Washington State is on track to pass a far-reaching new piece of legislation in the upcoming weeks. The “My Health My Data” Act (House Bill 1155), if signed into law, will take effect starting on March 31, 2024. The title of the law implies that it will only apply to health care related industries, when in fact the law applies to any entity that conducts business or targets customers in Washington State. As a result, many companies are racing to understand the implications of the new law. Here are the highlights.
At a high level, the law protects consumer health data collected by all entities and not only by health care providers that are subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Consumers often mistakenly believe that HIPAA protects the privacy of their health data on any and all apps and websites when in fact the party collecting the data is not subject to the HIPAA rules.
The My Health My Data Act will require additional disclosures and consumer consent regarding the collection, sharing and use of consumer health information and will give consumers the right to have their health data deleted. Additionally, the law will prohibit the selling of consumer health data without valid authorization signed by the consumer and will make it unlawful to track a consumer’s location around a facility that provides health care services (the law refers to this practice as “geofencing”). Notably, the law extends to consumers a private right of action against companies that do not comply. This means that any individual whose data is not protected in compliance with the proposed My Health My Data Act may file a claim against any company not in compliance.
Who does My Health My Data apply to?
The law applies to any “regulated entity,” which it broadly defines as any entity that (a) conducts business in Washington or provides or produces products or services that are targeted to consumers in Washington, and (b) determines the purpose and means of collecting, processing, sharing or selling consumer health data. (For readers familiar with GDPR and similar legislation, this definition borrows from the “data controller” concept.) Excluded from the definition of “regulated entity” are government agencies, tribes, and service providers working on behalf of government agencies.
What Data is Covered?
The law defines “consumer health data” as any personal information linked to or reasonably linkable to a consumer that identifies a consumer’s past, present or future physical or mental health status. This expressly includes 12 categories of data:
- individual health conditions, treatment, diseases, or diagnoses;
- social, psychological, behavioral, and medical interventions;
- health-related surgeries or procedures;
- use or purchase of prescribed medication;
- diagnoses or diagnostic testing, treatment or medication;
- gender-affirming care information;
- reproductive or sexual health information;
- biometric data;
- genetic data;
- precise location data that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
- data that identifies a consumer seeking health services or supplies; or
- any information that a regulated entity or small business (or their processor) processes to associate or identify a consumer with the above-listed categories of data, even where derived or extrapolated from nonhealth information (such as data derived or inferred by any means, including algorithms or machine learning).
What are the Requirements?
- Consent to Collect; Consent to Share
From there, the regulated entity must obtain consent from the consumer prior to sharing the consumer’s health data, except to the extent necessary to provide a product or service requested by the consumer. This consent must be separate and distinct from the consent required at time of collection.
- Opt-in Requirement for Sale of Consumer Health Data
One of the more distinctive aspects of the new law is the high bar it sets for sales of consumer health data, making it unlawful to sell or offer to sell consumer health data without first obtaining valid authorization from the consumer. To qualify as “valid authorization,” a document must be written in plain language and must contain all of the following:
- the specific consumer health data that the person intends to sell;
- the name and contact information of the person collecting and selling the consumer health data;
- the name and contact information of the person purchasing the consumer health data;
- a description of the purpose of the sale, including how the information will be gathered and how it will be used by the purchaser;
- a statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
- a statement that the consumer has a right to revoke the valid authorization at any time (and a description of how to submit a revocation);
- a statement that the consumer health data sold per the valid authorization may be subject to redisclosure by the purchaser and no longer protected;
- a one-year expiration (meaning, the consent is only valid for one year); and
- the consumer’s signature and date.
Without all of the above, the authorization is not valid. The seller and purchaser must retain copies of all authorizations for six years.
- Access and Control
Following the path of many other states in the new patchwork of state privacy laws, the Washington law grants consumers broad rights to access and control their consumer health data collected by the regulated entity. This includes confirming whether the information is actually being collected, a list of all third parties it has been shared with, and an email address or other online mechanism that the consumer can use to contact these third parties. The consumer may withdraw his or her consent to the processing of the data anytime and can ask for the data to be deleted.
- Data Minimization; Appropriate Administrative, Technical and Physical Controls
Similar to other state privacy laws, the Washington law will require that access to consumer health data be restricted within the company to only those employees necessary to carry out the specified processing. The law further requires that the company establish, implement and maintain appropriate administrative, technical and physical data security practices.
- No Geofencing
As one of the first of its kind, the law prohibits “geofencing” when used to track consumers, collect consumer health data from them, or target ads at them. This requirement would go into effect within 90 days of the bill’s passage, whereas most of the remaining provisions will not take effect until March 31, 2024. Geofencing is defined as technology that uses GPS, cell tower connectivity, cellular data, Wi-Fi data or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary (2,000 feet or less from the perimeter of the physical location). A clear response to the Supreme Court’s Dobbs decision, this provision is intended to ensure that an individual’s choice to access reproductive health care in Washington State will remain private and not be shared.
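The 2,000-foot figure in the geofencing definition is the one concrete number a privacy engineer can test a location-targeting configuration against. The following is an added illustration, not part of the original article or any official guidance: a small audit that flags any configured geofence whose boundary comes within 2,000 feet of a known health care facility so it can be reviewed before launch. It assumes a spherical-Earth haversine distance, treats each facility as a single point (the statute measures from the facility's perimeter, so a real audit would need the building footprint), and uses constructed coordinates and campaign names that correspond to no real location or business.

```python
import math

EARTH_RADIUS_M = 6_371_000.0     # mean Earth radius in metres (spherical-model assumption)
FEET_PER_METRE = 3.28084
STATUTORY_RADIUS_FT = 2000.0     # the 2,000-foot figure from the Act's geofencing definition


def haversine_feet(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in feet."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_METRE


def boundary_gap_feet(fence, facility):
    """Distance from the fence's outer boundary to the facility point.

    Returns 0 when the facility lies inside the fence. The facility is
    approximated as a point (assumption); the statute refers to its perimeter.
    """
    centre_dist = haversine_feet(fence["lat"], fence["lon"], facility["lat"], facility["lon"])
    return max(0.0, centre_dist - fence["radius_ft"])


def audit_geofences(fences, facilities, threshold_ft=STATUTORY_RADIUS_FT):
    """Return (fence_id, facility_id, gap_ft) for every fence whose boundary
    comes within threshold_ft of a health facility; an empty list means no
    fence needs review under the geofencing prohibition."""
    findings = []
    for fence in fences:
        for fac in facilities:
            gap = boundary_gap_feet(fence, fac)
            if gap <= threshold_ft:
                findings.append((fence["id"], fac["id"], round(gap)))
    return findings


# Constructed sample data: not real facilities, campaigns or coordinates.
FACILITIES = [{"id": "clinic-A", "lat": 47.6062, "lon": -122.3321}]
FENCES = [
    # centre ~365 ft from the clinic, so the 500 ft fence covers it outright
    {"id": "campaign-1", "lat": 47.6072, "lon": -122.3321, "radius_ft": 500},
    # centre ~3,648 ft away; boundary ends ~1,648 ft from the clinic, inside 2,000 ft
    {"id": "campaign-2", "lat": 47.6162, "lon": -122.3321, "radius_ft": 2000},
    # centre ~18,240 ft away; boundary ~17,240 ft from the clinic, well clear
    {"id": "campaign-3", "lat": 47.6562, "lon": -122.3321, "radius_ft": 1000},
]

if __name__ == "__main__":
    for fence_id, fac_id, gap in audit_geofences(FENCES, FACILITIES):
        print(f"{fence_id}: boundary within {gap} ft of {fac_id}; review under the geofencing prohibition")
```

Running the script reports campaign-1 and campaign-2 and stays silent on campaign-3. Because the check measures from the fence boundary rather than its centre, a large fence centred far from a clinic is still caught when its edge reaches into the 2,000-foot zone, which is the case a centre-only comparison would miss.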