Washington’s My Health My Data Act (“HB 1155” or the “Act”), which would expand privacy protections for the health data of Washington consumers, recently passed the state Senate after advancing through the state House of Representatives. Provided that the House approves the Senate’s amendments, the Act could head to the governor’s desk for signature in the coming days and become law. The Act was introduced in response to the United States Supreme Court’s Dobbs decision overturning Roe v. Wade. If enacted, the Act could dramatically affect how companies treat the health data of Washington residents.
This blog post summarizes a few key takeaways in the statute.
Scope
HB 1155 is broad and would impact businesses and information that may not otherwise be regulated under other state consumer or medical privacy laws. The Act generally applies to “regulated entities,” defined to include any legal entity that (1) conducts business in the state of Washington or produces or provides services targeted to Washington consumers, and (2) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of “consumer health data.” Unlike other state consumer privacy laws, the Act does not contain any thresholds based on revenue or number of affected consumers. The Act’s restrictions on “geofencing,” described in more detail below, apply to persons more broadly.
The Act defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer’s past, present, or future physical or mental health.” The Act provides a number of examples of what could constitute consumer health data, including gender-affirming care information, reproductive or sexual health information, and certain biometric and genetic data.
Consumer Rights
The Act provides consumers with rights to (1) confirm whether the regulated entity collects, shares, or sells the consumer’s health data and access to that data, including a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and an active email address or other online mechanism that the consumer can use to contact the third parties; (2) withdraw consent from the collection and sharing of their health data (where such consent is required to collect and share, per the discussion below); and (3) request that their consumer health data be deleted. HB 1155 defines “consumers” as natural persons who are Washington residents or whose consumer health data is collected in Washington, and includes persons identified through “unique identifiers.” Although the term “unique identifier” is not defined, the Act suggests that it may include cookie identifiers, IP addresses, and device identifiers. The term “consumer” does not apply to individuals acting in an employment context.
Regulated Entity Obligations
The Act places a number of obligations on regulated entities, including to:
- Maintain a consumer health data privacy policy. The Act requires regulated entities to maintain a link to a “consumer health data privacy policy” on their homepages. The policy must clearly and conspicuously disclose (1) the categories of consumer health data collected and the purpose of collection, including how the data will be used; (2) the categories of sources of the consumer health data; (3) the categories of consumer health data that is shared; (4) a list of the categories of third parties and specific affiliates with whom the regulated entity shares consumer health data; and (5) how consumers can exercise their rights. The Act does not specify whether this policy is meant to be separate from an entity’s more general consumer privacy notice.
- Restrict their collection and sharing of consumer health data. HB 1155 prohibits regulated entities from collecting or sharing consumer health data without consumer consent, unless such collection or sharing is necessary to provide a product or service that the consumer has requested from the regulated entity. Notably, the consent to share must be “separate and distinct from the consent obtained to collect consumer health data.”
- Provide consumers with rights regarding their consumer health data. HB 1155 requires regulated entities to provide consumers with the aforementioned health data rights.
- Restrict access to consumer health data and maintain appropriate data security measures. The Act requires regulated entities to restrict access to consumer health data only to those individuals for which access is necessary to (1) further the purposes for which the consumer provided consent, or (2) provide the requested product or service. Regulated entities are also required to implement reasonable data security measures to protect consumer health data that are “appropriate to the volume and nature of the personal data at issue.”
- Implement data processing agreements with processors. HB 1155 requires regulated entities to enter into data processing agreements with processors that set forth the processing instructions and limit the actions the processor may take with respect to consumer health data.
- Not sell consumer health data without the consumer’s valid authorization. HB 1155 makes it unlawful for any person to “sell or offer to sell” consumer health data without a valid authorization signed by the consumer. The Act defines “sell” to include the sharing of consumer health data “for monetary or other valuable consideration.” Under the Act, a valid authorization must be written in plain language and state (1) what specific consumer health data is being sold, (2) the contact information of the seller, (3) the name and contact information of the purchaser, (4) the purpose of the sale including how the sold data will gathered and used by the purchaser, (5) the fact that goods and services cannot be conditioned on the signing of the authorization, (6) the consumer’s right to revoke the authorization, (7) the fact that the consumer’s information may be re-disclosed by the purchaser and no longer be protected by the Act, and (8) an expiration date not more than one year from when the consumer signs the valid authorization.
- Not implement “geofencing” in certain situations. HB 1155 prohibits any person (not only regulated entities) from implementing geofencing around any entity that provides in-person health care services when the geofence is used to (1) identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to the consumers related to their consumer health data or health care services. HB 1155 defines “geofencing” as “technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wifi data, and/or any other form of location detection to establish a virtual boundary around a specific physical location,” and “geofence” means “a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.”
Exemptions
Among other exemptions, HB 1155 would exempt protected health information under HIPAA, patient identifying information under 42 C.F.R. Part 2, certain research information, and information de-identified in accordance with HIPAA. HB 1155 further states that its obligations are not intended to restrict a regulated entity’s ability to “prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.” Unlike other state consumer privacy laws, the Act does not set forth an explicit exemption for cooperating with law enforcement agencies or complying with certain legal inquiries, investigations, subpoenas, or summons.
Enforcement and Private Right of Action
HB 1155 grants the state Attorney General enforcement authority and provides that a violation of the Act would constitute an unfair or deceptive act under the state’s consumer protection laws. In addition, HB 1155 contains a broad private right of action that allows consumers to seek damages under the state’s general consumer protection laws for Act violations.