
Washington My Health, My Data Act Close to March 2024 Effective Date


In April 2023, Washington State enacted a new privacy law, the Washington My Health, My Data Act (HB 1155), focused on protecting the personal health information of consumers in the state. The law was passed in the wake of the reversal of Roe v. Wade and is aimed at changing the way businesses in Washington manage health data.


Despite what the name might suggest, the Washington My Health, My Data Act covers a wide range of privacy issues and impacts many organizations, including those not directly related to the healthcare sector. The rules and responsibilities outlined in the law could also extend to people who aren't residents of Washington because the legislation considers anyone whose data is collected or processed within the state as consumers under its scope. The Washington My Health, My Data Act enhances existing privacy laws like HIPAA by covering additional types of health data not previously protected, such as information from websites and apps, including period tracking apps. Its main aim is to offer stronger privacy protections for health data, addressing gaps between what consumers know and what companies do.


The law as a whole, which the Governor signed on April 27th, 2023, actually became effective as of July 23rd, 2023. However, the law is organized into sections with different effective dates. According to the official website of the Washington Attorney General, the effective dates are as follows: 

All persons, as defined in the Act, must comply with section 10 beginning July 23, 2023. Regulated entities that are not small businesses must comply with sections 4 through 9 beginning March 31, 2024. Small businesses, as defined in the Act, must comply with sections 4 through 9 beginning June 30, 2024. For sections 4 through 9, the effective dates apply to the entirety of the section and are not limited to the subsections in which the effective dates appear.

Below we outline these dates in more detail:

| Requirement in the text of the law | Compliance date for regulated entities other than small businesses | Compliance date for small businesses |
| --- | --- | --- |
| §4(1)(a) Obligation to maintain a "consumer health data privacy policy" | March 31, 2024 | June 30, 2024 |
| §4(1)(b) Obligation to publish a homepage link to the consumer health data privacy policy | End of July 2023 | June 30, 2024 |
| §4(1)(c) Consent for collection, use, or sharing of categories of data not disclosed in the consumer health data privacy policy | End of July 2023 | June 30, 2024 |
| §4(1)(d) Consent for collection, use, or sharing for purposes not disclosed in the consumer health data privacy policy | End of July 2023 | June 30, 2024 |
| §4(1)(e) Prohibition on contracting with a processor to process in a manner inconsistent with the consumer health data privacy policy | End of July 2023 | June 30, 2024 |
| §5(1)(a) Consent for collection of consumer health data for a secondary purpose | March 31, 2024 | June 30, 2024 |
| §5(1)(b) Consent for sharing consumer health data for a secondary purpose | End of July 2023 | June 30, 2024 |
| §5(1)(d) Prohibition on unlawful discrimination | End of July 2023 | June 30, 2024 |
| §6(1)(a) Right to know / right of access | March 31, 2024 | June 30, 2024 |
| §6(1)(b) Right to withdraw consent | End of July 2023 | June 30, 2024 |
| §6(1)(c) Right of deletion | End of July 2023 | June 30, 2024 |
| §6(1)(d)-(h) Procedural requirements related to consumer requests to exercise rights | End of July 2023 | June 30, 2024 |
| §7 Data security | March 31, 2024 | June 30, 2024 |
| §8(1)(a)(i) Requirement for a processor contract | March 31, 2024 | June 30, 2024 |
| §8(1)(a)(ii) Processor limited to processing consistent with contractual instructions | End of July 2023 | June 30, 2024 |
| §8(1)(b) Processor obligation to assist the regulated entity in meeting its obligations | End of July 2023 | June 30, 2024 |
| §9 Consumer authorization for data "sale" | March 31, 2024 | June 30, 2024 |
| §10 Geofencing prohibition | End of July 2023 | End of July 2023 |

A caveat on the "End of July 2023" entries for subsections of sections 4 through 9: the bill text places its effective-date language in only some subsections, which is why those rows read differently from their neighbours. The Attorney General's statement quoted above resolves this in favour of the later dates: for sections 4 through 9 the March 31, 2024 (regulated entities) and June 30, 2024 (small businesses) dates apply to the entirety of each section, not only to the subsections in which the dates appear. The only obligation that applied to all persons from July 23, 2023 is the section 10 geofencing prohibition.

What is the scope of the Washington My Health, My Data Act?

The Washington My Health, My Data Act applies to what it defines as ‘regulated entities,’ namely “any legal entity that: (a) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” 

When it comes to the data it protects, the law defines ‘consumer health data’ as “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health” and offers a wide list of examples, such as health conditions, treatments, diagnoses, surgeries or other medical procedures, reproductive or sexual health information, specific biometric or genetic data, etc. 

