Almost one year ago, Washington State passed the “My Health, My Data” Act (the Act), which aims to protect Washington consumer health data, particularly data related to reproductive healthcare. The Act is the first law in the country aimed at protecting the vast amount of health data that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA), encompassing data collected by wearables, certain retail purchases, and non-HIPAA telehealth services. The Act takes effect at the end of this month.
In preparation for the effective date of 31 March 2024, one of the most burdensome proactive compliance requirements is that a regulated entity must publish a link to its consumer health data privacy policy on its homepage, which the Washington State Office of the Attorney General has clarified “must be a separate and distinct link on the regulated entity’s homepage and may not contain additional information not required under” the Act. This means that simply adding a provision to an existing privacy policy is not enough to comply with the Act; regulated entities and small businesses need a new, stand-alone consumer health data privacy policy. Small businesses under the Act have three additional months and must comply with this same requirement by 30 June 2024.
The consumer health data privacy policy must be published via a link on the website homepage and “clearly and conspicuously” disclose the following:
- The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used by the regulated entity or small business;
- The categories of sources from which the consumer health data is collected;
- The categories of consumer health data that is shared;
- A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
- How a consumer can exercise their rights provided under the Act, including revocation of consent and requests for deletion.
Importantly, the Act states that a regulated entity or a small business cannot collect, use, or share consumer health data for any other purposes not specifically disclosed in the consumer health data privacy policy unless the regulated entity or small business first: (1) discloses those additional purposes; and (2) obtains the consumers’ affirmative consent for such collection, use, and disclosure.
A violation of the Act is deemed a per se violation of the Washington Consumer Protection Act, subject to enforcement by the Washington Attorney General. The Act also permits enforcement through a private right of action, with multiple questions as to the scope of such enforcement yet to be determined. Given that the Act is a landmark law with increased scrutiny over consumer data protection—as demonstrated by recent FTC enforcement actions and data privacy class actions—we anticipate active enforcement of the Act by the Washington Attorney General and the plaintiffs’ class action bar.