Washington State House Bill 1155 – My Health My Data Act
Washington State is on track to pass a far-reaching new piece of legislation in the coming weeks. The "My Health My Data" Act (House Bill 1155), if signed into law, will take effect on March 31, 2024 for most regulated entities. The title of the law suggests that it applies only to health care related industries, when in fact it applies to any entity that conducts business in, or targets consumers in, Washington State. As a result, many companies are racing to understand the implications of the new law. Here are the highlights.
At a high level, the law protects consumer health data collected by all entities, not only by health care providers and other covered entities subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Consumers often mistakenly believe that HIPAA protects the privacy of their health data on any and all apps and websites, when in fact the party collecting the data is frequently not subject to the HIPAA rules at all.
The My Health My Data Act will require additional disclosures and consumer consent regarding the collection, sharing and use of consumer health data, and will give consumers the right to have their health data deleted. Additionally, the law will prohibit the sale of consumer health data without a valid authorization signed by the consumer, and will make it unlawful to track a consumer's location around a facility that provides in-person health care services (the law refers to this practice as "geofencing"). Notably, the law gives consumers a private right of action against companies that do not comply. This means that an individual whose data is not handled in compliance with the proposed My Health My Data Act may file a claim directly against the non-compliant company, in addition to any enforcement by the state Attorney General.
Who does My Health My Data apply to?
The law applies to any "regulated entity," which it broadly defines as any entity that (a) conducts business in Washington, or provides or produces products or services that are targeted to consumers in Washington, and (b) alone or jointly with others determines the purpose and means of collecting, processing, sharing or selling consumer health data. (For readers familiar with GDPR and similar legislation, this definition borrows from the "data controller" concept.) Excluded from the definition of "regulated entity" are government agencies, tribal nations, and contracted service providers when processing consumer health data on behalf of a government agency.
What Data is Covered?
The law defines "consumer health data" as any personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present or future physical or mental health status. This expressly includes the following 12 categories of data:
- individual health conditions, treatment, diseases, or diagnoses;
- social, psychological, behavioral, and medical interventions;
- health-related surgeries or procedures;
- use or purchase of prescribed medication;
- diagnoses or diagnostic testing, treatment or medication;
- gender-affirming care information;
- reproductive or sexual health information;
- biometric data;
- genetic data;
- precise location data that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
- data that identifies a consumer seeking health services or supplies; or
- any information that a regulated entity or small business (or their respective processor) processes to associate or identify a consumer with the above-listed categories of data, even where derived or extrapolated from nonhealth information (such as proxy, derivative, inferred or emergent data produced by any means, including algorithms or machine learning).
What are the Requirements?
- Consumer Health Data Privacy Policy
The first requirement is that companies maintain a "consumer health data privacy policy." The policy must clearly and conspicuously disclose: (a) the categories of consumer health data collected and the purpose for which it is collected, including how it will be used; (b) the categories of sources from which the consumer health data is collected; (c) the categories of consumer health data that is shared; (d) a list of the categories of third parties, and the specific affiliates, with whom the regulated entity shares the consumer health data; and (e) how a consumer can exercise their rights under the law.
Any category of consumer health data not disclosed in the privacy policy may not be collected, used or shared without first obtaining the consumer's affirmative consent. Similarly, an entity may not use consumer health data for purposes not disclosed in the policy without obtaining the consumer's consent, nor may the entity contract with a processor to collect, use or share the data in a manner inconsistent with the privacy policy.
- Consent to Collect; Consent to Share
In addition to maintaining a privacy policy, a regulated entity must obtain consent from the consumer prior to collecting consumer health data, except to the extent the collection is necessary to provide a product or service that the consumer has requested.
Separately, the regulated entity must obtain consent from the consumer prior to sharing the consumer's health data, again except to the extent necessary to provide a product or service the consumer has requested. This consent must be separate and distinct from the consent obtained at the time of collection.
