Washington state legislators have approved a far-reaching data protection bill that could change how businesses collect, use, and disclose consumer health data, including information that is only inferentially related to health and wellness. If signed by the governor, House Bill 1155, styled as the My Health, My Data Act (the “MHMD”), would establish significant new restrictions around consumer health data that extend beyond the traditional reach of the federal Health Insurance Portability and Accountability Act (HIPAA) by regulating not just health care providers and health plans but any business that collects health-related information or information that can lead to an inference about an individual’s physical or mental health condition.
The My Health, My Data Act arrives at a time when privacy interest in commercial uses of health and health-adjacent consumer data is at an all-time high. Recent enforcement actions by the Federal Trade Commission (FTC) and attempted class actions focused on website tracking technologies have drawn attention to the use and sharing of these datasets, and these practices are subject to particular scrutiny where they raise privacy and reproductive rights concerns in the wake of the Supreme Court’s June 2022 decision in Dobbs v. Jackson Women’s Health Organization.
Here are some important things to know about the MHMD:
1. It is sweeping in scope
The MHMD is notable for its far-reaching definition of “consumer health data” as well as the broad scope of consumers and entities to which it applies.
The MHMD defines “consumer health data” as any information linkable to a Washington resident or person whose data was gathered in Washington and that identifies a consumer’s past, present, or future physical or mental health, or further-ranging attributes like their “bodily functions.” The definition includes instances in which traditional attributes such as health conditions and treatments might be “derived or extrapolated” from non-health information. In other words, the MHMD covers inferences derived from any information whatsoever if the inference might reveal something about the consumer’s physical or mental health condition, such as, hypothetically, when a consumer browses a news article about diabetes treatments or purchases baby formula.
As such, the definition potentially encompasses not only data on specific medical conditions and diagnoses but also biometric and location data that can be used to make inferences concerning health when associated with a health or wellness product or service. In effect, consumer products (such as wearable devices), websites, and apps that collect (whether automatically or by manual input) and share consumer health data on body temperature, heart rate, menstrual cycles, online health searches, and geolocation data for health-related visits would be subject to the bill.
Also sweeping is the bill’s potential reach to any legal entity that conducts business in Washington state or targets its products or services to Washington residents and determines the purpose or methods for collecting consumer health data. Unlike many of the current generation of U.S. state privacy laws, the MHMD does not contain any applicability thresholds for coverage, such as revenue or volume of data collection.
2. It requires opt-in consent
The MHMD requires opt-in consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. Regulated entities must make clear to the consumer in easy-to-understand, non-ambiguous language what they are consenting to, and consent must be obtained voluntarily.
This new requirement is the latest in a recent trend of requiring affirmative and informed consent before any data is collected. In January, the Virginia Consumer Data Protection Act (VCDPA) went into effect and requires affirmative and informed consent for the collection of mental or physical health diagnoses, among other things. In recent months, the FTC has also required affirmative express consent before sharing health information as a condition of settlement.
The MHMD also prohibits implementing a geofence around a business that provides in-person health services when the geofence is used to collect or track data from consumers or to send advertisements related to consumer health data. This blanket prohibition means that covered businesses cannot obtain consumer consent for such activities.
3. It imposes potentially insurmountable restrictions on most third-party sharing
The MHMD places significant restrictions on the sale of data, which is defined broadly to encompass most instances of data sharing with third parties. Businesses looking to sell consumer health data to third parties must first obtain written authorization from the consumer, which includes specifying the purpose of the sale and providing contact information for the entity purchasing the data. As with the recent generation of state privacy laws such as the California Consumer Privacy Act (CCPA), the MHMD defines “sell” or “sale” as “the sharing of consumer health data for monetary or other valuable consideration.” In a major departure from those laws, however, the MHMD would require opt-in rather than opt-out consent.
4. It grants additional privacy rights, familiar and unfamiliar
Like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the My Health, My Data Act provides broad privacy rights, including the right to access data and the ability to opt out or revoke consent. Unlike the GDPR and CCPA, the MHMD promises what is arguably a nearly limitless right to deletion – notably absent are exceptions allowing covered entities to decline or delay deletion requests for purposes such as meeting legal recordkeeping and retention requirements.
Regulated entities must also implement reasonable security measures, set strict internal access controls, and include certain data protection–related provisions in their contracts with processors, akin to the requirements for data processors or service provider contracts under the GDPR, CCPA and other data protection laws.
5. It welcomes private lawsuits
The MHMD provides robust enforcement mechanisms, including the ability for private citizens to sue violators. In addition to attorney general enforcement, regulated entities will be subject to civil lawsuits by individuals claiming violations of the MHMD under Washington’s Consumer Protection Act.
* * *
If passed, the bill is set to take effect March 31, 2024, for most regulated entities and June 30, 2024, for small businesses. Businesses that know they will be subject to the MHMD are now faced with more stringent consent obligations as well as a de facto prohibition on most sharing of consumer health data with third parties. Work should begin immediately to evaluate the compatibility of current or planned business practices that involve the collection or sharing of information even tangentially related to a consumer’s health, and companies should create a plan to implement compliance measures over the next 12 months.