Background:

On April 17, 2023, Washington's state legislature passed the "My Health My Data Act" (the "Act"), a sweeping health privacy bill that will have an outsized impact on how businesses collect and use health data not covered by HIPAA. The law is expected to be signed by Governor Inslee and would take effect on March 31, 2024.

Key Takeaways: Once signed, the Act will be the most significant privacy law since California enacted the CCPA in 2018. The law purports to address health data not covered by HIPAA, but its application is likely to be far broader due to several vague provisions and broadly defined terms. The Act's sweeping breadth, along with a private right of action, will raise significant compliance challenges and litigation risk for covered entities.

Broad Scope of the Act

Consumer Health Data

The Act purports to apply only to "consumer health data," but the term is defined so broadly that it may apply to virtually any category of personal information. The Act defines this term as "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status." In practice, the definition reaches most data reasonably related to health, wellness, nutrition, fitness, and other health-adjacent topics.

It includes the following nonexclusive list of covered categories:

1. Individual health conditions, treatment, diseases, or diagnosis;

2. Social, psychological, behavioral, and medical interventions;

3. Health-related surgeries or procedures;

4. Use or purchase of prescribed medication;

5. Bodily functions, vital signs, symptoms, or measurements of the information described in these covered categories of information;

6. Diagnoses or diagnostic testing, treatment, or medication;

7. Gender-affirming care information;

8. Reproductive or sexual health information;

9. Biometric data;

10. Genetic data;

11. Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;

12. Data that identifies a consumer seeking health care services; or

13. Any information that a regulated entity, or their respective processor, processes to associate or identify a consumer with the data described in the previously listed categories that is derived or extrapolated from non-health information.

Some of these terms are subject to very broad definitions. For example, "health care services" includes "any service provided to a person to assess, measure, improve, or learn about a person's mental or physical health," which could cover a vast array of data from search engines, social media platforms, or retailers that sell products that might "improve" a person's health. The law also extends to information derived or inferred from non-health information by any means, including through machine learning or artificial intelligence.

There are a few narrow exemptions, such as for peer-reviewed research in the public interest, publicly available data, and data covered by certain enumerated privacy laws, like HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act.

Covered Entities

The Act applies to a broad range of businesses, including many that have little or no connection to Washington. It applies to any legal entity that: (a) conducts business in Washington, or produces or provides products or services that are "targeted" to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data. Government agencies, tribal nations, and contracted service providers that process consumer health data on behalf of a government agency are excluded. The Act does not define what it means to "target" products or services to consumers in Washington, and it is possible courts will construe it broadly to include any online service accessible in Washington state.

Consumers are also defined more broadly than in most other privacy laws. The Act defines "Consumer" as (a) a natural person who is a Washington resident; or (b) a natural person whose consumer health data is "collected in Washington." The term "collected" is defined broadly to include most processing activities, which means it may cover consumers with no Washington connection but whose data was processed there. Importantly, the term "consumer" means a natural person who acts only in an individual or household context, so it does not include B2B or employment data.

Enforcement & Right of Action

Unlike most other recent privacy laws, the Act includes a private right of action in addition to enforcement by the Washington Attorney General's office. Violations under the Act are enforceable under the Washington Consumer Protection Act, which allows the Washington Attorney General to seek civil penalties up to $7,500 per violation. Private plaintiffs may seek actual damages, which may be trebled up to a maximum of $25,000 at the court's discretion, along with costs and attorneys' fees.

Note that the 45-day period discussed under Consumer Rights below governs how quickly a regulated entity must respond to a consumer request. It is not a cure period: the Act gives regulated entities no opportunity to cure a violation before the Attorney General or a private plaintiff may bring an action.

Consumer Rights

The Act provides consumers with strong individual rights. Controllers have 45 days to respond to consumer requests and may extend that period once by an additional 45 days when reasonably necessary depending on the complexity of the request and after notifying the consumer. These rights include:

1. The Right to Know: Consumers have the right to confirm whether a covered entity is collecting, selling, or sharing their health data (and if so, a list of all third parties and affiliates with whom the entity has sold or shared data).

2. The Right to Access: Consumers have the right to access that data.

3. The Right to Delete: Consumers have the right to request the deletion of their consumer health data. Notably, there are few exceptions to the deletion right, including no express right to refuse deletion in order to comply with legal obligations that may require retention. This provision is likely to raise significant compliance challenges.

4. The Right to Withdraw: Consumers have the right to withdraw their consent to have their health data sold or processed.

Obligations on Covered Entities

The Act also imposes numerous obligations on covered entities who process consumer health data, including several new substantive requirements. These obligations include:

  • Health Data Privacy Policy. Covered entities must provide consumers with a Consumer Health Data Privacy Policy via a website link on the entity's homepage that includes: (a) the categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used; (b) the categories of sources from which the consumer health data is collected; (c) the categories of consumer health data that are sold or shared; (d) a list of the categories of third parties and specific affiliates with whom the business shares the consumer health data; and (e) how a consumer can exercise the rights provided for them in the Act. This notice appears to be required in addition to any other privacy policy required by other laws.
  • Opt-in consent. Covered entities must obtain opt-in consent to collect or share consumer health data unless the collection or sharing is necessary to provide a product or service that the consumer has requested. Regulated entities must also obtain consent to sell consumer health data, and sale is defined broadly (as it is in California). Sale is prohibited without obtaining a "valid authorization" from the consumer containing specific disclosures and therefore is likely to effectively prohibit third-party targeted advertising on services that process consumer health data. This consent cannot be obtained via acceptance of terms of use or through deceptive designs.
  • Geofencing Prohibition. The Act prohibits any "person" (defined more broadly than covered entities) from "geofencing" (i.e., using technology to create a geographic boundary) any facility that provides in-person health care services if the geofence is used to identify or track consumers seeking health care services, collect consumer health data, or send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. As described above, "consumer health data" and "health care services" are both defined broadly enough to cover many data uses that are not directly related to the provision of health care as commonly understood.
  • Limit access. Covered entities must restrict access to consumer health data by their employees, processors, and contractors to only those for whom access is necessary to further the purposes for which the consumer provided consent, or where access is necessary to provide a product or service that the consumer to whom the data relates has requested.
  • Data security. Covered entities must establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy a reasonable standard of care within the regulated entity's industry to protect the confidentiality, integrity and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.

The Act's broad scope and private right of action will require organizations to carefully consider their compliance obligations before the law goes into effect in March 2024. If you have questions about this law or any other privacy or security concerns, our team is ready to help.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.