Is Washington’s My Health My Data Act the Most Impactful Privacy Legislation Since CCPA?
On April 27, 2023, Washington Governor Jay Inslee signed into law the “My Health My Data Act” (the “Act”), providing expansive data rights and obligations associated with health-related data. The drafters of the Act intend for it to provide heightened protections for Washingtonians' Consumer Health Data by: (i) requiring additional disclosures and consumer consent regarding the collection, sharing, and use of such information; (ii) empowering consumers with the right to have their Consumer Health Data deleted; (iii) prohibiting the sale of Consumer Health Data without a valid authorization signed by the consumer; and (iv) making it unlawful to implement a Geofence around a facility that provides health care services.
The Act distinguishes itself from the comprehensive privacy laws enacted throughout the United States in recent years, with a stated purpose of closing a gap in the protection of Washingtonians' Health Data, since “HIPAA only covers Health Data collected by specific health care entities” and “Health Data collected by noncovered entities are not afforded the same protections.” However, the provisions of the Act capture a much broader scope, reaching both outside the state of Washington and beyond traditional “Health Data.” This article explores the scope, obligations, and potential compliance concerns regarding the Act.
Who does the Act apply to?
The Act applies to any legal entity that: (a) conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling Consumer Health Data (“Regulated Entities”). Unlike several other state privacy laws, the Act does not exempt businesses based on size or collection volume; instead, it postpones by three months the date by which small businesses must come into compliance. To qualify as a Small Business, a company must: (a) collect, process, sell, or share the Consumer Health Data of fewer than 100,000 consumers in a calendar year; or (b) derive less than 50% of its gross revenue from collecting, processing, selling, or sharing Consumer Health Data, and control, process, sell, or share the Consumer Health Data of fewer than 25,000 consumers.
Further expanding the scope of the Act, the terms “collect” and “consumer” are both broadly defined. The definition of “collect” includes to “buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process Consumer Health Data in any manner.” This definition goes well beyond the traditional scope of collection and covers processing of any nature. Adding to this expanded definition, “consumer” is defined to include not just Washington residents but also any natural person whose Consumer Health Data is collected (or, as summarized above, processed) in Washington. While there is a carve-out for business-to-business and employee data, these expanded definitions amount to protections for any consumer whose Health Data is processed in Washington. The implications are sizeable, especially considering the numerous cloud service providers and other commonly used service providers based in Washington.
The Act includes a number of exceptions, including data already regulated by HIPAA, the Gramm-Leach-Bliley Act, Title XI of the Social Security Act, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and Washington’s Health Benefit Exchange, as well as certain health data used by health care related facilities or for specific health care purposes.
Who has enforcement and action rights?
Consistent with other U.S. privacy laws, the Act permits the state Attorney General to enforce violations of the Act. Consumers are also provided with a private right of action to seek damages for violations through Washington’s Consumer Protection Act. Consumers exercising that private right of action "must establish all required elements" of a Consumer Protection Act claim, and if they do, they may recover up to treble damages, subject to the Consumer Protection Act's predetermined cap per violation.
What is the timeline for compliance?
The Act requires Regulated Entities to comply starting March 31, 2024, and Small Businesses to comply by June 30, 2024. However, perhaps due to a drafting error, the geofencing requirements do not include a delayed effective date. This means that, under Washington law, the Geofencing prohibition could be considered to have taken effect on July 23, 2023, the default effective date 90 days after the end of the legislative session. This leaves limited time for businesses to come into compliance.
What data is covered?
"Personal Information" includes information that identifies, or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer. Personal Information includes persistent unique identifiers (e.g., cookies and IP addresses), but it does not include publicly available or de-identified information. "Consumer Health Data" includes Personal Information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status, including individual health conditions, treatments, diseases, and diagnoses; social, psychological, behavioral, and medical interventions; health-related surgeries or procedures; use or purchase of prescribed medication; bodily functions, vital signs, symptoms, or measurements; diagnoses or diagnostic testing, treatment, or medication; gender-affirming care; reproductive or sexual health information; biometric data; genetic data; precise location information that could “reasonably indicate” a consumer is seeking health care services; and information derived or extrapolated from non-health information. This expansive definition raises questions about real-world application across the breadth of covered categories and about how far beyond traditional health data the Act can reach.
