July 26, 2023

Recently Enacted Health Data Privacy Laws in Washington and Nevada Pose Challenges for Businesses

Austin Anderson, Heather Deixler, Clayton Northouse, Kathryn Parsons-Reponte, Kiara Vaughn

+ Follow Contact

Send

Embed

Latham & Watkins LLP

Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities.

Key Takeaways:

On April 27, 2023, Washington State enacted the My Health My Data law (My Health My Data Act), a health privacy law that broadly applies to personal information that is or can be linked to a consumer and identifies the consumer’s physical or mental health status.
On June 16, 2023, Nevada passed a similar law by enacting Senate Bill 370 (Nevada Health Privacy Law).
Both laws apply to consumer health information not covered under health data privacy laws like the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). However, while Nevada’s law shares similar terminology as Washington State’s law, it is narrower in scope and unlike the Washington State law, it does not include a private cause of action.
The requirements under both laws include publishing a consumer health data privacy policy, obtaining consent for the collection and sharing of consumers’ health data with prescriptive requirements, and establishing consumer health data rights.
While both laws will be enforced by the states Attorney General, the Washington State law also provides a private right of action, allowing individuals to directly bring an enforcement action against a business.
With certain exceptions (see small businesses and the geolocation restriction under My Health My Data), both laws will go into effect on March 31, 2024.

Washington State and Nevada have now passed health data privacy laws that impose obligations relating to the collection, processing, and sharing of “consumer health data.” Both laws (collectively, State Health Data Privacy Laws) go into effect on March 31, 2024, with some exceptions. The Washington State law’s ban on geofencing went into effect on July 23, 2023, and the law also includes a slight delay for small businesses, which are not subject to most of the law’s requirements until June 30, 2024.

With passage of these two new laws, states are stepping in to regulate companies that collect or process health-related information outside the scope of HIPAA. However, as detailed below, the Washington State law imposes very broad requirements that regulate many companies that operate beyond the healthcare industry, and it fails to include clear guidance for industry in many critical ways, including with respect to many of its defined terms. As a result, businesses that collect or process personal information in these states will need to carefully assess these new laws as they introduce novel requirements and pose significant compliance challenges.

Key Definitions

1. Regulated Entity

The State Health Data Privacy Laws apply to “Regulated Entities” defined as any person that:

conducts business in the applicable state or targets applicable state residents, and
alone or jointly with others determines the purpose and means of collecting, processing, sharing, or selling consumer health data.

Note that, according to the Frequently Asked Questions (FAQs) that the Washington State Attorney General distributed, if an entity’s processing is limited to storage, it will not be subject to the My Health My Data Act.

Washington’s My Health My Data Act delays the effective date for a “small business,” which is a Regulated Entity that:

collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
(1) derives less than 50% of gross revenue from the collection, processing, selling, or sharing of the consumer health data, and (2) controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.

Notably, the State Health Data Privacy Laws apply to for-profit and non-profit entities, departing from existing state privacy laws, with the exceptions of the Colorado Privacy Act and Oregon Consumer Privacy Act[1]. The State Health Data Privacy Laws, however, do not apply to employers or B2B business contacts with respect to health data they maintain about their employees, similar to other state laws, with the notable exception of California where all state residents are now in scope under the California Consumer Privacy Act, as amended (CCPA).

The My Health My Data Act also exempts data governed by HIPAA, the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act (FERPA). The Nevada Health Privacy Law takes a broader approach to such exemptions by including entity-level exemptions for any person or entity subject to HIPAA and any financial institution or affiliate subject to the GLBA. As a result, though entities subject to HIPAA and GLBA are exempt from Nevada’s law, they may still be subject to the My Health My Data Act to the extent they collect “consumer health data” that is outside the scope of such laws.

2. Consumer Health Data

The Health Data Privacy Laws adopt the same term of “consumer health data” but the definitions diverge significantly in scope. Under the My Health My Data Act, “consumer health data” is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” In contrast, the Nevada law specifically limits the definition to “personal information that is linked or reasonably linkable to a consumer and that a Regulated Entity uses to identify the past, present, or future health status of a consumer.” The inclusion of “uses to” notably narrows the definition so that the incidental collection of personal information that could be used (but is not actually used) to identify a consumer’s health status does not trigger the Nevada Health Data Privacy Law’s requirements.

