Washington State has enacted wide-reaching privacy rules in its My Health, My Data Act (House Bill 1155), signed into law on April 27, 2023, by Governor Jay Inslee.
Most of the obligations described in the Act take effect in 2024, on different dates depending on the size of the covered entity:
- March 31, 2024 – regulated entities (businesses other than small businesses); and
- June 30, 2024 – small businesses.
The geofencing prohibition (Sec. 10) was not deferred: it took effect on July 23, 2023, 90 days after the end of the legislative session.
The Act was explicitly introduced to give Washingtonians greater protection of their personal health information, and more control over how it is used, than the federal Health Insurance Portability and Accountability Act (HIPAA) provides. Much of the health data consumers generate (through apps, wearables, retailers and advertisers) falls outside HIPAA, and the Act is aimed at that gap.
The Act is also widely understood as a rapid, if implicit, response to the Supreme Court’s decision of June 24, 2022, in Dobbs v. Jackson Women’s Health Organization. Dobbs held that the US Constitution does not confer a right to abortion, overturning Roe v. Wade (1973) and Planned Parenthood v. Casey (1992) and leaving regulation of abortion to the states.
By design, My Health, My Data protects Washingtonians’ confidentiality when making decisions about their health and accessing healthcare services. It also offers protections for people who seek access to healthcare services for reproductive and gender-affirming care at clinics in Washington.
My Health, My Data: Summary of Consumer Privacy Rights
Washingtonians’ privacy rights are asserted in the legislative findings (Sec. 1) of House Bill 1155 (My Health, My Data), in the form in which it was sent to the legislature for a vote in April 2023:
- The people of Washington regard their privacy as a fundamental right and an essential element of their individual freedom
- Washington’s Constitution explicitly provides the right to privacy
- Information related to an individual’s health conditions or attempts to obtain healthcare services is among the most personal and sensitive categories of data collected.
Health information privacy rights are spelled out in the statement of intent (Sec. 2), which declares that the Act is meant to “provide heightened protections for Washingtonian’s health data” by:
- Right to opt-in or withdraw consent and right to know – “requiring additional disclosures and consumer consent regarding the collection, sharing, and use of such information”
- Right to delete – “empowering consumers with the right to have their health data deleted”
- Right to opt-out of sale – “prohibiting the selling of consumer health data without valid authorization signed by the consumer”
- Right not to be located or identified/tracked at a location – “making it unlawful to utilize a geofence around a facility that provides health care services”; and in Sec 10: “It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services”.
These privacy rights are further strengthened in other sections, which describe rights similar to those in the California Consumer Privacy Act (CCPA), including:
- Right not to be discriminated or retaliated against – “A regulated entity or a small business may not unlawfully discriminate against a consumer for exercising any rights included in this chapter” (Sec. 5 (1)(d))
- Private right of action – every violation of the Act is deemed an unfair or deceptive act in trade or commerce under Washington’s Consumer Protection Act (RCW 19.86), so enforcement actions can be brought by individual consumers as well as by the Attorney General. The My Health, My Data Act thereby joins the long list of practices enforced under Washington’s Unfair Business Practices–Consumer Protection laws; the page describes oversight of health data violations by a joint committee (see Sec. 13 of the My Health, My Data text).
Whose personal health information is covered by the Act?
The definition of a “Consumer” in Washington’s My Health, My Data Act is very broad. The definitions section (Sec. 3 (7)) states that “Consumer” means:
- (a) a natural person who is a Washington resident; or
- (b) a natural person whose consumer health data is collected in Washington.
It adds that “Consumer” means a natural person who acts only in an individual or household context, however identified, including by any unique identifier.
The one exclusion noted is that “Consumer” does not include an individual acting in an employment context.
So, while the stated intention of the Act is to “provide heightened protections for Washingtonian’s health data,” prong (b) means it can also reach people who live elsewhere if their health data is collected in Washington at any point by any organization. Residency is not the only trigger; where the data is collected matters too.
>>> For more detail on what this could mean for organizations handling personal health information, read the accompanying article in this series: Washington My Health, My Data Act: Implications.
What Personal Information is Covered by the Act’s Definition of Consumer Health Data?
The authors of the My Health, My Data text have evidently aimed to bring as many data categories as possible within the Act.
An extremely broad definition appears in Section 3 (8)(a): “Consumer health data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.
This definition is followed in Section 3 (8)(b) by a list of 13 examples of information that can identify a consumer’s physical or mental health status, several of which are further defined elsewhere in the text.
The list is not exhaustive: the text states that consumer health data “includes, but is not limited to,” these examples, so data outside the 13 categories can still qualify if it meets the definition in (8)(a).
Grouped by the context in which they are typically collected, the main categories of health data are:
- Data collected through health assessments – (i) individual health conditions, treatment, diseases, or diagnosis; (v) bodily functions, vital signs, symptoms, or measurements of the information described in the list; (vi) diagnoses or diagnostic testing, treatment, or medication; (xii) data that identifies a consumer seeking health care services
- Data collected during management of health concerns – (ii) social, psychological, behavioral, and medical interventions; (iii) health-related surgeries or procedures; (iv) use or purchase of prescribed medication; (xii) data that identifies a consumer seeking health care services
- Data collected at any stage of gender-affirming care – (iii) health-related surgeries or procedures; (vii) gender-affirming care information; (xi) precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; (xii) data that identifies a consumer seeking health care services; (xiii) any data derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning)
- Data related to reproductive and sexual health (including information related to abortion) – (iii) health-related surgeries or procedures; (viii) reproductive or sexual health information; (xi) precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; (xiii) any data derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning)
- Data containing unique biological identifiers, namely (ix) biometric data and (x) genetic data – biometric data is further defined in Sec. 3 (4) as data generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics that identifies a consumer, whether individually or in combination with other data. Beyond familiar biometrics such as iris/retina scans, fingerprints and facial imagery, the definition also covers identifying measures of movement, such as how a person interacts with computer systems (keystroke patterns or rhythms) and how they walk (gait patterns or rhythms)
- Data inferred from activity that is not itself health data – (xiii) any data derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning). This category deserves particular attention from anyone running analytics, advertising or user-experience tracking: an inference about health status drawn from ordinary browsing, purchase or location data is consumer health data under the Act, even though none of the underlying inputs was health data.
Exceptions for health information under HIPAA and other laws
The main exclusions are for health data already covered by other laws. Section 3 (8)(c) states that “Consumer health data” does not include:
- Protected health information that is subject to HIPAA
- Personal information used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest (provided it complies with the applicable ethics, privacy and government oversight laws)
- Clinical trial information (provided it complies with all laws applicable to clinical trials).
Note that these are exclusions for specific data, not for organizations: a HIPAA covered entity that also collects health data outside its HIPAA-regulated activities (for example through a consumer app or website) is not automatically exempt for that data.
Learn more about the implications of the Washington My Health, My Data Act
TrustArc’s privacy experts are committed to helping organizations get on top of new privacy rules and compliance obligations efficiently and effectively. The following resources will help you get up to speed with the implications of the Washington My Health, My Data Act:
Listen to TrustArc’s Serious Privacy podcast episode, My Health, My Data, My Goodness, in which Dr K Royal, Paul Breitbarth and Mike Hintze discuss the strengths and concerns of this Act and what your business may need to know.
Read the accompanying articles in this series, Washington My Health, My Data Act: Implications and Washington My Health, My Data Act: Obligations, in which TrustArc experts examine the potential effects of the Act’s new privacy rules, including how its private right of action could trigger waves of litigation.