What is required?
Notice and opt-in Consent for collecting and sharing of Consumer Health Data.
Under the Act, Regulated Entities are required to provide a robust privacy notice describing the collection, use, and disclosure of Consumer Health Data. “Consent” must be obtained for any collection (i.e., processing) of Consumer Health Data except when collection is necessary to provide a product or service that the consumer requests. This privacy notice must be linked from the homepage of a website, and it is unclear whether it can be combined with a traditional privacy notice. A business must obtain additional Consent before collecting, using, or sharing any category of Consumer Health Data not disclosed in the originally provided privacy notice.
Written authorization for sale of Consumer Health Data.
The Act requires Regulated Entities to obtain a "valid authorization" from the consumer before selling or offering to sell Consumer Health Data. This "valid authorization" must be separate and distinct from the Consent obtained to collect or share the Consumer Health Data and must include:
The specific Consumer Health Data concerning the consumer that the person intends to sell;
The name and contact information of the person collecting and selling the Consumer Health Data;
The name and contact information of the person purchasing the Consumer Health Data from the seller;
A description of the purpose for the sale, including how the Consumer Health Data will be gathered and how it will be used by the purchaser;
A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
A statement that the consumer has a right to revoke the valid authorization at any time and a description on how to submit a revocation of the valid authorization;
A statement that the Consumer Health Data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by this section;
An expiration date for the valid authorization that expires one year from when the consumer signs the valid authorization; and
The signature of the consumer and the date.
Absolute right to deletion.
Along with the rights common with comprehensive privacy laws, such as access and transparency, the Act provides consumers the right to request deletion of the consumer’s Consumer Health Data not just from a business’s records, but also from all parts of a business’s network, including archived or backup systems.
Restricted internal access.
Regulated Entities must restrict access to Consumer Health Data to only those employees, processors, and contractors for whom access is necessary to further the purposes for which the consumer provided Consent or to provide the product or service requested.
Prohibition on Geofencing.
The Act prohibits any person from implementing a "Geofence" around an entity that provides in-person health care services if the Geofence is used to (i) identify or track consumers seeking such services; (ii) collect Consumer Health Data from consumers; or (iii) send notifications or ads to consumers related to Consumer Health Data or health care services. A Geofence is defined as technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary.
What are some additional concerns?
Is compliance with a deletion request a lose-lose decision about which legal obligation to break?
Unlike other U.S. privacy laws, the Act does not provide a statutory exemption from a consumer's deletion request where another legal obligation requires the business to retain that same data. Therefore, if Consumer Health Data must be maintained under other laws, complying with a deletion request puts businesses in a difficult risk-analysis position. Additionally, it is unclear what ramifications could result from noncompliance with the deletion provision; however, noncompliance with other privacy laws has led to fines as well as mandated destruction of data and algorithms.
Is the result of violating a controller-processor agreement a minefield for processors?
The Act requires Regulated Entities to contractually bind processors to process Consumer Health Data only according to the Regulated Entity's instructions and to assist the Regulated Entity in fulfilling its obligations. However, if a processor fails to adhere to the scope of its obligations under the contract, the processor is treated as a Regulated Entity with regard to that Consumer Health Data and becomes subject to the Act. This means processors must process data strictly within the terms of their written contracts or risk violations related to privacy notices and Consent.
Is this the beginning of opt-in Consent for targeted advertisement?
The Act does not specifically address targeted advertising; however, because “sell” and “share” are defined similarly to the CCPA, it is possible that targeted advertising would likewise be interpreted under the Act as a "sale" of such information. If that interpretation is adopted, the valid authorization requirements discussed above would apply.