New Health Data Privacy Law to be Passed in Washington
April brought a new privacy law covering the health data of individuals. HB 1155, the Washington My Health, My Data Act, is a new law prompted by the overturning of Roe v. Wade, and if enacted it will significantly change how entities doing business in the state of Washington handle the health data of residents. The bill was passed by the Senate on the 5th of April and by the Washington House on the 17th, and is now moving to the Governor’s desk for signature.
One may ask, “What about HIPAA?” HB 1155 is meant to supplement HIPAA, which covers data collected by specific healthcare entities and providers but does not protect, for example, data collected by websites and apps, such as period tracking apps. Accordingly, its stated goal, in the text of the law, is “to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers' health data.” If passed, HB 1155 would be a new step towards regulating the handling of health data at the state level, and it stands out through its broad scope of application, its separate opt-ins for data collection and data sharing, and its private right of action for consumers.
Scope
The law applies to what it defines as ‘regulated entities,’ namely “any legal entity that: (a) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.”
When it comes to the data it protects, the law defines ‘consumer health data’ as “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health” and offers a wide list of examples, such as health conditions, treatments, diagnoses, surgeries or other medical procedures, reproductive or sexual health information, specific biometric or genetic data, etc.
Exemptions
HB 1155 exempts health information that is protected under HIPAA, patient identifying information under 42 C.F.R. Part 2, de-identified information, or certain information related to research. It also states that it “does not restrict a regulated entity's or processor's ability for collection, use, or disclosure of consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.”
Obligations of regulated entities
HB 1155 comes with a list of obligations for regulated entities and/or persons, as follows:
- Regulated entities have to provide a link to a “consumer health data privacy policy” that clearly and conspicuously discloses the categories of consumer health data collected and the purpose, including how the data will be used; the categories of sources for the data; the categories of consumer health data that is shared; a list of the categories of third parties and specific affiliates with whom the regulated entity shares consumer health data; and the means through which consumers can exercise their rights.
- Regulated entities cannot collect or share consumer health data without the consumer’s consent, unless an exception applies, such as when collection or sharing is necessary “to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity.”
- Regulated entities have to provide consumers with their data subject access rights and reply to requests "without undue delay, but in all cases within 45 days of receipt of the request."
- Access to consumer health data has to be restricted and appropriate data security measures have to be put in place that are “appropriate to the volume and nature of the personal data at issue.”
- If they enter into data processing agreements with processors, regulated entities can only do so “pursuant to a binding contract between the processor and the regulated entity that sets forth the processing instructions and limits the actions the processor may take with respect to the consumer health data it processes on behalf of the regulated entity.”
- No person can sell consumer health data without the consumer’s valid authorization. A sale is defined as “the exchange of consumer health data for monetary or other valuable consideration,” and a valid authorization is a document written “in plain language” that contains the following details: the specific health data being sold, the names of both the seller and the purchaser of the data, a description of the purpose of the sale, the consumer’s right to revoke the authorization, a statement that the health data may be re-disclosed, an expiration date for the authorization, and the date and signature of the consumer.
- No person can implement a geofence around “an entity that provides in-person health care services where such geofence is used to: identify or track consumers seeking health care services; collect consumer health data from consumers; or send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.” The text of the law defines ‘geofence’ as “technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wifi data, and/or any other form of location detection to establish a virtual boundary around a specific physical location” and limits the boundary of a geofence to “2,000 feet or less from the perimeter of the physical location.”
Consumer rights
Section 6 of HB 1155 sets out three rights of consumers:
- The right to confirm whether a regulated entity is collecting, sharing, or selling the consumer’s health data and, if so, to access the data. This includes the right to obtain a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer’s health data as well as an active email address or other online mechanism that the consumer may use to contact these third parties.
- The right to withdraw consent to the regulated entity’s collection and sharing of their health data.
- The right to have their health data deleted.
Enforcement
A violation of HB 1155 is, according to the text of the law, “not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act.” As such, violations are enforceable by Washington’s Attorney General.
Because a violation is treated as a violation of the Consumer Protection Act, consumers also have a private right of action under that act.
Update - 8th of May 2023
On the 27th of April, the Governor signed the bill into law. The act takes effect on July 23rd, 2023, which is when the geofencing prohibition applies; the obligations on regulated entities described above apply beginning March 31st, 2024 (June 30th, 2024 for small businesses as defined in the act).