The Washington My Health My Data Act was passed in April 2023 to expand privacy protections for personal health data. Thus far, only the Act’s geofencing requirements have been enforceable. On March 31, 2024, the Act’s remaining stringent requirements will come into full force for all organizations subject to the law, save for small businesses who have until June 30, 2024 to comply. Unlike other privacy laws, the Act sets no minimum number of data subjects or revenue threshold.
What is the Act?
The Act gives consumers certain privacy rights and protections with respect to their health data. It was intended to cover consumer health data outside the scope of the Health Information Portability and Accountability Act (HIPAA) and prevent the collection and sharing of such data without consent. The Act defines consumer health data broadly as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”
The Washington Attorney General may enforce the Act under the state’s Consumer Protection Act, which also grants a private right of action for consumers to seek damages for suspected violations.
Who is subject to the Act?
As described on the Washington State Attorney General’s website:
“Generally, all persons and businesses that conduct business in Washington (or provide services or products to Washington), and that collect, process, share, or sell consumer health data are impacted by the Act.”
There are a number of key exceptions. For example, government agencies, tribal nations, and their contracted service providers are not subject to the law. Employee data, B2B data, and certain health information covered by existing laws and regulations also fall outside its scope. Note, however, that HIPAA-covered entities and business associates may be subject to the law and should take care to understand how the Act might apply.
What are the Act’s requirements?
At a high level, those subject to the law must:
- Maintain a conspicuous, accessible consumer health data privacy policy that includes various disclosures regarding the consumer’s rights, and describes the organization’s collection, use, and sharing of consumer health data.
- Obtain a consumer’s opt-in consent prior to collecting, sharing, or use of consumer health data, unless such processing is “necessary.” Such consent must be freely given, specific, informed, voluntary, and unambiguous; which means, for example, separate consents must be obtained for the collection of consumer health data and for the sharing of that consumer health data.
- Obtain a consumer’s valid authorization to sell, or offer to sell, consumer health data, and carry out such activities strictly in accordance with the Act.
- Honor the consumer’s privacy rights, including rights to access and delete data and withdraw consent, without undue delay and in accordance with the Act.
- Implement and maintain administrative, technical, and physical data security practices, which include restricting access to consumer health data to essential employees and third parties.
- Enter into and adhere to detailed and specific data processing agreements to, (1) in the case of those directly regulated by the Act, lawfully transfer consumer health data to a processor (or service provider); and (2) in the case of a processor, lawfully process consumer health data under the Act. A deviation in performance may change a person or organization’s obligations under the Act.
- Set geofencing limitations to prevent the tracking of individuals, sending of communications, and collection of consumer health data at locations where consumers receive in-person health care services.
How should businesses respond?
For those subject to the Act, now is the time to assess your readiness. Review the Act’s requirements to identify compliance gaps that should be addressed. For those who are unsure of the Act’s applicability or desire more information, please visit the Washington Attorney General’s website or speak with an attorney. We’ll be tracking developments related to the Act, as well as other changes in the legal landscape that may affect the healthcare industry at large.
This article summarizes aspects of the law and does not constitute legal advice. For legal advice for your situation, you should contact an attorney.
Sign up