Washington’s My Health My Data Act was signed into law on April 27, 2023, by Governor Jay Inslee.
The Act is designed to deliver stronger protections of personal information in health data and close a gap for health data not covered by HIPAA.
The effective dates for the Act are based on the size of an organization:
- March 31, 2024 – large businesses
- June 30, 2024 – small businesses (see below for more information on the thresholds for organizations to be defined as ‘small businesses’)
As the Act includes broad definitions for ‘consumer,’ ‘regulated entity,’ and ‘consumer health data,’ its impact will expand well beyond Washington State.
Which organizations are covered by the Washington My Health My Data Act?
Some of the definitions in the Act are so broad they could cover a wide range of organizations well beyond the traditional healthcare sector.
The text specifically calls out organizations that aren’t already covered entities or business associates under HIPAA in Section 2, noting that while “Washingtonians expect their health data to be protected by privacy laws such as HIPAA,” the legislature in the State has deemed some personal health information isn’t adequately protected due to HIPAA’s definitions of health data and covered entities:
“However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections.”
Arguably, the Washington My Health My Data Act is effectively a wide-reaching data privacy act in all but name, as the very next section in the text – Section 3(23) – broadly defines a “Regulated entity” as any legal entity that:
- (a) Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
- (b) Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.
By the definitions above, some small businesses are defined as ‘regulated entities’ if they collect, process, sell or share consumer health data. The thresholds allowing them to be defined as ‘small businesses’ are determined by the number of consumers they deal with:
- less than 100,000 consumers’ personal health information collected, processed, sold or shared in a calendar year; or
- less than 25,000 consumers’ personal health information controlled, processed, sold or shared – and the organization derives less than 50 per cent of its gross revenue from collecting, processing, selling or sharing consumer health information.
Which organizations are excluded?
The exclusions are outlined in Section 3(23)(b): “Regulated entity” does not mean government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.
Although it is clear the intent of Washington’s My Health My Data Act is to target “certain apps and websites”, it is not clear which other kinds of organizations might be in scope further along the data collection chain.
The text contains multiple mentions of “affiliates, processors, contractors and third parties with whom the regulated entity or the small business has shared consumer health data”, which suggests organizations processing consumer health data at any stage could be in scope. But this could also cover the Washington presences of cloud hosting providers like Amazon and Microsoft, which deliver online services on behalf of a huge range of health-related websites, apps and devices. It could also cover a big range of other technology vendors with a Washington presence.
Therefore, we strongly recommend your organization gets advice on how the Act might apply to your data management activities.
Commentary: My Health My Data could trigger waves of litigation
TrustArc lawyer Andrew Scott notes Washington’s My Health My Data Act has profound implications for organizations of all sizes, particularly those that have not had to comply with HIPAA:
- Do not assume the Act does not apply to your organization – “In an effort to protect non-HIPAA-covered consumer health data (such as data from popular apps and wearable devices) and reproductive health care data, the law will impact a very wide range of companies and consumers within and outside Washington State – consumers in any State or even in the EU could have rights under the Act.”
- The definition of ‘consumer health data’ is very broad – “Consumer health data under the Act is personal information that identifies the consumer’s past, present, or future physical or mental health status – and though it excludes data collected by HIPAA, it includes 13 non-exhaustive categories of health and health-related data, with specific callouts for cookies, IP addresses, device IDs and other types of unique identifiers. It is much more than a health law: it’s arguably more sweeping and prescriptive, which makes it the most consequential State law since CCPA.”
- Get compliance and legal advice well before the Act takes effect – “A Private Right of Action is provided by Washington’s Consumer Protection Act for any violation of the My Health My Data Act. This makes its scope much broader than CCPA, which only provides a Private Right of Action for individuals after a data breach. The people of Washington see privacy as a fundamental right – and unlike some other State laws, My Health My Data is very plaintiff-friendly.”