This is Part Eight in a series of legal updates on the Washington My Health My Data Act (“WMHMDA”) where Quarles continues its deep dive into the various factors and intricacies of WMHMDA that are creating waves in the privacy space – and not just for the health and life sciences industry.

Last week we fired up the grill and cooked up a better understanding of WMHMDA’s regulation of biometric data. Today, while we sit down to enjoy our hotdog and listen to our Summer Hits of the 80’s playlist, we discuss data subject rights under WMHMDA, including how the Act does not require consumers to ♫ Fight for Your Right to consumer health data.

Catch up with the WMHMDA summer series: We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in:

• Overview: Washington Poised to Transform Consumer Health Data Landscape with Passage of My Health My Data Act
• Part One: What Regulated Entities are Subject to WMHMDA
• Part Two: Consumers Covered by WMHMDA
• Part Three: Broad Scope of Consumer Health Data
• Part Four: Geofencing Requirements
• Part Five: Consent and Authorization Requirements
• Part Six: Consumer Health Data Privacy Policy
• Part Seven: Biometric Data

• Part Eight: Individual Rights (this is what you are reading now)
• Part Nine: Enforcement and Private Right of Action
• Part Ten: Operational Realities and Next Steps
• Part Eleven: HIPAA vs. WMHMDA (for table lovers)
• Part Twelve: Washington AG Guidance

Individual rights are not new to U.S. privacy laws, but WMHMDA grants broad data subject rights. Get ready to ♫ Walk this Way for a primer on WMHMDA’s data subject rights.

WMHMDA Consumer Rights

The WMHMDA expressly grants to consumers a variety of rights, all of which should be analyzed in the context of the broad scope of consumer health data.

1. Right to Know – The right to confirm whether a regulated entity is collecting, sharing, or selling consumer health data, including a list of third parties with whom the regulated entity has shared that consumer’s health data.
2. Right of Access – The right to access that consumer health data collected, shared, or sold by a regulated entity and relevant third parties.
3. Right to Withdraw Consent – The right to withdraw consent for the collection and sharing of consumer health data by a regulated entity.
4. Right to Delete – The right to have consumer health data deleted by the regulated entity and all third parties with whom the regulated entity has shared the consumer health data.
5. Non-Discrimination Right – The right to not face discrimination for exercising rights under WMHMDA.

♫ Take me down to the paradise city
Where the grass is green and the girls are pretty

Right to Know & Right of Access

Like other U.S. consumer privacy laws, WMHMDA grants consumers the right to confirm whether a regulated entity is collecting, sharing, or selling the individuals’ consumer health data and access such data.

What differs from – and goes further than – other U.S. consumer privacy laws is that WMHMDA gives consumers the right to receive a list of all third parties and affiliates with whom the regulated entity has shared or sold consumer health data. Consumers have a right to receive an active email address or other online mechanism that the individual can use to contact relevant third parties and affiliates.

Compliance with this right necessitates a clear understanding of the third parties and affiliates with access rights as well as more organized tracking mechanisms for data sharing and contact information.

♫ Sweet dreams are made of this
Who am I to disagree
I travel the world and the seven seas
Everybody's looking for something

Right to Withdraw Consent

As a natural consequence of the requirement that regulated entities obtain opt-in consent for the collection and sharing of consumer health data, consumers have the right to withdraw that opt-in consent at any time. As discussed in Part Five of our series, the definitions of “collect” and “share” are quite broad under WMHMDA. Because these definitions cover a wide array of use and processing functions, a consumer’s withdrawal of consent to “collect” and/or “share” consumer health data may effectively bar any collection, use, processing, or disclosure by the regulated entity.

Unlike other privacy schemes (e.g., the Health Insurance Portability and Accountability Act (HIPAA)), WMHMDA is not expressly clear whether a consumer’s withdrawal of consent will be effective prospectively upon receipt and not to processing underway based on reasonable reliance on consumer consent. For certain processing, withdrawal midway through may require restarting that processing activity because a consumer’s data cannot be removed from a data set. Operationalizing this right will likely require new technical processes to stop certain types of data processing that are not subject to a consent withdrawal right under other consumer privacy laws.

♫ I've gotta take a little time
A little time to think things over
I better read between the lines
In case I need it when I'm older
… I wanna know what love is
I want you to show me

Right to Deletion

The right to delete is not a new concept in U.S. privacy law (though it does not exist in HIPAA). However, WMHMDA’s deletion right goes significantly beyond what we see in other privacy laws, and three components of the deletion right will lead to significant ramifications for regulated entities and vendors.

♫ Don't. Don't you want me?
You know I don't believe you when you say that you don't need me

• Absolute Right to Deletion?

WHMDA requires regulated entities to delete consumer health within 30 days of authenticating a deletion request. Compliance requires deletion of data from all parts of the regulated entity’s network, including archived or backup systems. A regulated entity has an additional six months to comply with a consumer’s deletion request for consumer health data stored on archived or backup systems to presumably restore the archived or backup system to ensure complete deletion has occurred. However, the explicit inclusion of archive/backups within the right sets up an operationally infeasible obligation and betrays the drafters’ misunderstanding or indifference to technical realities.

Other comprehensive state privacy laws have traditionally included exceptions to deletion rights. Typically, those exceptions permit entities to deny deletion requests and retain data where it is necessary to defend against legal claims, comply with the entity’s legal obligations, or enforce the entity’s agreements. Under WMHMDA, the only exception to the consumer’s absolute right of deletion is when the regulated entity needs to collect, use, or disclose consumer health data to: (1) prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity under Washington or federal law, (2) preserve the integrity or security of the regulated entity’s systems, or (3) investigate, report, or prosecute those responsible for any such action that is illegal under Washington or federal law.

