On Monday, April 17, the Washington House passed an amended version of the My Health My Data Act (HB 1155) (the "Act"), a bill that would impose sweeping new requirements on the collection, processing, and sale of consumer health data in the state. The Act had been passed by the Senate on April 5 and now moves to Governor Jay Inslee's desk for signature.

If enacted, the My Health My Data Act would constitute a major development in the U.S. privacy law landscape. While we have seen an increased interest in the regulation of health data by the Federal Trade Commission, the My Health My Data Act would represent a novel step towards regulating health data at the state legislative level. And the Act's impact would be significant. The bill applies broadly in terms of the consumers that it protects, the entities that it regulates, and the types of health data and health data transactions within its scope. Further, the bill offers not just breadth, but also depth, imposing robust requirements on the collection, sharing, and sale of consumer health data, including separate affirmative opt-in consent requirements for collection and sharing, as well as a distinct requirement for "valid authorization" of sale. Most importantly, the law would be enforceable through a private right of action — potentially exposing regulated businesses to substantial legal exposure for violations.

In this post, we identify notable takeaways from the My Health My Data Act and summarize the bill's key provisions. We are happy to answer any questions you have about the My Health My Data Act and its potential implications for your data privacy compliance program.

KEY TAKEAWAYS

Expanding on the HIPAA Framework: The Act explicitly describes itself as supplementing the limited protections for health data offered by HIPAA. As the statute points out in its statement of legislative findings — and as we have previously observed on this blog — though many people "expect that their health data is protected under laws like [HIPAA]," the reality is that HIPAA only applies to health data collected by certain types of health care entities, such as health care providers. Notably excluded from the HIPAA framework, for example, is health data collected by many health-related apps and websites. The Act, then, "works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections" for consumer health data.

KEY PROVISIONS

Key provisions of the My Health My Data Act include:

Scope and Applicability

Consumer Health Data: Defines "consumer health data" as "personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health." Enumerates a non-exhaustive list of types of consumer health data, including health conditions, procedure histories, and medication purchases, as well as gender-affirming care information, reproductive and sexual health information, biometric and genetic data, "[p]recise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies," and health information "derived or extrapolated from nonhealth information."

Protected Consumers: "Consumers" protected by the statute include Washington residents and any person "whose consumer health data is collected in Washington."

Regulated Entities: Regulated entities include any entity that (1) conducts business in Washington or targets products or services to Washington consumers and (2) determines the purpose and means of collecting, processing, sharing, or selling consumer health data.

Substantive Provisions

Consumer Health Data Privacy Policies: Requires that regulated entities maintain and publish consumer health data privacy policies that disclose: (1) categories of consumer health data collected and the purpose for which such data is collected (including how the data will be used); (2) categories of sources from which the consumer health data is collected; (3) categories of consumer health data shared; (4) categories of third parties and affiliates with whom the entity shares consumer health data; and (5) how a consumer can exercise relevant rights under the Act.

Enforcement