Washington State’s My Health My Data Act (“the Act”) introduces a sweeping set of obligations for nearly all entities that do business in the state and that handle “consumer health data,” a broad new class of health-related data separate from that regulated by the federal Health Insurance Portability and Accountability Act (“HIPAA”). The Act, which is awaiting Governor Jay Inslee’s signature, was introduced partly in response to the United States Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade, in order to protect Washingtonians’ privacy over their health decisions. It reflects a national trend toward higher scrutiny of, and more regulation of, health-related data. When the Act goes into effect on March 31, 2024 (for regulated entities generally) and June 30, 2024 (for small businesses, as the Act defines them), it will dramatically increase compliance burdens related to notice, consent, and privacy rights for all entities in the Washington health and health-adjacent space.
The Act applies to any legal entity – including nonprofits – that conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington. The Act also applies to entities that alone or jointly with others, determine the purpose and means of collecting, processing, sharing, or selling “consumer health data” (defined below). Unlike other states’ comprehensive privacy laws, such as California’s CPRA, the Act does not have any revenue or number-of-user thresholds. Entities of any size that handle consumer health data must comply.
The only entity-level exemptions are for government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of a government agency.
The Act has data-based exemptions for Protected Health Information (“PHI”) governed by HIPAA, as well as data regulated by the federal Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Administrative Simplification provisions of the Social Security Act, the Family Educational Rights and Privacy Act, the Washington health benefit exchange, and privacy rules adopted by the Washington Office of the Insurance Commissioner.
In addition, the Act does not apply to “deidentified data,” which the Act excludes from the definition of “personal information.”
Scope – “Consumer Health Data”
The Act primarily regulates “consumer health data,” broadly defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” Consumer health data includes:
- Individual health conditions, treatment, diseases, or diagnoses;
- Social, psychological, behavioral, and medical interventions;
- Health-related surgeries or procedures;
- Use or purchase of prescribed medication;
- Bodily functions, vital signs, symptoms, or measurements of the information expressly identified in the definition of consumer health data;
- Diagnoses or diagnostic testing, treatment, or medication;
- Gender-affirming care information;
- Reproductive or sexual health information;
- Biometric data;
- Genetic data;
- Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
- Data that identifies a consumer seeking healthcare services; and
- Any information that a regulated entity, or its respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
Notably, the Act’s definition of “personal information” expressly includes data associated with persistent unique identifiers such as “cookie IDs.” This appears to be a direct response to the FTC’s actions earlier this year against the prescription discount app GoodRx and the online counseling service BetterHelp. Both companies were penalized for sharing with advertising platforms, including Facebook, cookie and similar tracking data tied to consumers’ browsing for specific prescriptions and health conditions. Based on that data, Facebook and Instagram showed consumers targeted advertisements for things like STI testing and mental health services. Both companies argued that sharing such data was neither improper nor remarkable, claiming, not unreasonably, that this kind of personal information is routinely shared with advertisers. Now, at least in Washington, such sharing will not take place without consumers’ consent.
Obligations for Regulated Entities
The Act introduces the following obligations for regulated entities:
- Consumer health data privacy policy. Regulated entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses:
  - Categories of consumer health data collected;
  - Purpose for which such data is collected, including how the data will be used;
  - Categories of sources of consumer health data;
  - Categories of consumer health data that is shared;
  - A list of the categories of third parties and affiliates with which the regulated entity shares consumer health data; and
  - Instructions for consumers to exercise their rights regarding their consumer health data (discussed below).
- Consent requirements. Regulated entities cannot collect or share consumer health data without obtaining consent, unless such collection or sharing is “necessary to provide a product or service that the consumer to whom such consumer health data relates has requested” from the regulated entity. Requests for consent must clearly and conspicuously disclose (i) the categories of consumer health data collected or shared; (ii) the purpose for collection or sharing, including the specific ways in which consumer health data will be used; (iii) the categories of entities with which the consumer health data is shared; and (iv) how the consumer can withdraw consent from future collection and sharing.
- Access restrictions. Regulated entities must restrict access to consumer health data to only those employees, processors, and contractors for whom access is necessary, a least-privilege requirement that in practice means role-based access controls and access logging around any system holding this data.
- Security measures. Regulated entities must establish, implement, and maintain administrative, technical, and physical data security practices to protect consumer health data. Security practices must meet a reasonableness standard, taking into account the volume and nature of the data at issue.
- Data processing agreements. Regulated entities must enter into data processing agreements with processors that set forth processing instructions and limit the actions the processor can take with respect to the consumer health data it processes on the regulated entity’s behalf.
- Authorizations prior to consumer health data sales. Regulated entities are prohibited from selling or offering to sell consumer health data without first obtaining authorization from the consumer. Authorizations must:
  - Be written in plain language;
  - Specify the consumer health data to be sold;
  - Contain the name and contact information of the buyer and seller;
  - Describe the purpose for the sale, including how the consumer health data will be gathered and how it will be used by the purchaser;
  - State that the provision of goods or services may not be conditioned on the consumer’s authorization;
  - State that the consumer has the right to revoke the authorization, and give instructions for submitting such a revocation;
  - State that the consumer health data sold may be subject to redisclosure by the buyer and may no longer be protected by the Act; and
  - Contain an expiration date; the authorization expires one year from the date the consumer signs it.
- Authorizations must be signed by the consumer, and consumers must be provided a copy. Buyers and sellers must retain copies of authorizations for six years from the date of signature or from when the authorization was last in effect, whichever is later.
- “Geofencing” restrictions. The Act prohibits any person, not only regulated entities, from implementing a “geofence” around an entity that provides in-person health care services where the geofence is used to: (i) identify or track consumers seeking health care services, (ii) collect consumer health data from consumers; or (iii) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. The Act defines a “geofence” as technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, WiFi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within such a boundary, and limits the term to a virtual boundary that is 2,000 feet or less from the perimeter of the physical location. Because the distance is measured from the perimeter rather than the center of the facility, a radius drawn around a facility’s centroid in an ad-targeting or analytics platform must account for the facility’s footprint when assessing whether it falls within the prohibition.
Like other state privacy laws in California, Colorado, Connecticut, Utah, and Virginia, the Act establishes new privacy rights for consumers regarding their consumer health data. These include the right to:
- Confirm whether a regulated entity is collecting, sharing, or selling their consumer health data;
- Withdraw consent for the regulated entity’s collection and sharing of data;
- Request deletion of consumer health data. Regulated entities must delete the data within 30 days of the request, including from archived or backup systems (deletion from archived or backup systems may be delayed for up to six months). Regulated entities must also notify their affiliates, processors, contractors, and other third parties that have received the consumer health data of the deletion request, and those entities must likewise honor it.
The Act grants consumers a private right of action under the Washington Consumer Protection Act as an unfair or deceptive act in trade or commerce and an unfair method of competition. In addition, the Washington Attorney General has authority to enforce the Act.
The My Health My Data Act will dramatically change how nearly all companies – large, small, for-profit, and nonprofit – do business in Washington and communicate with their customers. All companies should conduct a thorough review of their data handling practices, privacy policies, vendor contracts, and corporate policies – and expect to make significant changes.
The private right of action further raises the stakes, signaling just how seriously regulators at the federal and state level are treating data regarding consumers’ health. Any type of data that is even tangentially related to consumer health or wellness should be considered sensitive and subject to the Act.