Washington state governor Jay Inslee signed the My Health, My Data Act (the Act) into law on April 27, 2023. Regulated entities are required to comply with most obligations from March 31, 2024, with small businesses required to comply from June 30, 2024. The prohibition on geofencing takes effect earlier, on July 23, 2023. The Act will be enforceable both by the Washington Attorney General’s Office and through a private right of action.
- Who is protected by the Act and what data is protected?
- Who is required to comply with the Act?
- What should persons, regulated entities, processors, affiliates, contractors and third parties do to comply?
Who is protected by the Act and what data is protected?
The Act protects as “consumers” Washington residents and also natural persons whose consumer health data is collected in Washington. Consumers are those who act only in an individual or household context; the definition excludes individuals acting in an employment context.
“Consumer health data” is protected. While this seems to limit the scope of this sectoral law, consumer health data means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future health status. The definition includes a non-exhaustive list of examples, notably including any information that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning). Personal information does not include publicly available information. Publicly available information, in turn, does not include any biometric data collected about a consumer by a business without the consumer’s consent. Biometric data includes imagery of the face from which an identifier template can be extracted.
The Act has both data-level and entity-level exclusions. As under the California Consumer Privacy Act (CCPA), the Act includes an exemption for deidentified data that applies only if the regulated entity or small business that possesses such data (a) takes reasonable measures to ensure that the data cannot be associated with a consumer, (b) publicly commits to process the data only in a deidentified fashion and not to attempt to reidentify it, and (c) contractually obligates any recipient to do the same. Other exemptions include an exemption for public or peer-reviewed research and exemptions for processing covered by existing health privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA).
Who is required to comply with the Act?
Notably, certain obligations apply to “any person”. “Person” includes, where applicable, natural persons, corporations, trusts, unincorporated associations, and partnerships. “Person” does not include government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of a government agency.
But most obligations apply to “regulated entities” and “small businesses”. A small business is a particular kind of regulated entity that gets three more months to come into compliance. A regulated entity means any legal entity that (a) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington, and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data. Regulated entity does not include government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of a government agency. A “small business” means a regulated entity that satisfies one or both of the following thresholds: (a) it collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or (b) it derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers. In the below, “regulated entities” refers also to small businesses.
“Processors” to regulated entities must assist the regulated entity with technical and organizational measures, process consumer health data only in a manner consistent with the binding instructions set forth in a contract with the regulated entity, and honor deletion requests. Processor means a person that processes consumer health data on behalf of a regulated entity. Because a processor is defined as a type of “person”, an organization that stays within the bounds of the processor role for a particular data processing activity should not be separately required to comply, for that activity, with the obligations under the Act that apply to “any person”. Note that this protection is lost for any processing that strays outside the regulated entity’s binding instructions, since the organization is then no longer acting as a processor for that activity.
Data deletion obligations also apply directly to affiliates, contractors, and other third parties.
What should persons, regulated entities, processors, affiliates, contractors and third parties do to comply?
No person should implement a geofence around health care facilities. It is unlawful for any person to implement a geofence around any entity that provides in-person health care services in order to identify, track, or collect data from a consumer who enters it, or to send that consumer notifications, messages, or advertisements related to the consumer’s health data. Geofence means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location. Because the geofence prohibition section of the Act does not include an effective date, it goes into effect 90 days after the end of the session in which it was passed, per Washington state’s default time frame, i.e. on July 23, 2023.
No person should sell consumer health data without signed authorization. It is unlawful for any person to sell, or offer to sell, consumer health data without first obtaining a valid signed authorization from the consumer, which must include prescribed information such as the purpose of the sale and a one-year expiration date for the authorization.[1] The authorization to sell must be separate and distinct from the consent obtained by a regulated entity to collect or share consumer health data. Selling means the exchange of consumer health data for monetary or other valuable consideration. Selling does not include an exchange with a third party as an asset in a merger or other similar transaction, or an exchange by a regulated entity with a processor when that exchange is consistent with the purpose for which the consumer health data was collected and disclosed to the consumer.
Regulated entities should obtain consent or document why collection or sharing of consumer health data is necessary. Regulated entities are prohibited from collecting and sharing consumer health data unless (i) the consumer gives prior consent or (ii) collecting or sharing the data is necessary to provide a product or service the consumer has requested from the regulated entity. If relying on consent, the regulated entity must obtain one consent for collection and a separate consent for sharing. The request for consent must disclose the categories of data collected or shared, the purpose of the collection or sharing, the categories of entities with whom the data is shared, and how the consumer can withdraw consent.
Regulated entities (and all organizations regardless of role) should implement security measures. Regulated entities shall implement technical and organizational measures that satisfy a reasonable standard of care within the regulated entity’s industry and shall restrict access to consumer health data to those with a need to know. In practice this means scoping access to consumer health data on a least-privilege basis and being able to show which roles hold that access and why.
Regulated entities (and other organizations too) should not discriminate. A regulated entity may not unlawfully discriminate against a consumer for exercising any rights under the Act.
The My Health, My Data Act imposes challenging compliance burdens on businesses, which need to determine whether they can leverage compliance with existing privacy laws. The broad definition of consumer that goes beyond Washington state residents, the broad definition of consumer health data, and the obligations that apply to any person may impose burdens on organizations that do not consider themselves to be doing business in the state of Washington or to be processing health data as more narrowly understood.
[1] The prescriptive authorization requirements are similar, but not identical, to the authorization requirements in California’s Confidentiality of Medical Information Act.