Washington State “My Health, My Data Act” Signed Into Law
On April 27, 2023, the Washington State “My Health, My Data Act” (the “Act”) was signed into law. The Act, which takes effect on March 31, 2024, applies to legal entities conducting business in Washington or targeting products or services to Washington consumers that determine the purpose and means of collecting, processing, sharing, or selling consumer health data. The Act is intended to protect consumer health data by:
- Requiring regulated entities to make additional disclosures regarding the collection, sharing, and use of consumer health data;
- Prohibiting entities from collecting and sharing health data without the consumer’s consent;
- Providing consumers with the right to withdraw consent and have their health data deleted;
- Preventing the sale of consumer health data in the absence of valid authorization signed by the consumer; and
- Restricting geofencing around facilities that provide health care services.
The Act is focused on consumer health data that is not regulated under the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Its reach extends beyond health care industry participants and their affiliates to data processors and other third parties that come into contact with the Act’s broadly defined set of “consumer health data.” Thus, the Act may have a significant impact on not only health care companies and their affiliates and processors, but also device manufacturers, web and mobile app developers, and advertisers that handle non-HIPAA-regulated health data.
Applicability and Scope
The Act’s protections apply to “consumers,” a term encompassing any natural person who is a resident of Washington or whose consumer health data is collected in Washington. As a result, the Act will theoretically protect the health data of any individual seeking health care services in the state. The term “consumers” includes only natural persons acting in an individual or household context; it does not include individuals acting in an employment context.
The restrictions of the Act apply to “regulated entities,” which are any legal entity that: (1) conducts business in Washington, or produces or provides products or services targeted at Washington consumers; and (2) alone or jointly with others determines the purpose and means of collecting, processing, sharing, or selling consumer health data. The term includes nonprofit entities and small businesses, but does not include government agencies, tribal nations, or contractors when processing consumer health data on behalf of the government agency.
For purposes of the Act, “consumer health data” means personal information (as defined by the Act, and which specifically includes cookie IDs, IP addresses, and device identifiers) that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. The term includes, but is not limited to:
- Individual health conditions, treatments, diseases, and diagnoses;
- Social, psychological, behavioral, and medical interventions;
- Health-related surgeries or procedures;
- Use or purchase of prescribed medication;
- Bodily functions, vital signs, symptoms, or measurements of this information;
- Diagnoses or diagnostic testing, treatment, or medication;
- Gender-affirming care information (as defined by the Act);
- Reproductive or sexual health information (as defined by the Act);
- Biometric data (as defined by the Act);
- Genetic data (as defined by the Act);
- Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive any health services or supplies;
- Data that identifies a consumer seeking any health care services; and
- Any information that a regulated entity, or its respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information, such as proxy, derivative, inferred or emergent data by any means, including algorithms or machine learning.
The term “health care services” is equally broad, encompassing any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health. As a result, any business that provides health care services or services ancillary to such services, or that facilitates connections between consumers and such service providers, could face liability under the Act.
The Act is specifically designed to protect consumer health information not afforded HIPAA protection. As a result, there are numerous data-type exemptions under the Act. For example, the Act does not afford protections to:
- Protected health information (“PHI”) regulated under HIPAA, as well as information originating from or intermingled with such PHI maintained by HIPAA-regulated entities;
- Health information governed or created pursuant to other health-related state and federal laws (e.g., patient identifying information collected, used or disclosed in accordance with 42 C.F.R. Part 2, federal policies regarding human research subjects, state public health reporting requirements, and patient safety and quality improvement activities); and
- Personal information governed by and collected, used, or disclosed in accordance with the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, state statutes and regulations applicable to the Washington Health Benefit Exchange, and certain privacy rules adopted by the Washington Office of the Insurance Commissioner.
The Act excludes “deidentified data” from its definition of “personal information.” Thus, deidentified data is not consumer health information afforded protection under the Act. Deidentified data is defined as data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer, if the regulated entity that possesses the data: (1) takes reasonable measures to ensure the data cannot be associated with the consumer; (2) publicly commits to process the data only in a deidentified fashion and not attempt to reidentify the data; and (3) contractually obligates any recipients of the data to satisfy the same criteria.
Once in effect, the Act will require regulated entities to take additional steps to restrict the collection, sharing, and use of consumer health data. In sum, regulated entities must:
- Obtain affirmative consent from the consumer prior to collecting or sharing consumer health data with a third party or affiliate, except in limited circumstances (e.g., the disclosure is at the consumer’s request);
- Establish, implement, and maintain administrative, technical, and physical data security policies that restrict access to consumer health data to only those employees, processors, and contractors for which access is necessary to further the purpose of the collection; and
- Enter into binding contracts with processors setting forth process instructions and limitations related to the use of consumer health data.
The Act also imposes restrictions that will make it unlawful for any person or entity to:
- Sell or offer to sell consumer health data without first obtaining a signed authorization from the consumer that is written in plain language, contains the information specified by the Act, and is separate and distinct from any consent obtained to collect or share consumer health information; and
- Implement a geofence around an entity that provides in-person health care services if that geofence is used to: (1) identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.
For purposes of the Act, a “geofence” is any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, or any other form of spatial or location data to establish a virtual boundary around a specific physical location, or to locate consumer within a virtual boundary.
Consumers will receive a number a new privacy rights under the Act. For example, consumers will have the right to:
- Confirm whether a regulated entity is collecting, sharing, or selling consumer health data and access such data, including a list of all third parties and affiliates with whom the regulated entity has shared or sold consumer health data;
- Withdraw consent from a regulated entity’s collection and sharing of consumer health data;
- Have consumer health data deleted from the records of the regulated entity and its affiliates, processors, contractors and other third parties; and
- Appeal a regulated entity’s refusal to take action on a consumer’s request to exercise any of the above rights.
When a regulated entity is in receipt of any request, it must notify all affiliates, processors, contractors, and other third parties, who must also honor the consumer’s request. The entity must comply with the consumer’s request without undue delay, but in all cases within 45 days of the receipt of the request. Note, however, that if the consumer requests the deletion of consumer health data that is stored on archived or backup systems, deletion may be delayed to enable restoration of the data, but such delay may not exceed six months from the date of the request.
The Act creates two avenues for enforcement. First, the Washington Attorney General may investigate violations of the Act and seek litigation under the state Consumer Protection Act (“CPA”) as an unfair or deceptive act in trade or commerce and as an unfair method of competition. The Act also provides consumers with a private right of action under the CPA. Civil action under the CPA may may result in civil monetary penalties of up to $7,500 per violation, with the addition of treble damages not exceed $25,000 in actions brought by consumers.
The Act is one of the most comprehensive pieces of consumer health data privacy legislation passed by any state in the nation, to date. It differs from other state privacy laws, in that it aims to regulate the collection and sale of consumer health data specifically. Washington lawmakers intend for the Act to close existing gaps in health data privacy protections, provide citizens with greater control over their health data, and protect individuals traveling to the state to access health services. Due to the Act’s broad scope, it is likely to impact the data collection activities of a variety of businesses.