Query whether “preserving the integrity” of a regulated entity’s systems would involve keeping archive/backup systems from editing. While courts may be left to sort out the scope of the deletion right, regulated entities will be left between a rock and a hard place in deciding whether to violate statutory requirements or the WMHMDA deletion right.

♫ We didn't start the fire
It was always burning, since the world's been turning
We didn't start the fire
No, we didn't light it, but we tried to fight it

• Managing HIPAA and WMHMDA

Because WMHMDA exempts protected health information (PHI) subject to HIPAA, HIPAA covered entities do not have to comply with a consumer’s deletion request for PHI. For health care providers that are not subject to HIPAA, this permissive right to deletion may jeopardize discovery efforts when defending against a negligence claim. Without the cover of HIPAA’s reasonable denial opportunities, a health care provider that is not a HIPAA covered entity may be required to delete patient medical records upon request. Additionally, Washington law only stipulates that hospitals must retain medical records for 10 years following a patient’s most recent discharge. The law contains no medical record retention rules for other types of health care entities.

Once WMHMDA becomes effective, Washington courts may grapple with balancing evidentiary issues and the deletion right. Hybrid health care entities will need to think through technical and administrative processes to manage PHI and consumer health data under separate regulatory schemes (including educating consumers about requests for and application of their rights).

♫ I don't know where I'm going
But I sure know where I've been
Hanging on the promises in songs of yesterday
And I've made up my mind
I ain't wasting no more time
Here I go again, here I go again

• Downstream Notice & Action Required

Regulated entities must notify affiliates, processors, contractors, and other third parties with whom the regulated entity has shared consumer health data of deletion requests. Once notified, those entities must honor the consumer’s deletion request (including consumer health data stored on archived or backup systems.)

Regulated entities will need to consider tools not currently deployed in their privacy programs to identify consumer health data subject to a deletion request, validate the request, track recipients of the data at issue, and send downstream notifications to third parties that received the data at issue. Effectuating the flow down deletion requirements will create operational challenges on top of technical limitations.

♫ It's gonna take a lot to drag me away from you
There's nothing that a hundred men or more could ever do

Non-Discrimination Right

Like other privacy laws (e.g., the California Consumer Privacy Act (CCPA), HIPAA), WMHMDA prohibits regulated entities from unlawfully discriminating against consumers for exercising their rights. It is not clear what type of discrimination would be lawful, and the Act includes no examples of unlawful discrimination.

CCPA prohibits a business from denying or providing different services and charging different prices or offering different discounts based on a consumer’s choice to exercise their rights. While WMHMDA does not include such an illustration, it is likely that the Washington legislature intended a similar ban on retaliatory behavior.

♫ I'm still standin' (yeah, yeah, yeah)
I'm still standin' (yeah, yeah, yeah)

How do Consumers Exercise their Rights?

Consumers may exercise their rights once WMHMDA is in effect by submitting their request at any time. Requests may be made by secure, reliable means established by the regulated entity in its consumer health data privacy policy. The method must take into account the ways in which consumers normally interact with the entity, the need for security and reliable communication of requests, and the entity’s authentication abilities.

Information provided in response to a consumer request must be provided free of charge up to twice annually per consumer. Time to authenticate a consumer request does not delay the timeframe for response. With limited exceptions, each regulated entity must comply with consumer requests within 45 days of receipt of the request. If necessary, the regulated entity may extend its response time for an additional 45 days when reasonably necessary considering the complexity and number of consumer requests so long as the regulated entity informs the consumer of the reason for the extension.

WMHMDA empowers consumers to appeal a regulated entity’s refusal to take action on a consumer request. To ensure that this right is honored, regulated entities must implement a conspicuously available (i.e., obvious) process for the consumer to submit a request. Within 45 days of a regulated entity’s receipt of a consumer’s appeal, the regulated entity must inform the consumer in writing of the reason for any action taken or not taken in response to the appeal. If the regulated entity denies the consumer’s appeal, the regulated entity must provide the consumer with a method for contacting the Washington Attorney General to make a complaint.

♫ We're not gonna take it
No, we ain't gonna take it
We're not gonna take it anymore

How Will Washington Enforce Individual Rights?

Unlike similar state privacy laws, WMHMDA does not include an enforcement regime specific to the Act. Instead, WMHMDA establishes violations of the Act as “unfair or deceptive act in trade or commerce and an unfair method of competition” under Washington’s Consumer Protection Act. The Washington Attorney General enforces the Consumer Protection Act, and the statute includes civil penalties of up to $2,000 per violation of the law’s prohibition on unfair or deceptive acts or practices.

In addition, consumers may bring a private cause of action under the Consumer Protection Act if the consumer is injured by a regulated entity’s violation of WMHMDA.

♫ Here I am
Rock you like a hurricane
(Are you ready baby?)

In Part Nine we will keep the summer dance party moving by discussing enforcement of WMHMDA and the private right of action in more detail. Until next time…turn up your yacht rock playlist (unless your HOA restricts that kind of thing) and keep singing along. ♫ I can tell you, my love for you will still be strong after the boys of summer have gone.

♫ Don’t you, forget about me
Don't, don't, don't, don't
Don’t you, forget about me
As you walk on by
Will you call my name?