Legislative activity in the U.S. state of Washington continues this year with numerous bills being considered. Businesses that process health data should follow the process of House bill 1155 (the My Health, My Data Act), which has been amended once and was approved in the House Committee on Civil Rights & Judiciary hearing on February 3, 2023.

Who and what data are protected?

The My Health, My Data Act protects as “consumers” Washington residents and natural persons whose consumer health data is collected in Washington. Consumers are those who act only in an individual or household context and excludes individuals acting in an employment context.

Consumers’ health data is protected and means personal information that is linked or reasonably linkable to a consumer and relating to health, as broadly understood. The definition includes a non-exhaustive list of examples including location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies and health data that is derived from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).

The act includes an exemption for public or peer-reviewed research. The act also has exemptions for processing covered by existing health privacy laws including the Health Insurance Portability and Accountability Act (HIPAA).

Who must comply?

Certain obligations apply to “any person”. Person shall include, where applicable, natural persons, corporations, trusts, unincorporated associations, and partnerships. “Person” does not include government agencies, tribal nations, or contracted services providers when processing consumer health data on behalf of a government agency.

But most obligations apply to “regulated entities”, which means any legal entity that (a) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington, and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. Regulated entity does not mean government agencies, tribal nations, or contracted services providers when processing consumer health data on behalf of the government agency.

“Processors ” to regulated entities must assist the regulated entity with technical and organizational measures and only process consumer health data in a manner consistent with the binding instructions set forth in a contract with the regulated entity. Processor means a person that processes consumer health data on behalf of a regulated entity.

How to comply?

Obtain consent or document why collection or sharing of consumer health data is strictly necessary. Collecting and sharing consumer health data is prohibited unless (i) a consumer gives prior consent or (ii) collecting or sharing the data is necessary to provide a product or service the consumer has requested from the regulated entity. If relying on consent, the regulated entity must obtain one consent for collection and one consent for sharing. The request for consent must disclose the categories of data collected or shared, the purpose of the collection or sharing, the categories of entities with whom the data is shared and how the consumer can withdraw consent.

Include new disclosures in your website privacy policy or create a new dedicated policy. Regulated entities shall maintain a consumer health data privacy policy on its homepage that includes enumerated information such as the categories of consumer health data collected, processing purposes, the categories of consumer health data that is shared, how a consumer can exercise data subject rights, and a list of the categories of third parties and specific affiliates with whom the regulated entity shares the consumer health data. Collecting, using, or sharing additional categories of consumer health data, not disclosed in the consumer health privacy policy, requires prior affirmative consumer consent.

Don’t sell consumer health data without signed authorization. It is unlawful for any person to sell, or offer to sell, consumer health data without first obtaining valid signed authorization, which must include prescribed information such as the purpose for the sale and a one year expiration date of the authorization, from the consumer[1]. Selling means sharing for monetary or other valuable consideration. Selling does not include sharing with a third party as an asset in a merger or other similar transaction, or by a regulated entity to a processor when such sharing is consistent with the purpose for which the consumer health data was collected and disclosed to the consumer.

Don’t implement a geofence around health care facilities. It is unlawful for any person to implement a geofence to identify, track, collect data from, or send notifications or messages to a consumer that enters any entity that provides in-person health care services.

Honor authenticated data subject requests. Consumers have a right to confirm if a regulated entity is collecting, sharing, or selling consumer health data concerning the consumer and to access such data including a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact these third parties, the right to withdraw consent, and the right to have consumer health data concerning the consumer deleted. A regulated entity that receives a consumer’s request to delete shall without unreasonable delay and no more than 30 calendar days from authenticating the request delete the data and notify all affiliates, processors, contractors and other third parties of the request. All affiliates, processors, contractors and other third parties shall honor the deletion request. A regulated entity shall respond to the consumer without undue delay, but in all cases within 45 days of receipt. The period for a substantive response may be extended by an additional 45 days when reasonably necessary. A regulated entity shall establish an appeals process for consumers to appeal the entity’s refusal to take action on a request. Such appeals process must be conspicuously available. If the appeal is denied, the regulated entity shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.

Sign contracts with processors/service providers. Processors may process consumer health data only pursuant to a binding contract between the processor and the regulated entity that sets forth the processing instructions and limit the actions the processor may take. If a processor fails to adhere to the regulated entity’s instructions or processes consumer health data in a manner that is outside the scope of the processor’s contract with the regulated entity, the processor is considered a regulated entity.

Implement security measures. Regulated entities shall implement technical and organizational measures that satisfy reasonable standard of care with the regulated entity’s industry and restrict access to consumer health data to those with a need to know.

Don’t discriminate. A regulated entity may not unlawfully discriminate against a consumer for exercising any rights under the act.

Outlook

If passed, the My Health, My Data Act will impose challenging compliance burdens on businesses that will need to determine if they can leverage compliance with existing privacy laws including the California Consumer Privacy Act in California.


[1] The prescriptive authorization requirements are similar, but not identical, to authorization requirements in California’s Confidentiality of Medical Information Act.