Last week, the Governor of Washington signed a package of legislation aimed at protecting the health care of women in response to the United States Supreme Court’s reversal of Roe vs. Wade. One of the new laws, the Washington My Health, My Data Act, seeks to protect consumers’ health care data that is currently not protected by the Health Information Portability and Accountability Act (HIPAA). Unlike HIPAA, the new Washington law applies to health data collected by non-covered entities, including certain apps and websites such as telehealth websites and period-tracking apps, and it defines health data broadly.
The Washington My Health, My Data Act requires regulated entities to obtain consumer consent regarding the collection, sharing, and use of certain health information. The Act also gives consumers the right to have their health data deleted by the regulated companies, prohibits the companies from selling consumer health data without valid authorization signed by the consumer, requires entities that collect health data to provide consumers with a privacy policy disclosing the use of health data, and makes it unlawful to utilize a geofence around a facility that provides health care services.
If a company violates the Act, the Act empowers Washington’s Attorney General to bring an enforcement action. In addition, individual consumers may bring a civil lawsuit through a private right of action for a violation of the Act, a right typically not available to consumers.
Covered entities must comply with the Act by March 31, 2024, while small businesses were given additional time and must comply by June 30, 2024.
Washington’s extension of privacy rights to health data is unique. In light of the current furor over abortion rights, however, we may see more such statutes enacted in other states.