19 April 2023

Washington state passes My Health My Data Act

Sweeping legislation upends how companies handle non-HIPAA-regulated health information
On April 17, 2023, Washington state lawmakers passed the My Health My Data Act, which significantly expands privacy protections for Washington consumers' health data and includes a broad private right of action. The Act applies to consumer health information that is not covered by health privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA).

The Act is widely expected to be signed into law by Washington Governor Jay Inslee and will have significant implications for how a wide range of businesses collect, share, and sell consumer health data. Once enacted, certain provisions of the Act will take effect as early as July 2023, while others will not take effect until March 31, 2024, for most regulated businesses (and June 30, 2024 for small businesses).

The expansive definition of “consumer health data,” far-reaching substantive obligations, and broad private right of action are likely to make compliance especially critical for companies that handle health information not regulated by HIPAA, such as advertisers, app providers, wearable device manufacturers, and healthcare companies and their processors.

Regulated entities and persons

The Act would apply to any legal entity that (1) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington, and (2) alone or jointly with others determines the purpose and means of collecting, processing, sharing, or selling consumer health data. Unlike laws such as the California Consumer Privacy Act, the Colorado Privacy Act, and the Connecticut Data Privacy Act, the Act does not contain thresholds for initial application based on revenue or number of consumers. However, entities that fall under certain revenue and processing thresholds are considered “small businesses” and are granted extended implementation timelines to meet the Act’s compliance requirements.

Certain of the Act’s provisions, such as the geofencing restrictions, apply to the broader category of “persons” rather than only to regulated entities. The Act defines “person” to include natural persons, corporations, trusts, unincorporated associations, and partnerships.

Regulated entity and person exemptions

The Act would not apply to government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency. The definition of “consumer” also specifies that it does not include individuals acting in an employment context.

Covered data

The Act defines "consumer health data" as personal information that (1) is linked or reasonably linkable to a consumer and (2) identifies a consumer's past, present, or future physical or mental health. It defines “personal information” to include a cookie ID, an IP address, a device identifier, or other form of persistent unique identifier.

Specifically, “consumer health data” includes but is not limited to: 
  1. Individual health conditions, treatment, status, diseases, or diagnoses
  2. Social, psychological, behavioral, and medical interventions
  3. Health-related surgeries or procedures
  4. Use or purchase of medication
  5. Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection
  6. Diagnoses or diagnostic testing, treatment, or medication
  7. Gender-affirming care information
  8. Reproductive or sexual health information
  9. Biometric data
  10. Genetic data
  11. Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies and
  12. Any information in the above categories that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).

Covered data exemptions

The definition of “consumer health data” excludes personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest subject to certain conditions. The definition of “personal information” excludes information that is publicly available or deidentified. Notably, the Act's definition of “de-identified” data does not align with the definition in HIPAA and requires a public commitment and contractual obligation limiting re-identification.

In addition, the Act contains a number of exemptions for healthcare-related data such as:

  1. Protected health information for purposes of HIPAA and related regulations
  2. Information originating from, and intermingled so as to be indistinguishable from, protected health information maintained by a covered entity or business associate
  3. Healthcare information collected, used, or disclosed in accordance with Washington’s medical records statutes and
  4. Personal information subject to the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Washington Health Benefit Exchange and applicable statutes and regulations, and the privacy rules adopted by the Washington State Office of the Insurance Commissioner.

Finally, the Act does not restrict the collection, use, or disclosure of consumer health data by a regulated entity or processor to (1) detect, prevent, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activities; (2) preserve the integrity or security of systems; or (3) investigate, report, or prosecute those responsible for any such action. This is a use-based exception: it permits these specific security and fraud-prevention uses, not a general carve-out for security or fraud data.

Obligations of regulated entities and persons

The Act requires regulated entities to (1) maintain a consumer health data privacy policy; (2) obtain consumer consent to collect and share consumer health data; (3) respect consumers’ rights regarding their consumer health data; (4) restrict access to consumer health data and maintain data security practices; and (5) implement data processing agreements with processors. The Act also prohibits persons from selling consumer health data without valid authorization and from implementing a geofence around an entity that provides in-person healthcare services.

