Growing trend holds more businesses accountable for health data: Washington’s new privacy law, ‘My Health My Data Act’
Washington is raising the bar on state-level privacy protections for the collection of health data. Businesses that collect such data will be required to give consumers additional notices and to provide mechanisms through which consumers can exercise a set of rights over their health data.
On April 27, 2023, Washington enacted the “My Health My Data Act,” a law that governs the collection, sharing, and selling of consumer health data. The act is touted as one of the first data privacy laws in the country to protect individual health data that falls outside the scope of the Health Insurance Portability and Accountability Act (HIPAA). With similar amendments to California and New York laws, the trend toward expanded protections is likely to build steam.
Key provisions of Washington’s ‘My Health My Data Act’
The act imposes specific requirements with broad application. It reaches well beyond the healthcare industry and is aimed particularly at personal health information that falls outside the realm of HIPAA. (Data governed by the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA) is specifically excluded from Washington’s law.)
Washington defines "consumer health data" to mean “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.” A “consumer” includes not only Washington residents but also any natural person whose consumer health data is collected in Washington.
Under this law, consumers have a right to:
- Access their consumer health data.
- Confirm whether an entity is collecting, sharing, or selling their data.
- Receive a list of all third parties and affiliates with whom the entity has shared or sold their data.
- Request that their data be deleted.
- Withdraw their consent from an entity collecting and sharing their health data.
Required Entity Standards
- Entities must restrict access to consumer health data to those individuals who need it to further the purposes for which the consumer gave consent or, where necessary, to provide a product or service that the consumer requested.
- Entities must maintain administrative, technical, and physical safeguards that reasonably protect the confidentiality, integrity, and accessibility of consumer health data, taking into account the entity’s industry and the volume and nature of the consumer health data at issue.
- Entities have 45 days to respond to a consumer request, extendable to a total of 90 days when requests are particularly numerous or complex, provided the entity notifies the consumer of the extension within the initial 45-day period.
- Entities must set up an appeal process for consumers in the event they do not take action on a consumer request including, if the appeal is denied, providing information to the consumer on how to contact the attorney general to submit a complaint.
- Entities may delay compliance with a deletion request for up to six months where the data is stored on archived or backup systems and the entity must access those backups or restore archived files to fulfill the request.
- Entities cannot collect consumer health data without consent from the consumer unless the collection is necessary to provide a product or service that the consumer has requested.
- Entities cannot share consumer health data without separate consent from the consumer unless sharing the data is necessary to provide a product or service that the consumer has requested.
- No entity or other person may sell or offer to sell consumer health data without first obtaining a signed authorization document that clearly and concisely explains, among other things, the specific consumer health data to be sold, the purpose of the sale, how the consumer can revoke the authorization, and the name and contact information of the entities purchasing, collecting, and selling the data.
- Data processors, meaning those that “perform any operation or set of operations on consumer health data on behalf of a regulated entity or a small business,” must be contractually bound to the regulated entity’s instructions and to these limitations.
The law also prohibits the use of a “geofence,” defined as “technology that uses GPS coordinates, cell tower data, Wi-Fi data, or other forms of spatial or location detection” to establish a virtual boundary around a location, around an entity that provides in-person health care services for the purpose of collecting consumer health data or identifying, tracking, notifying, or advertising to consumers seeking health services.
The geofencing prohibition in Section 10 of the law is already in effect. The law’s remaining mandates take effect on March 31, 2024, although entities that qualify as small businesses have until June 30, 2024 to comply. A “small business” is a regulated entity that either (1) collects, processes, sells, or shares the consumer health data of fewer than 100,000 consumers during a calendar year, or (2) derives less than 50 percent of its gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares the consumer health data of fewer than 25,000 consumers.
Under the law, a violation constitutes an unfair or deceptive act in trade or commerce and an unfair method of competition under Washington’s Consumer Protection Act. The Consumer Protection Act authorizes the state Attorney General to enforce the law and also affords consumers a private right of action to seek damages.
If you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team. You can also find additional legislative updates at McDonald Hopkins Legal Insights.