Major Portions Go Into Effect March 31, 2024, Including Its Private Right of Action

Washington's "My Health, My Data Act" is a new data privacy statute that regulates the collection, sharing, selling, and processing of "consumer health data" by certain entities. The act is intended to protect health data not otherwise protected by federal health care privacy regulations, such as data held by entities not regulated by HIPAA. Despite its name, the act broadly encompasses the regulation of personal data beyond traditional health care data. In certain circumstances, it regulates the collection of non-Washington residents' data and businesses outside of Washington. "Regulated entities," as defined by the act, must comply with its obligations beginning March 31, 2024, while "small businesses" have until June 30, 2024. The act will have wide-reaching ramifications for businesses due to the expansive scope of the act's coverage and enforcement through a private right of action.

Individuals Covered and Entities Regulated

The act defines key terms as follows: A "consumer" includes Washington residents, as well as any individual whose data is collected in Washington. "Collect" means "to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner." This broad definition will likely become the subject of litigation and eventual judicial interpretation. Notably, the definition of "process" is sweeping and ambiguous. It is "any operation or set of operations performed on consumer health data," which does not provide clarity as to the types of actions included. Therefore, businesses should assume that any interaction with consumer health data in Washington or from Washington's residents may be subject to the act until the courts provide greater clarity. The definition of consumer does not cover an individual acting in an employment context, so employee data is excluded from the act.

The act applies to "regulated entities" and "small business" entities. Regulated entities include those that conduct business in Washington as well as entities that produce or provide products or services that target consumers in Washington. Small businesses are generally entities that collect consumer health data of fewer than 100,000 consumers per year. Other than the required implementation dates, the obligations under the act for regulated entities and small businesses are the same. The act does not apply to government agencies or providers that process consumer health data on behalf of government agencies. The act does not otherwise limit the types of entities subject to its provisions, such as based on an entity's revenue or non-profit status.

Scope of Protected Information

The act broadly defines the term "consumer health data." It includes "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status." A non-exhaustive list of categories that qualify as "physical or mental health status" includes:

  • General health data such as individual health conditions, treatment, diseases, or diagnosis;
  • Social, psychological, behavioral, and medical interventions;
  • Health-related surgeries or procedures;
  • Use or purchase of prescribed medication;
  • Bodily functions, vital signs, and symptoms;
  • Diagnoses or diagnostic testing, treatment, or medication;
  • Gender-affirming care information;
  • Reproductive or sexual health information;
  • Biometric data, such as imagery of a retina, iris, fingerprint, hand, and face, and voice recordings;
  • Genetic data, such as DNA data;
  • Precise location information reasonably indicating a consumer's attempt to receive health services or supplies; and
  • Data identifying a consumer as seeking health care services.

Some exclusions apply to the data protected under the law. For example, deidentified data that cannot reasonably be linked to a particular individual and publicly available information are excluded from the definition of personal information. Further, the statute does not regulate data protected by certain federal laws.

Requirements for the Collection, Sharing, Sale, and Processing of Consumer Health Information

Like many data privacy laws enacted in recent years, the act includes various notice, consent, and security requirements. Washington's act imposes the following obligations:

  • Data Privacy Policy: Entities must maintain a detailed consumer health data privacy policy that is linked on their homepage. The policy must disclose (1) categories of health data collected and shared and the sources from which it is collected; (2) the use for the collected data; (3) categories of third parties or affiliates that will receive the data; and (4) how consumers can exercise their rights in accordance with the act.
  • Consent: There are various situations in which consent is required under the act. Entities cannot collect consumer health data unless they obtain consent for the specific purpose of the collection. Consent is not required if the collection is necessary to provide a product or service the consumer requested. Consumer health data cannot be shared or sold without obtaining separate consent from the consumer. Additionally, the act requires certain disclosures depending on the consent required. Separate consents are required for the collection, sharing, and sale of data.
  • Right to Access and Deletion: Similar to other data privacy laws, consumers have the right to access their data and request its deletion. If a consumer requests deletion, the regulated entity must delete the data from its records, archives, and backups. The entity must notify all affiliates, processors, contractors, and third parties that the data must be deleted.
  • Data Security: Among other requirements, entities must restrict internal access to consumer health data to only individuals who require access for the purposes described in the consent obtained. Entities must establish, implement, and maintain various data security practices that meet the reasonable standard of care within the entity's industry.
  • Relationship with Data Processors: Notably, the act requires a binding contract between an entity and a data processor that processes consumer health data on the entity's behalf. The contract must set forth various obligations and limitations on the processor. If the processor fails to comply, it becomes a "regulated entity" subject to all the requirements in the act. The act has no limitation on the location of the processor for it to be subject to the requirements in the act. It also prohibits an entity regulated by the act from contracting with a data processor to process consumer health data in a manner that is inconsistent with the act's requirements.
  • Prohibits Geofencing: A "geofence" is technology that creates a virtual boundary around a physical location or locates a consumer within a virtual boundary using data such as GPS, cell tower, and Wi-Fi data. The act makes it unlawful for any person to implement a geofence around an entity that provides in-person health care services if the geofence is used to (1) track or identify consumers seeking health care services; (2) collect health data from consumers; or (3) send messaging or advertisements to consumers related to health data or services. The ban on geofencing has no implementation date and, therefore, should be presumed to already be enforceable.

Enforcement

Washington's Attorney General can enforce violations of the act through Washington's Consumer Protection Act. More importantly, the Consumer Protection Act also gives consumers a private right of action for violations of the My Health, My Data Act to seek injunctive relief, damages for violations, and attorneys' fees. This will undoubtedly lead to class action filings. Businesses familiar with operating in Illinois, however, should note that the act differs from Illinois' Biometric Information Privacy Act (BIPA), which regulates the collection of biometric information. BIPA allows an individual to obtain statutory damages of $1,000 or $5,000 per violation without showing actual harm — making it particularly susceptible to class actions. By contrast, the act is enforced through Washington's Consumer Protection Act, which requires consumers to show they suffered injuries to their businesses or property and sets recovery at an amount equal to those injuries.

Takeaway

As discussed above, this act is complex in its scope and application. Exceptions exist, such as for data already regulated by federal laws and employee data. However, if the act follows the development of Illinois' BIPA, plaintiffs will quickly and repeatedly test the boundaries of the private right of action. The courts will likely take some time to interpret the act through litigation by private plaintiffs and enforcement actions by the state attorney general. As seen with BIPA, litigants will likely also test the bounds of who may be sued under the act, regardless of whether the entity initially collects the data—for example, against technology companies that host, store, and process data in Washington.

Any entity that believes it may "collect" any of the types of data qualifying as "consumer health data" should immediately review its policies and processes to ensure compliance with the act. Any entity that provides services to an entity regulated under the act should also review its service provider contracts to determine whether it needs additional terms to comply with the act. The act should also serve as a reminder to businesses outside of its scope that state legislatures around the country will continue to consider legislation directed at the collection and use of personal data. Businesses should remain vigilant as they implement new technologies that collect or use personal data and consider consulting legal counsel before undertaking costly implementations.