1.  Privacy policy requirements

The Act requires a regulated entity to “prominently” publish a link on its homepage to a consumer health data privacy policy. The policy must clearly and conspicuously disclose:

  1. The categories of consumer health data collected and the purpose for collection, including how the data will be used
  2. The categories of sources from which the consumer health data is collected
  3. The categories of consumer health data that is shared 
  4. A list of the categories of third parties and specific affiliates with whom the regulated entity shares the consumer health data and
  5. How consumers can exercise their rights under the Act.

A regulated entity may not collect, use, or share additional categories of consumer health data not disclosed in its consumer health data privacy policy unless it discloses these additional categories and obtains the consumer's affirmative consent. By the same token, the entity may not collect, use, or share such data for undisclosed purposes without first disclosing the additional purposes and obtaining the consumer's affirmative consent.

2.  Consumer consent requirements

The Act prohibits a regulated entity from collecting or sharing consumer health data except with the consumer’s consent or to the extent necessary to provide a product or service that the consumer has requested. Notably, consent to collect and consent to share must be obtained separately.

The Act defines “consent” to mean a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means. Such consent may not be obtained by (a) a consumer’s acceptance of a general or broad terms of use agreement or similar document; (b) a consumer hovering over, muting, pausing, or closing a given piece of content; or (c) a consumer's agreement obtained through the use of deceptive designs.

Consent must be obtained prior to any collection or sharing of consumer health data and must include: (a) the categories of consumer health data collected or shared; (b) the purpose of the collection or sharing, including the specific ways in which the consumer health data will be used; (c) the categories of entities with whom the consumer health data is shared; and (d) how the consumer can withdraw consent from future collection or sharing.

3.  Consumer rights

The Act provides that consumers have the following rights:

  1. To confirm whether a regulated entity is collecting, sharing, or selling consumer health data and to access such data (along with a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and an active email address or other online mechanism for contacting these third parties)
  2. To withdraw consent and
  3. To request deletion of their consumer health data, including information shared or processed by affiliates, processors, contractors, or other third parties, as well as archived or backup systems (there is no exception for circumstances in which other laws or regulations require that records be retained for a certain period of time).

A regulated entity has 45 days to respond to a consumer request for access or to withdraw consent, and 30 days to respond to an authenticated deletion request. It must also establish a process for consumers to appeal any refusal to act on a request.

4.  Access restrictions and security requirements

The Act requires a regulated entity to restrict internal access to consumer health data to those employees, processors, and contractors for whom access is necessary to further the purposes for which the consumer consented or to provide a product or service that the consumer has requested.

A regulated entity must also establish, implement, and maintain administrative, technical, and physical data security practices that satisfy the reasonable standard of care within the regulated entity's industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the personal data at issue.

5.  Data processing agreement requirements

The Act provides that a processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity. That contract must set forth the processing instructions and limit the actions the processor may take with respect to the consumer health data it processes. A processor that fails to follow those instructions, or that processes consumer health data outside the scope of its contract, is itself treated as a regulated entity with respect to that data.

6.  Sale restrictions

Like recently enacted comprehensive state privacy laws, the Act places restrictions on the sale of consumer data. It follows the model set out in HIPAA, however, by making it unlawful for any person to sell or offer to sell consumer health data without a valid authorization signed by the consumer. “Sale” is defined broadly as the exchange of consumer health data for monetary or other valuable consideration. The authorization must be written in plain language and contain the following:

  1. The specific consumer health data being sold
  2. The name and contact information of the person collecting and selling the data
  3. The name and contact information of the person purchasing the data
  4. The purpose for the sale, including how the data will be gathered and used by the purchaser
  5. A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization
  6. A statement that the consumer has a right to revoke the authorization at any time (and a description of how to submit such revocation)
  7. A statement that the data may be subject to redisclosure by the purchaser and no longer be protected by the Act and
  8. An expiration date for the authorization, which expires one year from the date the consumer signs it.

