On April 18, 2023, the Washington legislature passed the My Health My Data Act (the “Health Act”), a sweeping data privacy and protection law governing individuals’ personal health data. Although the bill is still pending Governor Jay Inslee’s signature, the privacy community expects it to be signed this year and is bracing for this novel law.
In the Health Act, the Washington legislature describes privacy as a “fundamental right” and notes the gap in privacy protections for an individual’s health data that falls outside the coverage of the Health Insurance Portability and Accountability Act (“HIPAA”). The Health Act is therefore styled similarly to other states’ comprehensive data privacy laws, but with a singular focus on consumer health data. Its salient provisions are as follows:
- Response to Dobbs and Other Sensitive Issues. Since Dobbs, both conservative and liberal jurisdictions have struggled with the treatment of abortion-related data; this law represents Washington’s response by offering protection to a broad category of information relating to reproductive or sexual health services.[1] The Health Act also addresses gender-affirming care through data privacy protections over related health care services.[2]
- Broad Definition. The Health Act covers health data outside HIPAA and, as a result, adopts a very broad definition of “consumer health data,” including health care and treatment information, information that identifies a consumer seeking health care services (or the consumer’s efforts to research such services), and precise location data that “could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.”[3] It also reaches inferred data, including AI and machine-learning output: any information that an entity processes to associate or identify a consumer with this type of health data, even when it is derived or extrapolated from non-health information.[4] Additionally, “consumer” under the Health Act includes both Washington residents and individuals whose data is collected in Washington.[5]
- Broad Application. The Health Act applies to organizations, including nonprofits, that (a) either (1) conduct business in Washington or (2) provide goods or services to consumers in Washington, and (b) “alone or jointly with others, determine the purpose and the means of collecting, processing, sharing, or selling consumer health data.”[6] The Health Act includes a volume/revenue threshold (i.e., the number of Washington consumers whose health data is processed, or the share of revenue generated from the sale or sharing of Washington consumer health data) to distinguish regulated entities from small businesses.[7] Unlike other comprehensive laws, it uses this distinction only to set the effective dates for most of its provisions (March 31, 2024 for regulated entities and June 30, 2024 for small businesses), not to determine whether the Health Act applies to a given type of entity at all.
- Consent Requirements. The Health Act requires consent before the collection or sharing of consumer health data, except “to the extent necessary to provide” the product or service the consumer requested.[8] Additionally, a regulated entity must obtain a “valid authorization signed by the consumer” before selling or offering to sell consumer health data.[9] This authorization must be separate from the consent obtained for collection or sharing and must contain specific content prescribed by the Health Act, for example, a disclosure that the authorization expires after one year.[10]
- Restrictions on “Geofencing.” The Health Act prohibits the use of “geofencing” around an entity providing in-person health care services when used to “(1) identify or track these consumers seeking these healthcare services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.”[11]
- Unfettered Deletion Right. The Health Act gives consumers the right to access and to delete their information.[12] Further, unlike other state data privacy laws, the Health Act does not identify any exceptions to a consumer’s right to delete, notably as to archived or backed-up data.[13]
- Indirect Private Right of Action. While the Health Act does not itself create a private right of action, it makes violations actionable under Washington’s consumer protection statutes, which do provide one.[14]
Takeaways:
- Data Inventory with Holistic View. In addition to complying with other data privacy laws, businesses must conduct a data inventory to identify and categorize the types of data they collect, store, and process. They must then analyze that data in the context of the business to determine whether particular information constitutes consumer health data. For example, a device ID is not health information on its own, but it can become consumer health data when linked to a search for health care services.
- Examination of Online Websites or Platforms. Businesses must meticulously examine their online properties to determine whether health information is disclosed to third parties, especially for advertising purposes. Beyond this law, online tracking technologies have already given rise to recent lawsuits and regulatory actions.
- Gender-Affirming and Abortion-Related Information. States continue to grapple with how businesses should treat this sensitive information, so businesses should pay significant attention to processing activities surrounding such information.
[1] HB 1155, §2(8)(viii).
[2] Id. at §2(8)(vii).
[3] Id. at §2(8).
[4] Id. at §2(8)(xiii).
[5] Id. at §2(7)(xiii).
[6] Id. at §2(23).
[7] Id. at §2(28).
[8] Id. at §5(1)(a) & (b).
[9] Id. at §9(1).
[10] Id. at §9(2).
[11] Id. at §10.
[12] Id. at §6.
[13] Id. at §6(c)(iii).
[14] Id. at §11.