The My Health My Data Act, signed by the governor of Washington State, is expected to have an impact on the privacy practices of a wide range of digital health businesses—potentially reaching beyond the state’s borders. While the Act takes effect on March 31, 2024 for regulated entities and on June 30, 2024 for small businesses, the Act's geofencing provision will become effective on July 23, 2023.
Washington State Governor Jay Inslee signed the My Health My Data Act (the Act) into law on April 27, 2023. The legislature described the Act as a “gap-filler,” intended to protect consumer health data not otherwise protected by state and federal healthcare privacy regulations, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Washington’s Uniform Health Care Information Act (UHCIA), and 42 CFR Part 2 (regulating patient substance use disorder records).
The Act does not specify when its geofencing provision takes effect. Washington laws without a designated effective date go into effect 90 days after the conclusion of the legislative session. [1] Consequently, although the Act is not set to take effect until next year for both regulated entities and small businesses, the geofencing provision will become effective July 23, 2023.
Despite significant carveouts, the Act has wide-reaching privacy implications for Washington and non-Washington consumers and businesses and will likely spur numerous class action and similar legal challenges for regulated entities.
The Act protects consumers in Washington State, which includes both Washington residents and individuals whose consumer health data is collected in Washington.
The Act restricts how entities collect, use, and process “consumer health data,” which is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.”
In turn, “physical or mental health status” is broadly defined to include the following:
The Act covers “regulated entities” and “small business” entities.
Covered entities must maintain a “consumer health data privacy policy” on their homepage (in addition to other privacy policies the entity may be obligated to have) and they must disclose the following:
Covered entities must secure express affirmative consent (also known as opt-in consent) by way of a “clear affirmative act” from each consumer before collecting or sharing the data (e.g., clicking acceptance of a privacy policy).
To sell consumer data, the entity must obtain a valid authorization. A valid authorization is a plain language document that specifies (1) the specific data being sold; (2) the name and contact information of the collector, seller, and purchaser of the data; (3) the purpose of the sale; and (4) several other mandatory disclosures. An authorization to sell must be signed and dated by the consumer.
Consumers have a right to withdraw consent and a right to have their data deleted. Entities have 45 days to respond to a consumer’s request, though entities are permitted one 45-day extension “when reasonably necessary.”
Entities must implement and maintain administrative, technical, and physical security safeguards to protect the confidentiality, accessibility, and integrity of data.
Generally speaking, geofencing uses location data (such as GPS or RFID signals) to create a virtual boundary around a geographical area; when a device enters or exits the defined boundary, this can trigger an action on the device, such as pushing an alert, notification, advertisement, or security measure.
The Act makes it unlawful to implement a geofence around an entity providing in-person healthcare services where the geofence is used to:
Absent an unusual situation, the majority of HIPAA-covered entities are likely exempt from this provision (but separately governed by HIPAA). Other regulated entities and small businesses subject to the Act, however, should pay particular attention to whether their practices are compliant. This is an area that will likely be tested by plaintiffs’ attorneys and the Washington State Office of the Attorney General (AGO).
Significantly, given its breadth, the Act may impact a number of industries that are not typically considered processors of consumer health data, including the following:
Entities subject to the Act should anticipate that plaintiffs’ attorneys will be looking for test cases to bring under the new law.
Unlike many state privacy laws, the Act permits private causes of action—including class action lawsuits—by way of the Washington Consumer Protection Act (CPA). Litigants may recover attorneys’ fees and treble damages up to $25,000.
The Washington State AGO may investigate potential violations of the Act under Ch. 19.86 RCW. Complaints against a company for alleged violations of the Act will be logged by the AGO.
To mitigate potential actions, entities are encouraged to examine all sources of data they handle and manage for potential applicability to the My Health My Data Act.
Morgan Lewis’s privacy team can advise on compliance issues with the Act. Contact the authors of this LawFlash with any compliance questions:
[1] Wash. Const. Art. II(c).
[2] “Biometric data” includes data “generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics” that individually, or in combination with other data, identifies a consumer. This definition captures a wide set of data, and, among other things, may include data collected at a gym, face identification information, keystroke patterns, and voice recordings.