While neither law defines “health status,” both laws provide the following categories of information that qualify as consumer health data:

information relating to health condition or diagnosis; social, psychological, behavioral, or medical interventions; the use and acquisition of prescribed medications; surgical or other health-related procedures;
gender-affirming care information (including efforts to research or obtain gender-affirming care services or products; e.g., social or physical interventions, cosmetics, psychological interventions, etc.);
biometric data (which is itself defined to include iris and retina scans; fingerprints; hand, face, and palm images; voice recordings; keystroke patterns; gait patterns; and rhythms that contain identifying information);
reproductive or sexual health information (including efforts to research or obtain);
precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; and
any data that is derived or extrapolated from non-health information (including through machine learning and algorithms) that is used to associate or identify a consumer with the data described above.

Nevada’s Health Data Privacy Law also provides an express carve-out of consumer health data for information that: (i) is used to provide access or enable gameplay on a video platform, and (ii) information that can identify the shopping habits or interests of a consumer, if that information is not used to identify the specific past, present, or future health status of the consumer, further narrowing the definition.

In comparison, the My Health My Data Act’s broad definition of “consumer health data” may impact both small and large businesses in all industries, regardless of their knowledge or intent of collecting such data. The Washington State Attorney General FAQs provide some limiting parameters around what may be considered consumer health data. They clarify that information does not constitute health data if it does not identify a consumer’s physical or mental health status. For example, the FAQs note that purchases of toilet paper are not consumer health data but an app that tracks the consumer’s digestion would be. The FAQs also clarify that information derived from non-health data to identify the consumer’s mental or health status would be considered consumer health data. As an example, the FAQs cite reports that a retailer had been assigning a “pregnancy prediction score” to consumers based on the purchase of certain products. While the purchase of the underlying products would not be considered health data, the “pregnancy prediction score” derived from those purchases would be.

Though nonbinding and merely of persuasive authority, the FAQs, in combination with the broad definition of consumer health data, will likely provide flexibility to Washington State courts interpreting what is and what is not consumer health data on a case-by-case basis. For example, companies that collect precise location data may become subject to the law if such location data can be used to infer that someone visited a particular healthcare facility. Additionally, companies that collect unique identifiers from website cookies, pixels, or other tracking tools could now find themselves within the scope of the law if they track activities such as an individual searching for a recommendation for a specific type of doctor, researching an article on methods for handling anxiety or depression, or purchasing a book for expecting mothers.

Obligations and Restrictions

Both laws impose numerous requirements on Regulated Entities. Unless stated otherwise, both laws share the same requirements. We highlight some of the notable requirements below.

Regulated entities must:

Implement Health Data Privacy Policy and Security Measures: Regulated entities are required to maintain a “health data privacy policy” with a link from the homepage of their website that species, among other things: (i) categories of health data collected; (ii) categories of sources from which consumer health data is collected; (iii) categories of consumer health data shared; (iv) categories of third parties and specific affiliates with which the entity shares consumer health data; (v) how the consumer can exercise their rights; and (vi) unique to the Nevada Health Data Privacy Law, a disclosure stating whether third parties “may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity.” This likely means that Regulated Entities will need to create and post a separate “health data privacy policy” and link to it from their homepage. The Health Data Privacy Laws also require entities to implement and maintain administrative, technical, and physical data security measures (including restricting access to Consumer Health Data to employees for which access is necessary).
Obtain Affirmative Opt-In Consent for Collection and Sharing: Unless necessary to provide products or services, a Regulated Entity is not allowed to collect (which is defined to include processing activities) or share (including with affiliates) consumer health data without first obtaining a consumer’s affirmative, specific, and voluntary opt-in consent that is “separate and distinct” from other agreements or consents.
Provide Consumer Health Data Rights: Regulated Entities are required to provide consumers with the following rights related to their consumer health data:
- Right to confirm whether a Regulated Entity is collecting, sharing, or selling a consumer’s health data;
- Right to access such data, including a list of third parties with whom the consumer’s health data has been shared or sold to;
- Right to withdraw consent/cease a Regulated Entity’s collection, sharing, or selling of the consumer’s health data; and
- The right to delete consumer health data.