In both cases, the request for consent must clearly and conspicuously disclose: (a) the categories of consumer health data collected or shared, (b) the purpose of the collection or sharing, including the specific ways the data will be used, (c) the categories of entities with whom the consumer health data is shared, and (d) how the consumer can withdraw consent from future collection or sharing of the consumer's health data. Consent cannot be obtained through acceptance of general or broad terms of use that combine descriptions of personal data processing with other unrelated information. Consent also cannot be inferred from a consumer hovering over, muting, pausing or closing a given piece of content, and it cannot be obtained through deceptive designs (so-called "dark patterns").
- Opt-in Requirement for Sale of Consumer Health Data
One of the more distinctive aspects of the new law is the high bar it sets for sales of consumer health data, making it unlawful to sell or offer to sell consumer health data without first obtaining a valid authorization from the consumer. To qualify as a "valid authorization," the document must be written in plain language and must contain all of the following:
- the specific consumer health data that the person intends to sell;
- the name and contact information of the person collecting and selling the consumer health data;
- the name and contact information of the person purchasing the consumer health data;
- a description of the purpose of the sale, including how the data will be gathered and how it will be used by the purchaser;
- a statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
- a statement that the consumer has a right to revoke the valid authorization at any time (and a description of how to submit a revocation);
- a statement that the consumer health data sold per the valid authorization may be subject to redisclosure by the purchaser and no longer protected;
- an expiration date no later than one year from the date the consumer signs (meaning the authorization is valid for at most one year); and
- the consumer’s signature and date.
Without all of the above, the authorization is not valid. Both the seller and the purchaser must retain copies of all valid authorizations for six years.
- Access and Control
Following the path of many other states in the growing patchwork of state privacy laws, the Washington law grants consumers broad rights to access and control the consumer health data a regulated entity collects about them. This includes the right to confirm whether the entity is collecting, sharing or selling the consumer's health data, to access that data, and to receive a list of all third parties and affiliates with whom the data has been shared or sold, together with an active email address or other online mechanism the consumer can use to contact those third parties. The consumer may withdraw consent to the collection and sharing of the data at any time and may request that the data be deleted.
Consumers can exercise these rights by submitting a request, at any time, through a secure and reliable means established by the regulated entity and described in its consumer health data privacy policy. The method used to exercise consumer rights must take into account the ways in which consumers normally interact with the company, the need for secure and reliable communication of such requests, and the company's ability to authenticate the identity of the consumer making the request. The requested information must be provided free of charge up to twice a year, and the company must respond to a request no later than 45 days after receiving it (extendable once by a further 45 days where reasonably necessary, provided the consumer is informed of the extension within the initial 45-day period).
- Data Minimization; Appropriate Administrative, Technical and Physical Controls
Similar to other state privacy laws, the Washington law will require that access to consumer health data be restricted within the company to only those employees, processors and contractors for whom access is necessary to further the purposes for which the consumer consented or which are necessary to provide the requested product or service. The law further requires that the company establish, implement and maintain administrative, technical and physical data security practices that satisfy a reasonable standard of care within its industry to protect the confidentiality, integrity and accessibility of consumer health data.
- No Geofencing
As one of the first provisions of its kind, the law prohibits implementing a "geofence" around an entity that provides in-person health care services when the geofence is used to identify or track consumers seeking health care services, to collect consumer health data from consumers, or to send notifications, messages or advertisements to consumers related to their consumer health data or health care services. This prohibition takes effect within 90 days of the bill's passage, whereas most of the remaining provisions will not take effect until March 31, 2024. A geofence is defined as technology that uses GPS coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary, where the boundary is 2,000 feet or less from the perimeter of the physical location. A clear response to the Supreme Court's Dobbs decision, this provision is intended to ensure that an individual's choice to access reproductive health care in Washington State remains private and is not shared.
Conclusions
As noted above, the bill contains a private right of action, permitting individual consumers to pursue claims for violations. This, combined with the breadth of the definition of "consumer health data" and other key definitions, leaves open many questions about which kinds of companies the law will reach in practice. Many companies may find themselves struggling to comply with the privacy policy, notice and consent requirements even if they do not collect data they consider to be health-related personal data. Despite the law's stated purpose of promoting consumer protection, there is a real risk of consumers becoming even more confused by its requirements, especially when taken together with the patchwork of other state laws, making privacy compliance all but impossible for companies with a presence across multiple states. The call for uniform federal privacy legislation grows stronger.