The Broad Reach of Washington State’s My Health My Data Act

The My Health My Data Act, signed by the governor of Washington State, is expected to have an impact on the privacy practices of a wide range of digital health businesses—potentially reaching beyond the state’s borders. While the Act takes effect on March 31, 2024 for regulated entities and on June 30, 2024 for small businesses, the Act's geofencing provision will become effective on July 23, 2023.

Washington State Governor Jay Inslee signed the My Health My Data Act (the Act) into law on April 27, 2023. The legislature described the Act as a “gap-filler,” intended to protect consumer health data not otherwise protected by state and federal healthcare privacy regulations, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Washington’s Uniform Health Care Information Act (UHCIA), and 42 CFR Part 2 (regulating patient substance use disorder records).

It should be noted that the Act does not specifically identify when its geofencing provision commences. Washington laws without a designated effective date go into effect 90 days after the conclusion of the legislative session. [1] Consequently, although the Act is not set to take effect until next year for both regulated entities and small businesses, the geofencing provision will become effective July 23, 2023.

Despite significant carveouts, the Act has wide-reaching privacy implications for Washington and non-Washington consumers and businesses and will likely spur numerous class action and similar legal challenges for regulated entities.

WHO IS PROTECTED?

The Act protects consumers in Washington State, which includes both Washington residents and individuals whose consumer health data is collected in Washington.

• “Collect” is defined as “to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.”
• “Process” is relatedly defined as “any operation or set of operations performed on consumer health data.”

WHAT INFORMATION IS PROTECTED?

The Act restricts how entities collect, use, and process “consumer health data,” which is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.”

In turn, “physical or mental health status” is broadly defined to include the following:

• Individual health conditions, treatment, diseases, or diagnosis
• Social, psychological, behavioral, and medical interventions
• Health-related surgeries or procedures
• Use or purchase of prescribed medication
• Bodily functions, vital signs, symptoms, or measurements of the information
• Diagnoses or diagnostic testing, treatment, or medication
• Gender-affirming care information
• Reproductive or sexual health information
• Biometric data [2]
• Genetic data
• Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies
• Data that identifies a consumer seeking healthcare services
• Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer from non-health data

WHICH ENTITIES ARE COVERED BY THE ACT?

The Act covers “regulated entities” and “small business” entities.

• Regulated entities are those that conduct business in Washington or target Washington consumers.
• Small businesses are entities that collect data of fewer than 100,000 consumers a year, or that derive less than 50% of their gross revenue from consumer data (with data pulled from no more than 25,000 consumers).

IF THE ACT APPLIES, WHAT ARE THE REQUIREMENTS?

Covered entities must maintain a “consumer health data privacy policy” on their homepage (in addition to other privacy policies the entity may be obligated to have) and they must disclose the following:

• Categories of data collected and the purpose for the collection
• How data will be used
• Categories of sources from which data is collected
• Categories of data shared
• A list of the third parties and affiliates with whom data is shared
• How a consumer can exercise their rights

Covered entities must secure express affirmative consent (also known as opt-in consent) by way of a “clear affirmative act” from each consumer before collecting or sharing the data (e.g., clicking acceptance of a privacy policy).

To sell consumer data, the entity must obtain a valid authorization. A valid authorization is a plain language document that specifies (1) the specific data being sold; (2) the name and contact information of the collector, seller, and purchaser of the data; (3) the purpose of the sale, and (4) several other mandatory disclosures. An authorization to sell must be signed and dated by the consumer.

Consumers have a right to withdraw consent and a right to have their data deleted. Entities have 45 days to respond to a consumer’s request, though entities are permitted one 45-day extension “when reasonably necessary.”

Entities must implement and maintain administrative, technical, and physical security safeguards to protect the confidentiality, accessibility, and integrity of data.

THE ACT LIMITS THE PERMISSIBLE USE OF GEOFENCES

Generally speaking, geofencing uses certain data (GPS or RFID) to create a virtual boundary around a geographical area, and when a device enters or exits the defined boundary, it can trigger an action on the device, such as pushing an alert, notification, advertisement, or security measure.

The Act makes it unlawful to implement a geofence around an entity providing in-person healthcare services where the geofence is used to:

• identify or track consumers seeking healthcare services;
• collect consumer health data from consumers; or
• send notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services.

Absent an unusual situation, the majority of HIPAA-covered entities are likely exempt from this provision (but separately governed by HIPAA). Other regulated entities and small businesses subject to the Act, however, should pay particular attention to whether their practices are compliant. This is an area that will likely be tested by plaintiffs’ attorneys and the Washington State Office of the Attorney General (AGO).

THE ACT MAY HAVE UNINTENDED CONSEQUENCES

Significantly, given its breadth, the Act may impact a number of industries that are not typically considered as processors of consumer health data, including the below:

• Auto companies that utilize facial detection technology for vehicle safety features may need to secure consumer consent to process data.
• Technology companies that host, store, and process data in Washington State will need to review the law to confirm they are compliant.
• The Act could preclude collecting data when a consumer is at the gym, going to a health spa, or even looking up what medications can help relieve cold symptoms while at a grocery store.

WHAT ARE THE CONSEQUENCES OF A VIOLATION?

Entities subject to the Act should anticipate that plaintiffs’ attorneys will be looking for test cases to bring under the new law.

Unlike many state privacy laws, the Act permits private causes of action—including class action lawsuits—by way of the Washington Consumer Protection Act (CPA). Litigants may recover attorneys’ fees and treble damages up to $25,000.

The Washington State AGO may investigate potential violations of the Act under Ch. 19.86 RCW. Complaints against a company for alleged violations of the Act will be logged by the AGO.

WHAT’S NEXT?

To mitigate potential actions, entities are encouraged to examine all sources of data they handle and manage for potential applicability to the My Health My Data Act.