Washington’s legislature has passed the My Health My Data Act: A robust privacy law designed to ensure privacy in healthcare settings—but with implications that extend far beyond healthcare providers.
The act, HB 1155, is due to take effect on 31 March 2024 but is still awaiting the State Governor’s signature at the time of writing. There are some ambiguities in the text, but the act could be among the strongest privacy laws in the US—and it has a private right of action.
Here are five reasons to pay attention to Washington’s My Health My Data Act.
1. It applies broadly
The My Health My Data Act applies more broadly than other US state privacy laws, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA).
The act covers two main types of organisations.
First, “regulated entities”, which means any legal entity that:
- Conducts business or targets consumers in Washington state, and
- “Determines the purpose and means” of collecting, processing, sharing, or selling of consumer health data.
“Targeting” consumers in Washington state is not defined. It’s possible that making an app or website accessible in Washington could meet this definition.
Second, “small businesses”, which means any legal entity that:
- Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year, or
- Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and
- Controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.
Note that both types of entities are covered by the law, but some provisions take delayed effect for small businesses.
Some types of organisations are excluded from the scope of the act, including government entities, government contractors, and tribal nations.
2. It covers many types of data
The My Health My Data Act regulates “consumer health data”, which has a seemingly very broad definition. Before we look at the meaning of “consumer health data”, we need to see how the act defines “personal information” and “consumer”.
“Personal information” is “information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer”.
The act provides examples, including any “persistent unique identifier, such as a cookie ID, an IP address, a device identifier.”
The act does not regulate personal information per se, but treats “consumer health data” as a type of personal information that reveals a person’s health status.
A “consumer” is a “natural person” (living individual) who is either a Washington resident or whose consumer health data was collected in Washington. The act explicitly excludes natural persons acting “in an employment context”.
The second element of this “consumer” definition implies that any person—even if they don’t live in Washington, or have any connection with Washington whatsoever—has rights under the act if their “consumer health information” is collected “in Washington”.
Consumer Health Data
As noted, the act regulates the processing of “Consumer health data”, which is:
“Personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”
It follows that “consumer health data” isn’t limited to “explicit” health information, like medical records or diagnoses. “Consumer health data” could be any type of personal information that identifies a consumer’s “past, present or future physical or mental health status”.
This approach is consistent with the FTC’s treatment of cookie IDs and device data as potential “health information” in the recent BetterHelp and GoodRX settlements.
The act also provides a non-exhaustive list of information qualifying as “consumer health data”, including information about individual health conditions, the use or purchase of prescription drugs, and health-related interventions.
The upshot of this broad definition is that cookie or pixel data collected on a website that provides health-related services could be “consumer health data” under the act.
However, the act does provide some exceptions to the “consumer health data” definition, including:
- “Protected health information” for the purposes of the Health Insurance Portability and Accountabilty Act (HIPAA).
- Information processed for the purposes of the Gramm-Leach Bliley Act (GLBA)
- Health care information processed in accordance with Washington’s medical records law (Ch 70.02 RCW).
- Information processed in accordance with various research-related laws and regulations.
- Information processed by hospitals, healthcare facilities, and other healthcare services.
3. It includes a very strong ‘consent’ definition
Consent is an important feature of the My Health My Data Act. We’ll look at some consent-related obligations below. But first, here’s the definition:
“‘Consent’ means a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means.
This is a very strong “consent” definition—much like the GDPR’s, but adding “voluntary” to the list of conditions of valid consent.
The act further strengthens its “consent” definition by stating that consent cannot be obtained via:
- A consumer’s acceptance of “general or broad” terms and conditions that includes information unrelenting to personal data processing.
- A consumer hovering over, muting, pausing, or closing a given piece of content.
- A consumer’s agreement obtained through the use of deceptive designs.
A “deceptive design”, otherwise known as a “dark pattern”, is defined in the act as “a user interface designed or manipulated with the effect of subverting or impairing user autonomy, decision making, or choice”.
4. It sets strict rules on collection and sharing data
Under the My Health My Data Act, covered organisations must not collect or share consumer health data unless:
- The consumer has consented in relation to a specified purpose, or
- The collection of sharing is necessary to provide a product or service requested by the consumer.
Requests for consent to share consumer health data must be made separately and distinctly from requests for consent to collect consumer health data.
When requesting consent, an organisation must disclose:
- The categories of consumer health data collected or shared.
- The purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used.
- The categories of entities with whom the consumer health data is shared
- How the consumer can withdraw consent from future collection or sharing of their health data.
However, there is an exemption to these obligations if collection or sharing of consumer health data is necessary to:
- Investigate, report, or prosecute those responsible for any action that is illegal under Washington state law or federal law.
- Preserve the integrity or security of systems.
- Prevent, detect, protect against, or respond to:
- Security incidents
- Identity theft
- Malicious or deceptive activities
- Any activity that is illegal under Washington state law or federal law.
5. It provides strong consumer rights
Under Washington’s My Health My Data Act, consumers have the following rights:
- To confirm whether a regulated entity or a small business is collecting, sharing, or selling consumer health data about the consumer.
- To access the data.
- To obtain a list of each third party or affiliate that has received the consumer’s health data, together with an email address or other online contact method.
- To withdraw consent.
- To have consumer health data, including that sent to third parties or stored on backup systems, deleted on request.
Consumers can exercise their rights up to twice per year, for free. Organisations must respond within 45 days, with a further 45-day extension available on request. They must also establish an appeals process for consumers who are unhappy with an organisation’s response to their request.