On April 27, 2023, Washington state Governor Jay Inslee signed the My Health My Data Act, a novel privacy law that expands privacy rules significantly beyond the bounds of existing federal and Washington state privacy laws. It establishes a series of rules that bind most commercial entities in the Washington market, covering most forms of personal information that have a reasonable connection to healthcare. It also gives protected individuals a private right of action to enforce violations. Most regulated entities have less than a year to become compliant.
The act adds to several laws that provide healthcare-data privacy for Washingtonians. The federal Health Insurance Portability and Accountability Act (HIPAA) requires “covered entities” (health plans, healthcare clearinghouses and certain healthcare providers) to obtain a patient’s authorization before disclosing that patient’s protected health information. Washington’s Uniform Health Care Information Act (UHCIA) forbids healthcare providers from disclosing healthcare information absent written authorization or an applicable exception. Additionally, Washington’s constitution provides an explicit right to privacy.
The My Health My Data Act adds to these laws but covers only areas not already addressed by them. It does not cover information that is collected, used or disclosed pursuant to certain federal and state laws, including HIPAA, UHCIA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and statutes and regulations related to the Washington Health Benefit Exchange. Thus, providers may need to comply not only with existing HIPAA laws but also with the expanded new state law. The new act also exempts government agencies and tribal entities from its definition of “regulated entity,” defined as all entities that conduct business in Washington or with Washington consumers and that play a role in determining how to collect, process, share or sell consumer health data.
Effective dates vary. The My Health My Data Act creates a private right of action to enforce violations and prohibits certain uses of geofences (i.e., virtual perimeters that track when a cellphone or other device enters them, usually notifying the geofence operator when one does so), as outlined in greater detail below, and those rules become effective July 23, 2023, the general effective date of the law. The other below-listed rules become effective March 31, 2024, for most regulated entities but June 30, 2024, for “small businesses,” defined as regulated entities that use consumer health data from fewer than 100,000 consumers per year or that derive less than half of their gross revenue from its use.
The act broadens the applicability of existing healthcare-privacy laws. Its provisions cover all consumer health data, defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” “Physical or mental health status” has a broad definition, including 18 categories that range from health conditions and surgeries to sexual health and location data. Expressly excluded from this definition, however, is information used for certain scientific, historical or statistical research. Covered consumers include all Washington residents and persons whose consumer health data are collected in Washington.
The new My Health My Data Act adds a series of privacy rules to those already provided by HIPAA, UHCIA and Washington’s constitution. Below are some further highlights of the key provisions:
- Collecting consumer health data is prohibited unless either the collector obtains a valid authorization or collecting a consumer’s health data is necessary for providing a product or service requested by that consumer.
- Selling consumer health data is prohibited without a valid authorization, and both sellers and buyers must retain copies of all valid authorizations for six years.
- Regulated entities must clearly and conspicuously disclose what consumer health data they collect, why they collect it and what sources they use for collecting it.
- Consumers have a right to confirm whether a regulated entity is following the My Health My Data Act and may at any time request a copy of their consumer health data or request that the entity delete their data. Regulated entities must respond to such requests “without undue delay” but in no case more than 45 days.
- Regulated entities must restrict consumer health data access by employees and contractors and must establish sufficient security protocols to that end.
- Implementing a geofence around healthcare facilities is prohibited when done for the purpose of identifying or tracking patients seeking healthcare services, collecting consumer health data from consumers or sending them messages related to their consumer health data or healthcare services.
- A violation of the My Health My Data Act constitutes an unfair or deceptive act in trade or commerce and an unfair method of competition, making it a per se violation of the Washington Consumer Protection Act. This rule gives consumers a private right of action to enforce violations of the new law.
The My Health My Data Act’s scope is significantly broader than that of most related laws, particularly given its expansive definition of consumer health data, its coverage of nonhealthcare entities and its private right of action. Further, the same day Governor Inslee signed the act, he also signed several other laws addressing sensitive areas in healthcare: e.g., SB 5242 eliminates cost sharing for abortions, and the Shield Law prohibits cooperation with certain out-of-state subpoenas and other actions related to abortion. The novelty of the act alongside these related initiatives may indicate a trend in Washington law. Regulated entities should therefore begin crafting their policies to satisfy the statute’s rules, as most have less than a year to become compliant, and should watch for continued development in this area of Washington law.
For More Information
If you have any question about this Alert, please contact Neville M. Bilimoria, Taylor Hertzler, any of the attorneys in our Privacy and Security for Healthcare Providers Group, any of the attorneys in our Privacy and Data Protection Group or the attorney in the firm with whom you are regularly in contact.