On April 27, 2023, Washington Governor Jay Inslee signed into law House Bill 1155, otherwise known as the My Health My Data Act. Certain “geofencing” portions of the law became effective July 23, 2023. Other provisions will become effective for “small businesses” on June 30, 2024, and for all other regulated entities on March 31, 2024. Below is a brief summary of the law’s core components: (1) covered individuals and entities, (2) covered data, and (3) data collection and sharing requirements.

Who is Covered?

The law covers a broad range of consumers and regulated entities. “Consumer,” for example, is defined to include any Washington resident or anyone whose consumer health data is collected in Washington. Similarly, a “regulated entity” means any legal entity that either conducts business in Washington or provides products or services that are targeted to Washington consumers. Taken together, these definitions produce an expansive privacy law that covers consumers residing in Washington, any consumer health data collected in Washington, and any business that conducts business in Washington or provides products or services targeted to Washington consumers and that collects consumer health data.

“Small Businesses,” for the purpose of determining the law’s effective date as described above, includes any regulated entity that either: (i) collects, processes, sells, or shares less than 100,000 consumers’ data in a calendar year or (ii) derives less than 50 percent of its gross revenue from collecting, processing, selling, or sharing consumer health data, and controls, processes, sells, or shares fewer than 25,000 consumers’ health data.

What Data is Covered?

The law regulates the collection, sharing, and selling of “consumer health data,” which includes all personal information linked or reasonably linkable to a consumer that identifies the consumer’s past, present, or future physical or mental health status. This definition does not include certain data already protected or otherwise subject to other state and federal authorities, such as protected health information under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

What are the Key Data Collection and Sharing Requirements?

The Act imposes various consumer privacy and data protection requirements that regulated entities must follow to collect, share, and sell consumer health data:

  1. Regulated Entity Requirements

A regulated entity may not collect consumer health data except (i) with the consumer’s consent for the relevant specified purpose or (ii) to the extent “necessary” to provide a product or service that the consumer has requested from the entity. Regulated entities “collect” data if they “buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.” This broad “collection” definition means that almost any handling of consumer health data could be considered collection of consumer health data. How the state will ultimately interpret “necessary,” which determines whether an entity must seek consumer consent, remains unclear.

A regulated entity may not share consumer health data except (i) with the consumer’s consent that is separate from the collection consent described above or (ii) if necessary to provide a product or service that the consumer has requested from the entity.

The opt-in consent required for the collection or sharing of any consumer health data must be obtained prior to any use. The request for consent must clearly disclose: (i) the categories of consumer health data collected or shared, (ii) the purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used, (iii) the categories of entities with whom the consumer health data is shared, and (iv) how the consumer can withdraw consent from future collection or sharing of their data.

A regulated entity may also not sell or offer to sell consumer health data without first obtaining signed authorization from the consumer, separate from the previous consent needed to collect or share the data. A “sale” is defined broadly as the exchange of consumer health data for monetary or other valuable consideration. This consent must be in a document written in plain language that contains: (i) the specific consumer health data the entity or person intends to sell, (ii) the name and contact information of the entity purchasing, collecting and selling the data, (iii) the description of the sale’s purpose, and (iv) the consumer’s signature and date.

The law also requires regulated entities to provide a privacy policy on their websites that clearly discloses to consumers the categories of consumer health data collected and shared, the sources from which it is collected, the intended use for the collected data, a list of third parties with whom the data is shared, and how consumers can exercise their rights. Regulated entities must publish a link to the privacy policy on their homepage. Regulated entities are not permitted to collect, use, or share consumer health data for purposes not disclosed in the privacy policy without first disclosing and obtaining the consumer’s affirmative consent.

Regulated entities must also restrict access to consumer data to only those individuals needed to further the purposes for which the consumer provided consent or where necessary to provide a product or service that the consumer requested. Regulated entities must establish and implement security practices that satisfy a reasonable standard of care to protect the confidentiality of consumer health data.

Lastly, a regulated entity that receives a request for deletion of consumer health data must delete the data and instruct all relevant third parties to also honor that request. Once a consumer submits a request, the regulated entity must comply within 45 days of receipt.

  2. Consumer Rights

The law endows consumers with several rights concerning the collection, sharing, and selling of their health data. Consumers have the right, for example, to confirm whether a regulated entity is collecting, sharing, or selling their health data. Consumers also have the right to access that data, as well as a list of all third parties with whom the data has been shared or to whom it has been sold, and an active email address for those third parties.

Consumers may withdraw their consent from the collection and sharing of their consumer health data and request that the data be deleted, which must be honored by regulated entities without exception. Regulated entities must communicate this deletion request to all third parties with whom the consumer health data has been shared.

If a regulated entity fails to act on the consumer’s request, the law allows consumers, including those who are not Washington state residents but otherwise meet the definition of “consumer,” to bring a private right of action to challenge the refusal. This right, coupled with the Washington Attorney General’s enforcement authority, may lead to significant litigation going forward. Regulated entities and service providers should prepare now and strictly follow their obligations under the law.

  3. Geofencing

The law prohibits implementing a so-called “geofence” around a facility that provides in-person health care services where the geofence is used to (i) identify or track consumers seeking health care services; (ii) collect consumer health data from consumers; or (iii) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. The law defines a geofence as technology that uses any form of spatial or location detection to locate a consumer within a virtual boundary of 2,000 feet or less from the perimeter of a physical location. This prohibition became effective July 23, 2023.

What are next steps for businesses?

Businesses should consider whether they are subject to the law and, if so, assess their current privacy compliance posture against its requirements. Businesses that have taken steps to comply with the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act, or the various other US state consumer privacy laws may have already implemented relevant compliance measures. But because many of the law’s elements are unique and not currently required under existing consumer privacy laws (e.g., signed authorization for the sale of consumer health data), relevant businesses should conduct an audit to determine their current compliance and consider implementing any new requirements immediately.

Reed Smith will continue to monitor any relevant updates related to this law and other state health privacy laws and regulations. If you have any questions about compliance with this or any other health privacy provisions, please reach out to the health care lawyers at Reed Smith.