Washington state’s My Health, My Data Act (the Act), signed into law in April 2023, is a broad health data privacy law designed to protect consumer health data that falls outside the scope of HIPAA, such as health-related data collected by apps and websites.

The new law has significant implications for businesses and organizations located outside of Washington that collect or control the health-related data of Washington residents, of anyone visiting Washington, or of anyone whose health-related data is collected in Washington. It also reflects a heightened focus on regulating the large volume of health data that HIPAA does not cover, and it could serve as a model for other states seeking to enact similar protections.

Although the Act was introduced, in partnership with the Washington Attorney General, in response to judicial and legislative changes to reproductive rights and gender-affirming care, it creates much broader privacy rights with respect to individual health data.

The Act’s preamble summarizes the intended protections: “With this act, the legislature intends to provide heightened protections for Washingtonian’s health data by: Requiring additional disclosures and consumer consent regarding the collection, sharing, and use of such information; empowering consumers with the right to have their health data deleted; prohibiting the selling of consumer health data without valid authorization signed by the consumer; and making it unlawful to utilize a geofence around a facility that provides health care services.” The full text of the Act can be accessed here.

The Act is notable for its broad scope, especially its broad definition of “consumer health data,” as further discussed below. The Act will also apply to many entities that fall outside of the traditional healthcare context. In light of this, entities outside of Washington state, large and small, across a variety of industries, will need to analyze whether the Act impacts them.

The following is a high-level summary of the key provisions of the Act:

Who does the Act protect?

The Act protects “consumers,” defined as Washington residents and individuals “whose consumer health data is collected in Washington” outside of the employment context.

Notably, application to non-residents is a feature of the Act not found in most other state privacy laws. For example, a consumer who happens to be visiting Washington from another state, or even another country, could be afforded privacy rights in their health data such as the right to access that data, to withdraw consent to its collection and sharing, and to request its deletion. The same rights could extend to an individual located outside of Washington whose health data is collected in Washington.

Who must comply with the My Health, My Data Act?

The Act applies to “regulated entities,” meaning legal entities that conduct business in Washington, or that “produce or provide products or services that are targeted to consumers in Washington,” and that determine the purpose and means of collecting, processing, sharing, or selling consumer health data.

For example, a Virginia business that pushes a targeted advertisement for health-related products or services to Washington residents could be subject to the Act. An out-of-state business whose website is accessible to Washington residents could also fall under the law, depending on whether its products or services are targeted to Washington consumers.

The only exclusions from the definition of “regulated entity” are government agencies, tribal nations, and service providers processing consumer health data under contract for a government agency. Given these limited exclusions, the Act reaches entity types typically excluded from state privacy laws, such as nonprofits, as well as entities subject to industry-specific privacy regimes such as HIPAA (although, as noted below, data already regulated by HIPAA is exempt).

What data does the Act apply to?

The Act protects “consumer health data,” which is broadly defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”

The definition includes expected categories of health-related information, such as treatment information and diagnoses, but goes further to include precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.

Separately, the Act explicitly bans implementing a geofence around an entity that provides in-person health care services where the geofence is used to identify or track consumers seeking health care services, to collect consumer health data from them, or to send them notifications, messages, or advertisements related to their consumer health data or health care services. The Act defines a geofence as a virtual boundary of 2,000 feet or less around the perimeter of a physical location, so businesses that run location-based campaigns anywhere within that distance of an in-person health facility in Washington need to determine whether they are collecting consumer health data or triggering the ban.

In addition, the definition captures non-health information that a regulated entity (or its processor) processes to associate or identify a consumer with any of the listed categories of health data, where that information is derived or extrapolated from non-health data “such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning.” Because ordinary, non-health data can become consumer health data once it is used to infer or link a consumer’s health status, this provision could implicate a wide swath of data that a business would not otherwise treat as health-related.

The definition of “consumer health data” is subject to several exemptions, including protected health information regulated by HIPAA and information governed by the Gramm-Leach-Bliley Act. These exemptions are data-level rather than entity-level: an organization subject to HIPAA is still a regulated entity with respect to any consumer health data it handles that is not HIPAA-regulated.

When does the Act go into effect?

As noted by the Future of Privacy Forum’s Legislation Policy Brief on the Act, the data privacy provisions become effective on March 31, 2024, for regulated entities and on June 30, 2024, for small businesses. There is some ambiguity about the effective dates, but the geofencing ban and the enforcement provisions appear to take effect on July 23, 2023.

What are the penalties for non-compliance?

The My Health, My Data Act grants individuals a private right of action by making a violation an unfair or deceptive act under Washington’s Consumer Protection Act. Individuals may seek remedies such as actual damages, attorneys’ fees, and treble damages (subject to the cap the Consumer Protection Act places on the trebled amount). This private right of action is another standout feature that differentiates the Act from other state privacy laws, most of which leave enforcement solely to the state attorney general.

The Washington Attorney General may also bring enforcement actions against any regulated entity believed to be in violation of the Act.

If you have concerns about your data collection and privacy practices, members of our Cybersecurity & Data Privacy team are ready to help you review your policies and procedures.