Washington state governor Jay Inslee signed the My Health, My Data Act (the Act) into law on April 27, 2023. Regulated entities are required to comply with most obligations from March 31, 2024 with small businesses being required to comply from June 30, 2024. Prohibitions on geofencing are operative already on July 23, 2023. The Act will be enforceable both by the Washington Attorney General’s Office and through a private right of action.
Who is protected by the Act and what data is protected?
The Act protects as “consumers” Washington residents and also natural persons whose consumer health data is collected in Washington. Consumers are those who act only in an individual or household context and excludes individuals acting in an employment context.
“Consumer health data” is protected. While this seems to limit the scope of this sectoral law, consumer health data means personal information that is linked or reasonably linkable to a consumer and reasonably linkable to past, present, or future health status. The definition includes a non-exhaustive list of examples including notably any information that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning). Personal information does not include publicly available information. Publicly available information does not include any biometric data collected about a consumer by a business without the consumer’s consent. Biometric data includes imagery of the face from which an identifier template can be extracted.
The Act has both data and entity level exclusions. Similarly to the California Consumer Privacy Act (CCPA), the Act includes an exemption for deidentified data that only applies if a regulated entity or small business that possesses such data takes reasonable measures to ensure that such data cannot be associated with a consumer, publicly commits to process such data only in a deidentified fashion and not attempt to reidentify such data and contractually obligates any recipient to do the same. Other exemptions include an exemption for public or peer-reviewed research and exemptions for processing covered by existing health privacy laws including the Health Insurance Portability and Accountability Act (HIPAA).
Who is required to comply with the Act?
Notably, certain obligations apply to “any person”. Person shall include, where applicable, natural persons, corporations, trusts, unincorporated associations, and partnerships. “Person” does not include government agencies, tribal nations, or contracted services providers when processing consumer health data on behalf of a government agency.
But most obligations apply to “regulated entities” and “small businesses”. A small business is a particular kind of regulated entity that gets 3 more months go get into compliance. A regulated entity means any legal entity that (a) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington, and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. Regulated entity does not mean government agencies, tribal nations, or contracted services providers when processing consumer health data on behalf of the government agency. A “small business” means a regulated entity that satisfies one or both of the following thresholds: (a) collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or (b) derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers. In the below, “regulated entities” refers also to small businesses.
“Processors ” to regulated entities must assist the regulated entity with technical and organizational measures, only process consumer health data in a manner consistent with the binding instructions set forth in a contract with the regulated entity, and honor deletion requests. Processor means a person that processes consumer health data on behalf of a regulated entity. Because processor is defined as a type of “person”, if an organization stays within the bounds of a processor role for a particular data processing activity it should not be required to separately comply with the obligations under the Act that apply to “any person” for such activity.
Data deletion obligations apply directly also to affiliates, contractors, and other third parties.
What should persons, regulated entities, processors, affiliates, contractors and third parties do to comply?
No person should implement a geofence around health care facilities. It is unlawful for any person to implement a geofence to identify, track, collect data from, or send notifications or messages or advertisements related to a consumer’s health data to, a consumer that enters any entity that provides in-person health care services. Geofence means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location. Because the geofence prohibition section in the Act does not include an effective date, it goes into effect 90 days after the end of the session in which it was passed, per Washington state’s default time frame, on July 23, 2023.
No person should sell consumer health data without signed authorization. It is unlawful for any person to sell, or offer to sell, consumer health data without first obtaining valid signed authorization, which must include prescribed information such as the purpose for the sale and a one year expiration date of the authorization, from the consumer1. The authorization to sell must be separate and distinct from the consent obtained by a regulated entity to collect or share consumer health data. Selling means for the exchange of consumer health data for monetary or other valuable consideration. Selling does not include an exchange with a third party as an asset in a merger or other similar transaction, or by a regulated entity to a processor when such exchange is consistent with the purpose for which the consumer health data was collected and disclosed to the consumer.
Regulated entities should obtain consent or document why collection or sharing of consumer health data is necessary. Regulated entities are prohibited from collecting and sharing consumer health data unless (i) a consumer gives prior consent or (ii) collecting or sharing the data is necessary to provide a product or service the consumer has requested from the regulated entity. If relying on consent, the regulated entity must obtain one consent for collection and one consent for sharing. The request for consent must disclose the categories of data collected or shared, the purpose of the collection or sharing, the categories of entities with whom the data is shared and how the consumer can withdraw consent.
Regulated entities should include new disclosures in their website privacy policy/notice or create a new dedicated policy. Regulated entities shall maintain a consumer health data privacy policy on its homepage that includes enumerated information such as the categories of consumer health data collected, processing purposes, the categories of consumer health data that is shared, how a consumer can exercise data subject rights, and a list of the categories of third parties and specific affiliates with whom the regulated entity shares the consumer health data. Collecting, using, or sharing additional categories of consumer health data, not disclosed in the consumer health privacy policy, requires prior affirmative consumer consent.
Regulated entities, processors, affiliates, contractors and third parties should honor authenticated data subject requests. Consumers have a right to confirm if a regulated entity is collecting, sharing, or selling consumer health data concerning the consumer and to access such data including a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact these third parties, the right to withdraw consent, and the right to have consumer health data concerning the consumer deleted. A regulated entity that receives a consumer’s request to delete shall delete the data and notify all affiliates, processors, contractors and other third parties of the request. All affiliates, processors, contractors and other third parties are required to honor the deletion request. A regulated entity shall respond to the consumer without undue delay, but in all cases within 45 days of receipt. The period for a substantive response may be extended by an additional 45 days when reasonably necessary. A regulated entity shall establish an appeals process for consumers to appeal the entity’s refusal to take action on a request. Such appeals process must be conspicuously available. The website privacy policy/notice could be considered as the place to make it available, especially if a regulated entity is also required to comply with other U.S. state laws with a similar requirement, such as the Virginia Consumer Data Protection Act. If the appeal is denied, the regulated entity shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.
Regulated entities and processors should sign contracts. Processors may process consumer health data only pursuant to a binding contract between the processor and the regulated entity that sets forth the processing instructions and limit the actions the processor may take. These requirements are not as prescriptive as some other laws and organizations should be able to leverage their existing contract(s). If a processor fails to adhere to the regulated entity’s instructions or processes consumer health data in a manner that is outside the scope of the processor’s contract with the regulated entity, the processor is considered a regulated entity. Contracting with a processor to process consumer health data in a manner that is inconsistent with the regulated entity’s privacy policy is a separate violation under the Act.
Regulated entities (and all organizations regardless of role) should implement security measures. Regulated entities shall implement technical and organizational measures that satisfy reasonable standard of care with the regulated entity’s industry and restrict access to consumer health data to those with a need to know.
Regulated entities (and other organizations too) should not discriminate. A regulated entity may not unlawfully discriminate against a consumer for exercising any rights under the Act.
Outlook
The My Health, My Data Act imposes challenging compliance burdens on businesses that need to determine if they can leverage compliance with existing privacy laws. The broad definition of consumer that goes beyond Washington state residents, the broad definition of consumer health data, and certain obligations applying to any person may impose burdens on organizations that do not consider themselves as doing business in the state of Washington or processing health data as more narrowly understood.
1The prescriptive authorization requirements are similar, but not identical, to authorization requirements in California’s Confidentiality of Medical Information Act.
