Keypoint: In the aftermath of the Supreme Court’s Dobbs decision, Washington legislators introduced legislation to enhance privacy protections for consumer health data.

In early March, lawmakers in Washington state’s House passed an amended version of the My Health My Data Act (HB 1155). The Act seeks to implement sweeping changes to how companies treat the consumer health data of Washington residents. The Act is supported by the Attorney General’s office and was filed in response to the United States Supreme Court’s Dobbs decision overturning Roe v. Wade. The Act is currently scheduled for a March 14 public hearing in the Senate Committee on Law & Justice.

In this post, we provide a brief summary of the Act as it passed the House on March 4. The Act underwent significant amendments prior to passing the House and could undergo further amendments in the Senate. Consequently, this post is intended only to provide a point-in-time analysis.

What is the purpose of the Act?

The Act creates protections for personal information relating to an individual’s health conditions or attempt to obtain health care services. According to the Act, “Washingtonians expect that their health data is protected under laws like the health information portability and accountability act (HIPAA). However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections. This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers’ health data.”

What entities are covered by the Act?

The Act generally applies to “regulated entities,” a term defined as “any legal entity that (a) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” The definition excludes government agencies, tribal nations, and contracted service providers when processing consumer health data on behalf of the government agency.

The Act does not contain applicability thresholds based on revenue or number of consumers, such as those found in laws like the California Consumer Privacy Act, Colorado Privacy Act, and Connecticut Data Privacy Act. The Act contains a number of exclusions and exemptions, some of which we discuss below.

“Consumer” is defined as a natural person who is a Washington resident or whose consumer health data is collected in Washington. The definition extends only to a person acting in an individual or household context (i.e., not employment); however, it specifically states that it includes persons identified through unique identifiers. The Act does not currently define “unique identifier,” but it does reference persistent unique identifiers in its definition of personal information and states that persistent unique identifiers include a cookie ID, an IP address, and a device identifier. The inclusion of this type of information, in conjunction with the Act’s prohibition on the sale of consumer health data, will require close analysis by regulated entities, especially in the wake of recent FTC enforcement activity.

As discussed further below, some of the Act’s provisions (i.e., the sale of consumer health data and geofencing) apply to “persons.” The Act defines “person” as “natural persons, corporations, trusts, unincorporated associations, and partnerships.” “Person” does not include government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of a government agency.

What information is covered by the Act?

The Act applies to “consumer health data,” which is defined broadly as “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer’s past, present, or future physical or mental health.” The Act provides a list of twelve categories that qualify as consumer health data. Some of the more notable categories are gender-affirming care information, reproductive or sexual health information, certain types of biometric and genetic data, and precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health service or supplies. The definition also includes “any information described [in the definition] that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).”

The definition of consumer health data excludes personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest subject to certain conditions. Through its definition of personal information, the Act also excludes publicly available information.

Although outside the scope of this summary article, the Act contains definitions for many terms, including biometric data, gender-affirming care, precise location information, and genetic data. In fact, the Act’s definitions section is approximately 40% of the Act’s total text.

What obligations does the Act create?

The Act requires regulated entities (or sometimes persons) to (1) maintain a consumer health data privacy policy, (2) restrict their collection and sharing of consumer health data, (3) provide consumers with rights regarding their consumer health data, (4) restrict access to consumer health data and institute data security measures, (5) implement data processing agreements with processors, (6) not sell consumer health data without the consumer’s valid authorization, and (7) not implement geofencing in certain situations. We briefly explain those provisions below.

Privacy Policy Requirements

The Act requires regulated entities to maintain a link to a consumer health data privacy policy on their homepages. The policy must clearly and conspicuously disclose (1) the categories of consumer health data collected and the purpose of collection, including how the data will be used, (2) the categories of sources of the consumer health data, (3) the categories of consumer health data that is shared, (4) a list of the categories of third parties and specific affiliates with whom the regulated entity shares consumer health data, and (5) how consumers can exercise their rights.

A regulated entity cannot collect, use, or share additional categories of consumer health data not listed in its privacy policy unless it discloses those additional categories and obtains the consumer’s affirmative consent. Similarly, a regulated entity cannot collect, use, or share consumer health data for undisclosed purposes without affirmative consumer consent.

As originally introduced, the Act would have required regulated entities to disclose more detailed information (e.g., a list of third parties instead of a list of categories of third parties); however, the requirements were amended to be more business-friendly.

Restrictions on the Collection and Sharing of Consumer Health Data

Regulated entities cannot collect or share consumer health data without consumer consent, except to the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity. Consent to collect and consent to share must be obtained separately. The Act identifies specific information that regulated entities must provide when requesting consent; that information is similar to the information required to be provided in privacy policies.

Subject to certain exceptions, the Act defines “share” to mean “to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity to a third party or affiliate.”

Consumer Rights

Consumers have the right to (1) confirm whether the regulated entity collects, shares, or sells the consumer’s health data and access that data, including a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and an active email address or other online mechanism that the consumer can use to contact those third parties, (2) withdraw consent, and (3) request that their consumer health data be deleted. Regulated entities have 30 days to respond to an authenticated deletion request. It appears that other requests must be responded to within 45 days. A consumer has a right to appeal a regulated entity’s refusal to act on a request.

Access Restrictions

Regulated entities must ensure that access to consumer health data is limited to those employees, processors, and contractors for whom access is necessary.

Information Security Requirements

Regulated entities must establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy the “reasonable standard of care within the regulated entity’s industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the personal data at issue.”

Data Processing Agreements

Regulated entities must execute agreements with processors that set forth the processing instructions and limit the actions the processor may take with respect to the consumer health data they process.

Restriction on the Sale of Consumer Health Data

The Act makes it unlawful for any person to sell or offer to sell consumer health data without a valid authorization signed by the consumer. A valid authorization must be written in plain language and state (1) what specific consumer health data is being sold, (2) the contact information of the seller, (3) the name and contact information of the purchaser, (4) the purpose of the sale, including how the sold data will be gathered and used by the purchaser, (5) the fact that goods and services cannot be conditioned on the signing of the authorization, (6) the consumer’s right to revoke the authorization, (7) the fact that the consumer’s information may be redisclosed by the purchaser and no longer be protected by the Act, and (8) an expiration date for the valid authorization that expires one year from when the consumer signs the valid authorization.

Prohibition on Geofencing

The Act makes it unlawful for any person to implement geofencing around any entity that provides in-person health care services when the geofence is used to identify or track consumers seeking health care services; collect consumer health data from consumers; or send notifications, messages, or advertisements to the consumers related to their consumer health data or health care services.

Geofence is defined as “technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wifi data, and/or any other form of location detection to establish a virtual boundary around a specific physical location. For purposes of this definition, ‘geofence’ means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.”

How does the Act address HIPAA?

The Act exempts protected health information for purposes of HIPAA and related regulations. It also exempts information originating from, and intermingled so as to be indistinguishable from, personal health information maintained by a covered entity or business associate. The Act contains a number of other healthcare-related exemptions, such as health care information collected, used, or disclosed in accordance with Washington’s medical records statutes. If the Act passes, healthcare entities will need to carefully review all of the exemptions.

What other exemptions does the Act provide?

The Act provides data-level exemptions for personal information subject to the GLBA, the FCRA, FERPA, the Washington health benefit exchange and applicable statutes and regulations, and the privacy rules adopted by the Office of the Insurance Commissioner. The Act also does not restrict a regulated entity’s or processor’s ability “to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.”

How would the Act be enforced?

Violations are enforceable by the Attorney General under the Washington Consumer Protection Act. Consumers injured by violations also can bring a claim under the Consumer Protection Act.