Washington State's My Health My Data Act (the Act), which is working its way through the reconciliation process after the Washington Senate and House passed different versions of the Act, is ultimately expected to be signed into law by Governor Jay Inslee this year. This privacy law differs from other recent state privacy legislation in that it is singularly focused on non-Health Insurance Portability and Accountability Act (HIPAA)-regulated consumer health data. Moreover, the bill contains provisions applicable to processors and even third parties who may come into contact with a broadly defined set of "consumer health data," not just those companies operating healthcare-adjacent businesses. The Act could have a significant impact on advertisers, mobile app providers, wearable device manufacturers and, of course, healthcare companies and their data processors handling non-HIPAA-regulated health information. Below, we examine several key aspects of the Act that are similar in both the House and Senate versions of the bill.
The Act will apply to any entity, including nonprofits, that conducts business in Washington, or that provides products and services to consumers in Washington, and alone or jointly with others determines the purpose and means of collecting, processing, sharing or selling consumer health data. For purposes of the Act, a "consumer" does not include an individual acting in an employment or business-to-business context.
WHAT IS "CONSUMER HEALTH DATA"?
The Act defines "consumer health data" as personal information (as defined by the Act, and which expressly includes "Cookie ID," picking up on recent Office for Civil Rights guidance and Federal Trade Commission (FTC) enforcement actions regarding the use of ad tech by healthcare entities and digital health services) that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. Consumer health data specifically includes:
- Individual health conditions, treatment, diseases or diagnoses;
- Social, psychological, behavioral and medical interventions;
- Health-related surgeries or procedures;
- Use or purchase of prescribed medication;
- Bodily functions, vital signs, symptoms or measurements of the information expressly identified in the definition of consumer health data;
- Diagnoses or diagnostic testing, treatment or medication;
- Gender-affirming care information (as defined by the Act);
- Reproductive or sexual health information (as defined by the Act);
- Biometric data (as defined by the Act);
- Genetic data (as defined by the Act);
- Precise location information (as defined by the Act) that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;
- Data that identifies a consumer seeking healthcare services (as defined by the Act); and
- Any information that a regulated entity, or its respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred or emergent data by any means, including algorithms or machine learning).
Importantly, the Act defines healthcare services broadly to mean any service provided to a person to assess, measure, improve or learn about a person's mental or physical health. As a result, businesses providing services ancillary to clinical care, such as nutrition programs or social care services, or facilitating connections between consumers and such service providers, could have responsibilities under the Act.
EXEMPTIONS AND CARVE-OUTS
As with other state consumer privacy laws, the Act has several entity-type and data-type exemptions. For example, the Act will not apply to:
- Government agencies, tribal nations or contracted service providers when processing consumer health data of a governmental agency;
- Protected Health Information (PHI) governed by HIPAA, information intermingled with PHI maintained by HIPAA-regulated entities, and health records governed by or created pursuant to other healthcare-related state and federal laws (e.g., 42 CFR part 2, UHCIA, federal regulations regarding human subjects research, and federal and state peer review laws, public health reporting requirements, patient safety and other healthcare quality improvement activities); and
- Data regulated by the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Administrative Simplification provisions of the Social Security Act (42 U.S.C. 1320d et seq.), Family Educational Rights and Privacy Act, statutes and regulations applicable to the Washington Health Benefit Exchange and certain privacy rules adopted by the Washington Office of the Insurance Commissioner.
The Act does not apply to "deidentified data," which is defined as data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such a consumer, so long as the regulated entity or the small business that possesses such data (1) takes reasonable measures to ensure that such data cannot be associated with a consumer, (2) publicly commits to process such data only in a deidentified fashion and not attempt to reidentify such data and (3) contractually obligates recipients of such data to satisfy criteria described in (1) – (3).
DATA CONTROLLER OBLIGATIONS
The Act will require regulated companies—even those already subject to other state consumer privacy laws—to add still more privacy disclosures to their website, and take additional steps to, for example, obtain consent from customers when handling their consumer data. Specifically, the Act will require regulated companies to:
- Except for limited circumstances, obtain a consumer's consent before collecting or sharing consumer health data. "Sharing" as used in the Act means the disclosure of any health data to a third party or to a corporate affiliate, with certain limited exceptions to, for example, fulfill the request of a consumer;
- Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect consumer health data, including internal enterprise-wide access controls designed to restrict access to consumer health data only to those employees, processors or contractors that need access to further the purposes of the collection; and
- Enter into a written contract with data processors related to their use of consumer health data.
OTHER KEY RESTRICTIONS
In addition to the obligations imposed on regulated entities, the Act also contains provisions that make it unlawful for any person or entity to:
- Sell consumer health data without first obtaining authorization that is written in plain language, contains the information specified by the Act, and is separate from consent obtained to collect or share consumer health data in the first place; and
- Implement a geofence around an entity that provides in-person healthcare services, if the geofence is used to (1) identify or track consumers seeking healthcare services; (2) collect consumer health data from consumers; or (3) send notifications, messages or advertisements to consumers related to their consumer health data or healthcare services.
Consumers have a number of privacy rights under the Act, including the right to:
- Confirm whether a regulated entity is collecting, sharing or selling consumer health data;
- Access consumer health data, including a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data;
- Withdraw consent from the regulated entity's collection and sharing of consumer health data;
- Have consumer health data deleted; and
- Appeal a regulated entity's refusal to act on one of the consumer's rights above.
New in the Act is a requirement that data on archived or backup systems must be deleted within six months of the deletion request, without any exceptions. This will likely cause operational headaches and potentially be commercially or technically infeasible for many companies. For all other requests and consumer appeals, regulated entities must act on a request without undue delay and within 45 days (and subject to a one-time 45-day extension). And any verified consumer request must also be pushed downstream to all service providers, contractors, third parties and affiliates.
AG ENFORCEMENT AND PRIVATE RIGHT OF ACTION
Violations of the Act are enforceable under the Washington Consumer Protection Act (CPA) as unfair or deceptive acts in trade or commerce and unfair methods of competition. The CPA may be enforced by the Washington Attorney General. However, the Act also permits a private right of action for aggrieved consumers. Civil penalties for unfair or deceptive trade acts and unfair competition under the CPA can rise to $7,500 per violation but can also include treble damages, capped at $25,000, in civil actions brought by consumers.
ISSUES TO BE RESOLVED
While the House and Senate versions of the bill are substantially similar, a few key issues still need to be resolved through reconciliation.
- The House version would take effect 90 days after the current legislative session expires, which would be late July 2023, while the Senate version would take effect on March 31, 2024.
- The Senate bill includes a limited small business exemption while the House bill does not. Under the Senate version, entities that (1) collect, process, sell or share consumer health data of fewer than 100,000 consumers (defined as either Washington residents or an individual whose health data is collected in Washington) during a calendar year, or (2) control, process, sell or share consumer health data of fewer than 25,000 consumers and derive less than 50% of gross revenue from the collection, processing, selling or sharing of consumer health data, are considered "small businesses" and would not be required to comply with the Act until June 30, 2024.
Given the Act's broad scope and applicability, many businesses may for the first time need to implement compliance activities regarding the collection, use and disclosure of consumer health data and responding to consumer rights requests. This will include posting another privacy disclosure on websites, creating new consent and authorization forms, implementing internal firewalls to limit access to data and evaluating the feasibility of compliance with, e.g., the Act's onerous deletion requirements.