is the N-A-I-C Insurance Data Security Model Law, which many states have adopted to govern data security in the insurance industry. It requires licensees to maintain a comprehensive written information-security program based on a risk assessment, with board or management oversight, controls over service providers, an incident-response plan, and notification of cybersecurity events to the insurance commissioner. If that sounds familiar, it should: it's the insurance sector's cousin of the GLBA Safeguards Rule and the HIPAA Security Rule, the same risk-based, written-program, oversight-and-notify structure you've seen repeatedly.
The exam likes that you can recognize this recurring security architecture across sectors rather than treating each as brand new.
Keeping the moving target in view
- New state laws and amendments arrive constantly
- Effective dates roll; the active-state list keeps growing
- Watch for a possible federal comprehensive law
- Practice the pattern, not just a memorized state list
A word about studying a moving target, because Domain five changes faster than any other part of the exam. New state comprehensive laws are enacted regularly, existing ones get amended, and effective dates roll out on staggered timelines, so the precise list of active states and the fine details shift from year to year. The IAPP updates the Body of Knowledge to keep pace, which is exactly why this domain was reweighted upward.
There's also a wildcard: Congress periodically debates a federal comprehensive privacy law, and if one passes it could preempt or reshape the state regime entirely. The exam-smart response is not to memorize a brittle list of states and dates that may be stale by exam day, but to master the pattern: the California model, the Virginia-style template, the consent tiers, the exemptions, the universal opt-out, so that whatever specific law a question names, you can reason about it from the structure. Learn the architecture, and the individual buildings become readable.
Exam reasoning and Domain V wrap-up
- Health data outside HIPAA → state consumer-health laws
- Algorithmic decisions → profiling opt-outs + emerging AI rules
- Insurance → NAIC model law + AIS governance guidance
- Domain V arc: breach/biometrics → CA model → template → rights → emerging
Let's set the reasoning and wrap Domain five. If health data sits outside HIPAA (an app, a wearable, a website), reach for a state consumer-health-data law like Washington's, not HIPAA. If an algorithm makes a consequential decision, think of the state profiling opt-out and the emerging AI-governance rules.
If it's insurance, recall the N-A-I-C model security law and the A-I-S governance guidance. Now the domain arc, which holds the whole heavy block together: you started with the universal foundations, breach notification and biometrics like BIPA, then California as the founding comprehensive model, then the Virginia-style template the other states share, then the mechanics of rights and consent, and finally these emerging health, profiling, AI, and insurance rules. That's the most-weighted territory on the exam, and you've now mapped it.
Now go test yourself, then we finish with exam-day strategy.
Sources
- Washington My Health My Data Act (consumer health data)
- state automated-decision/profiling and AI provisions in comprehensive privacy laws
- NAIC Insurance Data Security Model Law and NAIC AI/AIS governance guidance
- Colorado AI Act direction
- IAPP CIPP/US Body of Knowledge, Domain V.B (new content: state health-data, AI governance, and NAIC guidance)
Test your knowledge
A few CIPP/US questions on this material.
Q1. A departing employee takes confidential customer data from the company network to a personal device without authorization. The Computer Fraud and Abuse Act (CFAA) may apply if:
Q2. An HR manager who is also a nurse reviews an employee's health records in the company health plan system out of curiosity, not for any plan administration purpose. This most likely violates:
Q3. Social media reports purchased from a third-party vendor and used for employment decisions may be regulated as 'consumer reports' under the FCRA if they:
Q4. Under the CCPA/CPRA, 'sharing' of personal information differs from 'selling' in that sharing specifically captures: