The My Health My Data Act (“Act”) was approved by the Washington State House on April 17, 2023. The Act is now with Governor Jay Inslee for signature and is expected to be signed into law in its current form, which is broad enough that anyone with any activity in Washington should consider its scope and implications for their operations. Because the Act will be enforceable through a private right of action, it has the potential to create substantial legal exposure for violations.
The Act creates new and unique consumer rights and business obligations relating to the collection, sharing, and use of “Consumer Health Data” (“CHD”). It expressly aims to “close the gap between consumer knowledge and industry practice” by extending obligations related to the processing of CHD to entities not covered by HIPAA. However, its potential scope is significantly broader than that, in part because of the sweeping definition of CHD (which expressly includes data that identifies past, present, or future physical or mental health status, for example, “bodily functions” and “precise location information that could reasonably indicate an attempt to receive health services or supplies”). The Act will impact a range of businesses, including advertisers, mobile app providers such as health and wellness trackers, wearable device manufacturers and, of course, healthcare and wellness industry companies and their data processors handling non-HIPAA-regulated CHD. Notably, the Act expressly addresses abortion/reproductive health services and gender-affirming care services, including by making it unlawful for any person to use a “geofence” (or virtual boundary) around a facility that provides health care services for the purposes of identifying or tracking consumers seeking such services; collecting CHD from consumers; or sending them notifications, messages, or advertisements related to their CHD or health care services. This restriction applies regardless of consent or opt-in.
Many of the Act’s definitions appear to be significantly broader than the definitions in other privacy laws, meaning the Act might apply to companies that do not currently consider themselves to be collecting or processing health data (e.g., a cosmetics retailer where a customer completes a “skin analysis” and purchases foundation for “acne prone” skin).
The Act specifies effective dates on a provision-by-provision basis throughout. Most sections of the Act should come into effect on March 31, 2024, and three months later on June 30, 2024, for small businesses. The legislature did not include an effective date in the provision that prohibits geofencing, which could cause the prohibition to be effective as early as July 22, 2023, because under Washington law, bills signed into law take effect 90 days after the end of the session in which they were passed, unless they specify otherwise.
Who gets the new rights and protections under the Act?
The Act protects only “consumers” acting in an individual or household context and who are either Washington residents or natural persons whose CHD is collected in Washington state, regardless of their residency or location. This could have significant implications for companies physically situated in Washington but processing data of individuals located elsewhere.
Notably, in contrast to California’s amended CCPA, this Act expressly excludes from the definition of “consumer” an individual acting in an employment context; however, it is not clear whether this means relief only for the employer or also for others (including benefits providers), and whether all processing by such entities would be “in the employment context.”
Who must comply with the Act’s requirements?
The Act’s obligations apply to a “regulated entity,” defined as any legal entity that: (1) conducts business in Washington or produces or provides products or services that are “targeted” to consumers in Washington and (2) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of CHD. The Act does not apply to government agencies, tribal nations, or contracted service providers processing CHD on behalf of a government agency. However, a regulated entity does not have to be a for-profit entity. The Act also defines the term “small business” as another type of entity subject to the Act. However, the term “small business” is essentially subsumed in the term “regulated entity,” and all obligations under the Act generally also apply to small businesses, but with a short delay to the effective date for certain provisions. Whether an entity is a “small business” is determined by certain data processing volume thresholds.
For the purposes of this article, we refer only to “regulated entities.”
What data is CHD?
“CHD” under the Act is personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status, and specifically includes:
Individual health conditions, treatment, diseases, or diagnoses;
Social, psychological, behavioral, and medical interventions;
Health-related surgeries or procedures;
Use or purchase of prescribed medication;
Bodily functions, vital signs, symptoms, or measurements of the information expressly identified in the definition of CHD;
Diagnoses or diagnostic testing, treatment, or medication;
Gender-affirming care information (as defined by the Act);
Reproductive or sexual health information (as defined by the Act);
Biometric data (as defined by the Act);
Genetic data (as defined by the Act);
Precise location information (as defined by the Act) that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
Data that identifies a consumer seeking “health care services,” which is defined broadly as any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health; and
Any information that a regulated entity, or its respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
There are several data category exemptions. For example, the Act will not apply to: (A) Protected Health Information (PHI) governed by HIPAA, information intermingled with PHI maintained by HIPAA-regulated entities, and health records governed by or created pursuant to other healthcare-related state and federal laws; (B) Data regulated by the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Administrative Simplification provisions of the Social Security Act, Family Educational Rights and Privacy Act, statutes and regulations applicable to the Washington Health Benefit Exchange, and certain privacy rules adopted by the Washington Office of the Insurance Commissioner; or (C) Deidentified data (data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such a consumer, so long as certain requirements are met).
The obligations imposed by the Act do not restrict the collection, use, or disclosure of CHD to prevent, detect, protect against, or respond to security incidents, theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under WA or federal law; to preserve the integrity or security of systems; or to investigate, report, or prosecute those responsible for any such action that is illegal under WA or federal law. This is important for businesses to consider, as many data processing activities could potentially fall into this category.
What obligations are imposed by the Act?
Regulated entities (including small businesses):
may not collect any CHD except with affirmative consent for a specified purpose; or to the extent necessary to provide a product or service requested by the consumer. Under the Act the term “collecting” includes “buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving, or otherwise processing CHD in any manner.”
may not share CHD except with affirmative consent that is “separate and distinct” from the consent to collect; or to the extent necessary to provide a product or service requested by the consumer. Importantly, the definition of “share” includes disclosures to affiliates (something that could create significant operating hurdles for group companies if they cannot squarely fit their internal sharing within the exceptions above). However, “sharing” excludes disclosure to (1) a processor in order to provide goods or services in a manner consistent with the purpose for collection disclosed to the consumer; or (2) a third party with whom the consumer has a direct relationship, if certain conditions are satisfied. It also excludes disclosures of data as an asset in the M&A context, if the recipient complies with the Act.
Regulated entities must restrict access to CHD by employees, processors, and contractors to that which is necessary to provide the consumer-requested product or service or for the purposes for which the consumer provided consent.
Regulated entities must establish and maintain administrative, technical, and physical data security practices satisfying a reasonable industry standard to protect CHD appropriate for the volume and nature of the data.
The Act makes it unlawful for any person to implement a “geofence” around an entity that provides in-person health care services where such geofence is used to: (1) identify or track consumers seeking health care services, (2) collect CHD, or (3) send notifications, messages, or advertisements to consumers related to their CHD or health care services. Geofence is defined as “technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of location detection to establish a virtual boundary around a specific physical location. For purposes of this definition, ‘geofence’ means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.” Because of the broad definition of “CHD,” which covers an expansive scope of personal data, and of “health care services,” which includes any services “to assess, measure, improve, or learn about a person’s mental or physical health” (e.g., a book store could arguably fall within the definition by offering a service that a person can use to “learn about” or “improve” their mental or physical health), the prohibition on geofencing could apply to a broad range of businesses and business activities. For example, a fitness club’s app that checks you in when entering the club could be seen as violating this prohibition. More broadly, a retailer that uses geofencing to push coupons or ads to consumers who visit a supermarket, which often has a pharmacy inside, could be seen as violating this geofencing prohibition.
Any person must obtain a consumer’s separate authorization to sell or offer to sell specific CHD, and such authorization may not be a condition of the provision of goods or services. This must be done by providing the consumer with specific plain language disclosures, including on the purpose of the sale and the buyer’s name and contact information. Authorization is only valid for one year and may be revoked sooner. A copy of the signed authorization must be provided to the consumer, and both the seller and the buyer of the data must retain a copy of the authorization for 6 years.
Specific requirements apply to use of processors.
Consumers have a number of privacy rights under the Act, including the right to:
confirm whether a regulated entity is collecting, sharing, or selling the consumer’s health data;
access CHD, including a list of all third parties and affiliates with whom the regulated entity has shared or to whom it has sold the CHD and an active email address or other online mechanism to contact such parties;
withdraw consent from the regulated entity’s collection and sharing of CHD;
delete CHD concerning the consumer; and
appeal a regulated entity’s refusal to take action on a request.
The Act’s deletion right is apparently nearly unfettered. A regulated entity must delete a consumer’s health data from its records, including from all parts of its network and from archived or backup systems, and will not be able to decline, or delay, deletion requests based on the common exceptions found in other data privacy laws, including the CCPA. Regulated entities will have just 45 days to comply with a consumer’s request. The major exception is inability to authenticate such a request using commercially reasonable efforts.
The Act includes a prohibition against discrimination in relation to exercising the consumer rights.
AG enforcement and private right of action
Violations of the Act are “an unfair or deceptive act in trade or commerce and an unfair method of competition” under Washington’s Consumer Protection Act. The Act is enforceable both by the Attorney General’s office and through a full private right of action for aggrieved consumers.
Under the Washington Consumer Protection Act, the Washington Attorney General may bring an action on behalf of the people of the state to restrain and prevent prohibited or unlawful acts (RCW 19.86.080(1)), and any person injured by deceptive acts or practices may bring a civil action to: (1) enjoin further deceptive acts or practices; (2) recover the actual damages sustained; and (3) recover reasonable attorneys' fees and costs (RCW 19.86.090). Courts have discretion to increase awards of damages up to the lesser of: $25,000 or an amount of up to three times the actual damages (RCW 19.86.090).
Given its expansiveness and broad reach, this Act significantly impacts entities in and out of Washington that collect and process Washington residents’ personal information or that process personal information in Washington state. This is especially noteworthy for the global privacy community, given that Washington is home to some of the largest technology companies and cloud service providers in the world.
Entities doing business in and/or collecting or processing personal information in Washington should review their data inventory, collection, and sharing practices to determine if this Act applies. Such entities should be thinking about how to integrate compliance with it into their existing data privacy compliance programs.