Notably, the Nevada Health Data Privacy Law right to access does not include the right to access the consumer’s health data. Rather, Regulated Entities are only required to respond to a right to access request with the list of third parties with whom the consumer’s health data has been shared or sold.

Establish Appeals Process: Regulated entities are required to establish a process through which a consumer may appeal the Regulated Entity’s refusal to act on a request within a reasonable period of time after the consumer’s receipt of the decision. Upon receipt of an appeal request, the Regulated Entity must provide a response of the appeal’s determination and reason for such action within 45 days of receipt. If the appeal is denied, the Regulated Entity shall also provide the consumer with an online mechanism or other method through which the consumer may contact the state Attorney General to submit a complaint.
Retain Authorization Records: Regulated entities are required to retain a record of a consumer’s written authorization for at least six years after the date on which the written authorization expired.

Regulated entities must not:

Sell Without Specific Authorization: To sell consumer health data (defined as “the exchange of consumer health data for monetary or other valuable consideration”), a Regulated Entity must obtain prior written authorization (separate from any other consent or terms). This authorization must include the: (i) data elements that will be sold; (ii) name and contact information for the selling and purchasing entities; (iii) purpose of the sale; and (iv) disclaimers that the provision of goods or services are not conditioned on the authorization. Significantly, the authorization can be revoked at any time and has an expiration date of one year, meaning entities will need to obtain consent annually. A Regulated Entity that sells consumer health data shall also provide a copy of the written authorization to the consumer who signed the written authorization and the purchaser of the consumer health data.

Implement a Geofence Around Healthcare Facilities: Regulated entities are prohibited from implementing a geofence within 1,750 feet around any facility that provides in-person healthcare services if the geofence is used to identify, track, market to, or otherwise profile consumers. Note that, in Washington State, this provision came into effect on July 23, 2023, for all Regulated Entities.

Enforcement

The My Health My Data Act is the first state data privacy law to provide consumers with a private right of action for alleged violations related specifically to their consumer health data. In addition to the private right of action, the Washington State Attorney General may also bring an action against the company for alleged violations. Violations of the law are considered an “unfair or deceptive act in trade or commerce and an unfair method of competition” under the Washington Consumer Protection Act, which imposes civil penalties of up to $7,500 per violation, up to $25,000 in treble damages at the sole discretion of the court, and injunctive relief. For consumers who bring a direct action against a company, the law permits private litigants to recover (i) actual damages sustained by the consumer, (ii) treble damages, which are capped at $25,000 for violations of RCW Chapter 19.86; and (iii) recovery of reasonable attorney’s fees.

By contrast, Nevada’s Health Data Privacy Law will be exclusively enforced by the Nevada Attorney General, similar to other state data privacy laws. Violations of the law similarly constitute a deceptive trade practice which can result in up to $10,000 civil penalties per violation and injunctive relief.

Takeaways

One of the primary drivers of the My Health My Data law was to address a common critique of HIPAA — its limited applicability to certain entities. Indeed, the Washington State legislature notes that HIPAA “only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections.” As a result, the expansive definition of “consumer health data” seeks to bridge the gap by imposing requirements on the collection, use, and sale of consumer health data on businesses not subject to traditional healthcare regulation.

Moreover, with the passage of Nevada’s Health Data Privacy Law, we are beginning to see a new privacy patchwork developing with other states considering similar legislation for protecting their residents’ consumer health data. For example, Connecticut recently passed an amendment to its existing state privacy law that also seeks to regulate consumer health data. Companies that conduct business in Washington State, Nevada, and other states with similar laws should closely evaluate whether they are subject to these laws and, if so, assess their privacy compliance programs to determine which additional steps may be needed to comply.

Endnote

[1] Oregon’s privacy law provides non-profits with an additional year to comply. Delaware’s privacy law, HB 164, also does not exempt non-profits, with some limited exceptions. At the time of writing, HB 164 has been passed by the Delaware legislature and is awaiting action by the governor.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.