The Act does not permit compound authorizations and requires that a copy of the authorization be provided to the consumer.

7.  Geofencing prohibition

The Act makes it unlawful for any person to implement a geofence around an entity that provides in-person healthcare services if the geofence is used to identify or track consumers seeking healthcare services; collect consumer health data from consumers; or send notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services.

“Geofence" is defined to include technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of location detection to establish a virtual boundary around a specific physical location. For purposes of the Act, "geofence" means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.

“Health care services” include any service provided to a person to assess, measure, improve, or learn about a person's health, including:

  1. Individual health conditions, status, diseases, or diagnoses
  2. Social, psychological, behavioral, and medical interventions
  3. Health-related surgeries or procedures
  4. Use or purchase of medication
  5. Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection
  6. Diagnoses or diagnostic testing, treatment, or medication
  7. Reproductive healthcare services or
  8. Gender-affirming care services

Effective date

Unless amended, certain provisions of the Act will take effect as soon as July 2023.  While the version of the bill that initially passed the House did not contain any effective date, the Senate version of the bill, which was later approved by the House, incorporated an effective date into several (but not all) of the provisions of the Act.  

Interestingly, the explanatory comments in the final (Senate) version of the bill purport to introduce an effective date of June 30, 2024, for small businesses, and March 31, 2024, for other regulated businesses. However, the effective date was incorporated only on a section-by-section basis into certain sections and subsections. The sections and subsections for which no effective date is specified will therefore take effect ninety (90) days after the end of the current legislative session. As of now, the 2023 regular session is scheduled to adjourn on April 23, 2023, and the next regular session will not begin until January 2024. Thus, the chances seem relatively low that any amendments will be passed before late July 2023, when the provisions without a specified effective date take effect.

Violations of the Act may be enforced by the Washington Attorney General under the Washington Consumer Protection Act (WCPA). The Act also permits a private right of action for aggrieved consumers. 

Under the WCPA, the Attorney General may seek civil penalties of up to $7,500 per violation for unfair or deceptive acts or practices and unfair competition. A prevailing private plaintiff may recover actual damages, and the court may award treble damages, which may not exceed $25,000, together with costs and attorneys’ fees.

Key takeaways

  • The Act’s definitions are exceptionally broad. The term “consumer health data” could arguably include virtually any category of personal data (e.g., the inclusion of inferred data makes it difficult to exclude any data whatsoever in the health, wellness, and fitness space). In addition, “health care services” includes any service provided to a person to assess, measure, improve, or learn about a person's health. Further, “regulated entity” includes any entity doing business in Washington or providing products or services targeted to consumers in Washington.
  • The Act provides for few exceptions related to federal law. As in California, the exceptions relate to data rather than to the regulated entity or person, meaning that the Act may apply to certain categories of data even if the regulated entity is otherwise subject to HIPAA or another excluded federal law.
  • The consent and authorization model goes beyond other comprehensive state privacy laws to restrict the collection, processing and disclosure of information. Instead, it skews closer to the structure of HIPAA and recent FTC enforcement actions (see our alert regarding the FTC’s proposed settlement with BetterHelp).
  • Although the Act does not explicitly focus on targeted or online advertising, its consent and authorization approach to the collection and disclosure of data, as well as its limitation on sales, will have the practical effect of limiting the use of third-party trackers, cookies and other online advertising tools.
  • The Act’s data subject rights are broader than any other state law, with almost no exceptions for the right of deletion. This dynamic is likely to create conflicts where data is subject to laws that otherwise require retention. 
  • The Act imposes unprecedented substantive requirements on companies, including opt-in consent for numerous common and beneficial data uses, and separate and distinct privacy notices for the collection, sharing, and selling of consumer health data.
  • The Act contains a general private right of action. We anticipate aggressive enforcement by plaintiffs’ lawyers, similar to the trend we have seen in Illinois in relation to BIPA.

To find out more about the implications of this new legislation, please contact either of the authors or your usual DLA Piper relationship attorney.