On April 27, 2023, the state of Washington enacted a landmark privacy law aimed at protecting health data not covered by HIPAA. The law, named the “My Health My Data Act,” covers a very wide range of entities, consumers, and data, and it contains a private right of action. Companies should begin evaluating the scope of the law and its requirements now, well before it takes effect on March 31, 2024 (for “small businesses,” June 30, 2024).
There are many nuances and complexities to this law that go beyond HIPAA or any other existing state “comprehensive” privacy law. We highlight some of the key elements below:
- Applicability. Unlike other state consumer privacy laws, this law contains no revenue or volume-of-processing thresholds. The law applies to “regulated entities” collecting “consumer health data” from “consumers,” and each of these key terms is defined broadly. Non-governmental entities, including non-profits, are in scope if they conduct business in Washington or produce or provide products or services targeted to Washington consumers, and, alone or jointly with others, determine the purposes and means of collecting, processing, sharing, or selling consumer health data.
“Consumers” encompass Washington residents as well as any person whose health data is “collected” in Washington (and “collect” is defined far more broadly than the traditional sense of the word: it includes accessing, retaining, inferring, deriving, or otherwise processing the data in any manner, not only obtaining it directly from the consumer). The law does not apply to individuals in an employment context or to employee data. The broad definition of “consumer health data” includes even data derived from non-health information that may indicate a consumer’s attempt to receive health services or supplies. There are exceptions for data that is subject to certain enumerated privacy laws such as HIPAA, GLBA, FCRA, FERPA, and existing Washington state laws related to health care and insurance. For more details on these key definitions and the scope of the law, read our post here.
- Notice. Like other privacy laws, this law requires entities subject to it to publish a privacy policy with certain required content. It remains to be seen whether existing website privacy policies can be used, or whether a separate notice will be required.
- Rights. While the types of rights and procedural requirements will be generally familiar to companies subject to other consumer privacy laws, certain aspects go further than existing US privacy laws. For example, the details that must be provided in response to an access request, and the lack of the usual exceptions to consumers’ right to delete, will create burdensome operational challenges. For more details on consumer rights requests, read our post here.
- Consent. The law requires opt-in consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a product or service the consumer has requested. There are also separate requirements for “sharing” (though the definition does not track the CCPA’s definition). In addition, there is an onerous authorization requirement for any “sale” of consumer health data. The broad definition of “sale,” coupled with the requirement to obtain a written and signed authorization for any “sale,” may affect how companies engage in targeted advertising. For more details on the consent requirements, read our post here.
- Geo-fencing ban. Geo-fencing means establishing a virtual perimeter around a specific geographic area (the law defines a geofence as a virtual boundary of 2,000 feet or less around the perimeter of a physical location). The law prohibits companies from using a geofence around an in-person health care services facility to identify or track consumers, collect consumer health data, or send ads or notifications based on a consumer’s proximity to the facility.
The law may be enforced through a private right of action, in addition to enforcement by the Washington Attorney General. It fits a growing trend toward increased scrutiny of, and protections for, health data not covered by HIPAA. (See here for a discussion of the FTC’s focus on this area.)