Organizations subject to the Washington State My Health My Data Act (generally any organization with physical premises in Washington, and many organizations without it) are preparing for compliance by March 31, 2024. And should, in addition to the overall compliance requirements and immediate action items, be aware that the Washington Attorney General updated its guidance on the requirements for a consumer health privacy policy. Section 4(1)(b) of the My Health My Data Act explicitly provides…
If your organization does business across the U.S. and collects consumer health data (broadly defined, health inferences generated from non-health data count), compliance with U.S. state consumer health privacy laws is just around the corner. Consumer health privacy laws in Nevada (Senate Bill 370) and Washington (the My Health My Data Act) become fully operative for regulated entities on March 31, 2024. Requirements specific to consumer health data are already operative in Connecticut. Here are…
In brief On October 8, 2023, California Governor Gavin Newsom signed two bills into law amending the California Consumer Privacy Act (CCPA). AB 947 classifies citizenship and immigration status as “sensitive personal information” subject to special protections under the CCPA, while AB 1194 strengthens reproductive privacy rights. Both bills carried the unanimous endorsement of the California Privacy Protection Agency. Details for each bill are described below followed by actionable guidance businesses can take to prepare…
Beyond the statutory text of the new Washington state My Health My Data Act, the Washington Attorney General has published Frequently Asked Questions (FAQs) and will update such FAQs periodically. Some of the FAQs provide insight into possible interpretations of the law’s provisions that are summarized below. For a broader overview of the My Health My Data Act, see here. 1. Businesses located outside of the state of Washington that only store data in Washington…
So far this year, three US states have passed laws with specific obligations related to consumer health privacy law: Washington, Connecticut, and Nevada. When it comes to California, the omnibus California Consumer Privacy Act (CCPA) applies also to the processing of health information. But, if the sectoral Confidentiality of Medical Information Act (CMIA) applies and is complied with, CMIA, and not the CCPA, applies. Most companies that do business in California are subject to CMIA,…
With the new Washington state My Health My Data Act, you may wonder if any exceptions or exemptions apply to your organization (for an overview of the law, see here). As a reminder, the definition of consumer health data is broad: “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status” (the definition includes as an enumerated example any information…
The Connecticut Data Privacy Act (CTDPA) is operative since July 1, 2023, and so are certain amendments that were signed into law as recently as June 26th, 2023. The amendments focus on protecting consumer health data and protecting minors, with additional consumer health data protections already operative but with some obligations related to minors becoming operative mid to late 2024. Additional Obligations for Processing Consumer Health Data As other omnibus US state privacy laws, the…
Washington state governor Jay Inslee signed the My Health, My Data Act (the Act) into law on April 27, 2023. Regulated entities are required to comply with most obligations from March 31, 2024 with small businesses being required to comply from June 30, 2024. Prohibitions on geofencing are operative already on July 23, 2023. The Act will be enforceable both by the Washington Attorney General’s Office and through a private right of action. Who is…
Legislative activity in the U.S. state of Washington continues this year with numerous bills being considered. Businesses that process health data should follow the process of House bill 1155 (the My Health, My Data Act), which has been amended once and was approved in the House Committee on Civil Rights & Judiciary hearing on February 3, 2023. Who and what data are protected? The My Health, My Data Act protects as “consumers” Washington residents and…
The UK’s Health Research Authority (HRA) has unveiled new guidance which signposts the three essential steps to access health and care data for research purposes. The guidance delves into a point that researchers often miss: the common law duty of confidentiality runs in parallel to data privacy laws, and each regime needs to be considered separately to ensure data access requests can stand up to regulatory scrutiny. Step 1: Scoping – What are the data…