Since the privacy and security regulations were issued under the federal Health Insurance Portability and Accountability Act (HIPAA), critics have pointed to the limits on the reach of those rules. A key limitation raised by privacy advocates is that the well-known health data privacy rule extends only to certain covered entities and their business associates, not to health data generally. On April 17, 2022, Washington’s legislature passed House Bill 1155, also known as the My Health, My Data Act. The bill aims to address health data collected by entities not covered by HIPAA, including certain apps and websites.
If signed by the governor, most sections of the law would take effect on March 31, 2024, though certain parts of the legislation may take effect sooner.
When would the law apply?
A “regulated entity” for purposes of the law is defined as an entity that:
- Conducts business in the State of Washington, or produces or provides products or services that are targeted to consumers in Washington, and
- Alone or jointly with others, determines the purposes and means of collecting, processing, sharing, or selling consumer health data.
The legislation creates a subgroup of regulated entities, known as “small businesses,” largely to provide a few more months to comply. Small businesses are regulated entities that satisfy one or both of the following thresholds:
- Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or,
- Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.
Who is protected by the law?
Under the legislation, a protected consumer is defined as a natural person who is a Washington resident or a natural person whose consumer health data is collected in Washington.
A consumer is only protected for actions taken as an individual or on behalf of a household and does not include actions taken by an individual acting in an employment context.
What data is protected by the law?
The law would protect “consumer health data,” defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. Health status includes but is not limited to the following:
- Individual health conditions, treatment, diseases, or diagnosis
- Social, psychological, behavioral, and medical interventions
- Health-related surgeries or procedures
- Use or purchase of prescribed medications
- Bodily functions, vital signs, symptoms, or measurements of health-related functions
- Diagnoses or diagnostic testing, treatment, or medication
- Gender-affirming care information
- Reproductive or sexual health information
- Biometric data
- Genetic data
- Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services and supplies
- Data that identifies a consumer seeking health care services.
What are the rights of consumers?
Under HIPAA, individuals have several rights with respect to their protected health information (PHI). These rights include the right to authorize disclosures in certain contexts (and revoke those authorizations), to request an amendment, to request an accounting of disclosures, to request a restriction on use and disclosure, and to be notified of a breach. The Washington legislation would provide consumers with the right to:
- Confirm whether their consumer health data is being collected, shared, or sold, including a list of all third parties and their affiliates to whom the data has been shared and their contact information.
- Consent to or deny collection or sharing of health data.
- Withdraw consent from a regulated entity or small business to collect or share health data.
- Delete health data collected by a regulated entity or small business, including on archived or backup systems.
- Be provided clear and conspicuous disclosure of rights to consent to or deny collection or sharing of health data.
The provisions concerning the administration of these rights look a lot like the provisions in the California Consumer Privacy Act (CCPA) and other recently enacted state comprehensive data privacy laws.
What obligations do businesses have?
The Washington law would add to the growing compliance burden on company websites, as it would require regulated entities and small businesses to maintain a consumer health data privacy policy prominently on their homepages. That policy must clearly and conspicuously disclose:
- Categories of consumer health data collected and the purpose for which the data is collected.
- Categories of sources from which the consumer health data is collected.
- Categories of consumer health data that are shared.
- A list of the categories of third parties and specific affiliates with whom consumer health data is shared.
- How a consumer can exercise the rights provided under the law.
This too is very similar to obligations under the CCPA. Regulated entities and small businesses may not discriminate against a consumer for exercising any rights included under the law. They also must respond to requests from consumers to withdraw consent to collect or share health data. Moreover, they must respond to requests from consumers to delete their consumer health data. The law also would mandate contracts be in place with processors of consumer health data and codify specific data security obligations for regulated entities and small businesses, including specific access management requirements.
Additionally, the law would make it unlawful for “any person” (apparently not just regulated entities or small businesses) to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.
How is the law enforced?
Under the new legislation, violations of the requirements for consumer health data would be enforceable either through actions brought by the State Attorney General’s Office or through private actions brought by affected consumers.