 

Who is exempt from compliance with the Washington My Health, My Data Act?

The Washington My Health, My Data Act exempts health information that is protected under HIPAA, patient identifying information under 42 C.F.R. Part 2, de-identified information, and certain information related to research. It also states that it "does not restrict a regulated entity's or processor's ability for collection, use, or disclosure of consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action."

 

What are the obligations of entities regulated by the Washington My Health, My Data Act?

The Washington My Health, My Data Act comes with a list of obligations for regulated entities and/or persons, as follows: 

  • Regulated entities have to maintain, and link to, a "consumer health data privacy policy" that clearly and conspicuously discloses the categories of consumer health data collected and the purpose of collection, including how the data will be used; the categories of sources for the data; the categories of consumer health data that are shared; a list of the categories of third parties and the specific affiliates with whom the regulated entity shares consumer health data; and the means through which consumers can exercise their rights. 
  • Regulated entities cannot collect or share consumer health data without the consumer's consent, unless an exception applies, such as when collection is necessary "to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity."
  • Regulated entities have to provide consumers with their data subject access rights and reply to requests "without undue delay, but in all cases within 45 days of receipt of the request."
  • Access to consumer health data has to be restricted to the employees, processors, and contractors who need it for the disclosed purposes, and data security practices have to be put in place that are "appropriate to the volume and nature of the personal data at issue."
  • Regulated entities can engage processors only "pursuant to a binding contract between the processor and the regulated entity that sets forth the processing instructions and limits the actions the processor may take with respect to the consumer health data it processes on behalf of the regulated entity."
  • No person can sell consumer health data without the consumer's valid authorization. A sale is defined as "the exchange of consumer health data for monetary or other valuable consideration," and a valid authorization is a document written "in plain language" that contains the following details: the specific health data being sold, the name and contact information of the person selling the data and of the person purchasing it, a description of the purpose of the sale, a statement of the consumer's right to revoke the authorization, a statement that the health data may be re-disclosed, an expiration date for the authorization, and the date and signature of the consumer. 
  • No person can implement a geofence around "an entity that provides in-person health care services where such geofence is used to: identify or track consumers seeking health care services; collect consumer health data from consumers; or send notifications, messages, or advertisements to consumers related to their consumer health data or health care services." The text of the law defines 'geofencing' as "technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wifi data, and/or any other form of location detection to establish a virtual boundary around a specific physical location" and sets the boundary for a geofence at "2,000 feet or less from the perimeter of the physical location."

 

What consumer rights does the Washington My Health, My Data Act grant? 

Section 6 of the Washington My Health, My Data Act sets out three rights of consumers:

  • The right to confirm whether a regulated entity is collecting, sharing, or selling the consumer’s health data and, if so, to access the data. This includes the right to obtain a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer’s health data as well as an active email address or other online mechanism that the consumer may use to contact these third parties.
  • The right to withdraw consent from the regulated entity's collection and sharing of the consumer's health data.
  • The right to have the consumer's health data deleted.

 

Who enforces the Washington My Health, My Data Act? 

A violation of the Washington My Health, My Data Act is, according to the text of the law, “not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act.” As such, violations are enforceable by Washington’s Attorney General. 

Additionally, because a violation is treated as a violation of the Consumer Protection Act, consumers have a private right of action under that act.


Key takeaway

The Washington My Health, My Data Act aims to change the way businesses in Washington handle the health information of consumers, including non-residents whose data is collected or processed in the state. It is expected that this law will inspire similar legislation across the United States. It does not replace HIPAA (HIPAA-protected information is exempt); instead it extends protection to health data that HIPAA does not cover, making sure people know more about what happens to their data and that companies follow stricter privacy rules.


For websites and apps that track health information, this law means they will have to follow new privacy rules, especially for users in Washington. 


If your business deals with health information, it is important to review your privacy practices, identify any changes you need to make, and make sure you follow HB 1155's rules when dealing with consumers from Washington.


In short, businesses must now follow specific rules:

  • Share a clear privacy policy on what health data they collect and how it's used.
  • Get consent from consumers before collecting or sharing their health data.
  • Allow consumers to access their data and respond to their requests within 45 days.
  • Implement strong data security measures.
  • Ensure data processing agreements with third parties are clear and binding.
  • Not sell health data without the consumer's valid written authorization.
  • Not use geofencing near healthcare facilities to track or collect data on consumers seeking healthcare.