Despite its misleading title, Washington’s My Health My Data Act will regulate many things most people would not think of as health-related data. It will also regulate non-Washington entities, mere processors of health-related data, and even those that collect data of non-Washington residents.
Individuals and companies nationwide should take a close look at this law and determine whether they are in scope.
Here are some key takeaways on who is covered by the law and what they can do to comply.
More Companies, Consumers, and Data Are in Scope Than You Would Think
The Act aims to address consumer data and entities not covered by HIPAA. Because of this, it regulates more than what most people think of as “health data.” The Act generally regulates “consumer health data,” which it defines broadly as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.”
“Consumer” is also broadly defined as any Washington resident or any person whose Consumer Health Data is collected in Washington (but not including employees). And by “collected,” the Washington state legislature also means bought, rented, accessed, retained, received, acquired, inferred, derived, or otherwise processed.
This overbroad and never-before-seen definition of “collected” brings cloud providers storing this data into scope, whether they are located in Washington State (and there are many!) or outside it.
The law specifically lists the following examples as identifying the consumer’s “physical or mental health conditions”:
- Bodily functions, vital signs, symptoms, or other measurements of covered information.
  - This brings within scope developers, devices, and businesses such as fitness and health trackers; gyms that use heart rate monitors; nutrition or diet applications; sleep tracking applications; processors or service providers used by first responders; and many other general health and fitness applications.
- Genetic data.
  - This brings within scope consumer-facing genetic testing and genealogy websites.
- Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies.
  - Notably, the Act also prohibits geofencing around health-care facilities where that geofence is used to: “(1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.”
- Biometric data.
  - This brings within scope biometric authentication on phones, tablets, and other devices, as well as voice recognition technology, among others (and potentially creates confusion with Washington’s existing biometrics law).
- Individual health conditions, treatment, diseases, or diagnosis.
  - This arguably brings within scope things like elective massage therapy or elective dermatology treatments, as well as health information collected by companies not regulated by HIPAA, such as auto, home, or life insurance companies (who are already very heavily regulated in Washington State).
- Data that identifies a consumer seeking health care services.
  - This arguably includes data collected through cookies, pixels, or other similar trackers when Washington residents search for health care services online. Note that this is similar to the HHS/OCR’s December 2022 guidance on technology trackers, which indicates that if an IP address is collected while visiting a covered entity’s website or mobile application, it is HIPAA-protected PHI.
And the list goes on. These are just some of the examples that companies might not realize are covered without doing a deep dive into this legislation. Other examples listed in the legislation are more obvious and include, among others:
- Gender-affirming care information
- Reproductive or sexual health information
- Health-related surgeries, procedures, or medication (including abortions and the hotly debated abortion pill: Mifepristone)
The law does offer a few exceptions, which will ease some of the burden on companies:
- Employee data is excluded, which should help ease the burden of compliance with the biometric obligations.
- Like other state privacy laws, there are exceptions for data subject to other existing regulations such as HIPAA, GLBA, FCRA, and FERPA.
- B2B data is excluded because the definition of a consumer is limited to a natural person.
Compliance Will Be A Heavy Lift (Even for Non-Washington Entities)
The Act is unique, with new and different definitions of commonly accepted terms and a distinctive scope as compared to many existing state privacy laws. Accordingly, compliance with the Act cannot simply be tacked on to past state-specific privacy law compliance programs. Companies in Washington will need to adopt a fresh approach and develop a new compliance program specifically targeted to cover the many contours of the Act.
Crucial items include:
- Get consent from consumers prior to collecting consumer health data. Get an additional, separate consent prior to sharing consumer health data (and an additional and different kind of consent prior to selling it). Note that consent under the Act is GDPR-style consent (“a clear affirmative act that signifies a consumer's freely given . . . unambiguous agreement.”)
- Develop and implement a secure and reliable mechanism for receiving and processing consumer health data rights requests, including:
  - The right to know
  - The right to deletion (including the requirement to flow down to processors and sub-processors)
  - The right to appeal the regulated entity’s decision with respect to a consumer rights request
- Develop and implement compliant agreements with processors that set forth processing instructions consistent with the Act.
- Obtain consumer authorization prior to any sale of consumer health data (note that Authorization is not simply consent and likely implies having a signed informed consent form on file prior to sale—and each Authorization is only valid for one year from the date it was signed).
Litigation Exposure and Private Right of Action
Notably, the Act creates a private right of action for consumers with respect to the covered data and rights under the Act. Unlike other private rights of action in state-specific privacy laws—which often give consumers a limited window of grievances for which they may sue, such as a breach of the consumer’s data—consumers in Washington may sue for any violation of the Act. This will undoubtedly lead to heightened exposure for companies handling data in Washington, particularly because it is in addition to the Washington State Attorney General’s ability to independently enforce against violations of the Act.
Consumers may sue for damages, injunctive relief, and other remedies under the Washington State Consumer Protection Act. Given the broad scope of the Act, there are sure to be many creative lawsuits popping up under it after its enforcement date (which is unclear due to the poor drafting).
A New Wave of Health Data Privacy Laws and Enforcement?
In addition to the Act in Washington, we are currently seeing a wave of additional protections for health care data. To name a few examples:
- The FTC has recently moved against Premom—a fertility tracking app—for failing to appropriately handle consumer health and fertility information. The FTC ultimately reached a settlement with Premom over allegations that it deceived users by sharing their sensitive personal information with third parties, including two China-based firms, and failed to notify consumers of these unauthorized disclosures in violation of the Health Breach Notification Rule (HBNR).
- The U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) designed to strengthen HIPAA Privacy Rule protections for protected health information regarding reproductive care. The proposed rule would prohibit the use and disclosure of PHI to investigate or prosecute patients, health care providers, or others who provide reproductive health care (including abortions).
- The State of Illinois has proposed HB 3603, the Protect Health Data Privacy Act, which has passed the House committee and is currently on the House floor. This is notable because of its similarities to the Washington Act, including the same unusual definition of “collect,” prohibitions against the sharing of health data without consent or the selling of health data without separate written consent, a very similar definition of health data (other than biometric information, which is already heavily regulated under BIPA), and the creation of a private right of action.
Additional states may also follow suit soon, and the Act could serve as a framework to be tweaked and adopted by other state governments.