On Monday, April 17, the Washington House passed an amended version of the My Health My Data Act (HB 1155) (the “Act”), a bill that would impose sweeping new requirements on the collection, processing, and sale of consumer health data in the state. The Act had been passed by the Senate on April 5 and now moves to Governor Jay Inslee’s desk for signature.
If enacted, the My Health My Data Act would constitute a major development in the U.S. privacy law landscape. While we have seen an increased interest in the regulation of health data by the Federal Trade Commission, the My Health My Data Act would represent a novel step towards regulating health data at the state legislative level. And the Act’s impact would be significant. The bill applies broadly in terms of the consumers that it protects, the entities that it regulates, and the types of health data and health data transactions within its scope. Further, the bill offers not just breadth, but also depth, imposing robust requirements on the collection, sharing, and sale of consumer health data, including separate affirmative opt-in consent requirements for collection and sharing, as well as a distinct requirement for “valid authorization” of sale. Most importantly, the law would be enforceable through a private right of action, potentially subjecting regulated businesses to substantial legal exposure for violations.
In this post, we identify notable takeaways from the My Health My Data Act and summarize the bill’s key provisions. We are happy to answer any questions you have about the My Health My Data Act and its potential implications for your data privacy compliance program.
- Expanding on the HIPAA Framework: The Act explicitly describes itself as supplementing the limited protections for health data offered by HIPAA. As the statute points out in its statement of legislative findings — and as we have previously observed on this blog — though many people “expect that their health data is protected under laws like [HIPAA],” the reality is that HIPAA only applies to health data collected by certain types of health care entities, such as health care providers. Notably excluded from the HIPAA framework, for example, is health data collected by many health-related apps and websites. The Act, then, “works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections” for consumer health data.
- Broad Applicability: The Act applies broadly along several dimensions. First, it employs an expansive definition of “consumer health data,” covering any “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health.” This definition includes not just information like health conditions, treatment history, and medication prescriptions, but also, among other things, “[p]recise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies” or health-related information “that is derived or extrapolated from nonhealth information.” Second, the consumers protected by the Act include both Washington residents and individuals “whose consumer health data is collected in Washington.” And third — in a notable departure from the HIPAA model — the “regulated entities” subject to the Act include any entity that has a commercial nexus to Washington and “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Presumably, this would encompass health-related websites and apps that go largely unregulated under HIPAA.
- Separate Affirmative Opt-In Consent Requirements for Collecting and Sharing: The Act provides that regulated entities must obtain separate consents before collecting or sharing a consumer’s health data (unless such collection or sharing is necessary to provide a product or service requested by the consumer). And the Act’s definition of “consent” is a robust one, requiring “a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement.”
- Authorization for Sale: In addition to requiring separate consents for the collection and sharing of consumer health data, the Act imposes distinct preconditions for the sale of consumer health data, requiring that such sales be preceded by a “valid authorization” from the relevant consumer. These authorizations must, in turn, include such information as the specific consumer health data to be sold, the name and contact information of the buyer and seller, the purpose of the sale, and an expiration date for the authorization itself. Notably, the Act defines “sale” broadly as “the exchange of consumer health data for monetary or other valuable consideration” — meaning that this authorization requirement could apply to a wide range of transactions.
- Private Right of Action: The Act is enforceable through a private right of action under the Washington Consumer Protection Act. The bill’s inclusion of a private right of action greatly increases the compliance risk for regulated entities, as it exposes these companies to lawsuits from individual litigants. For a rough analogue, companies can look to the impact of the Illinois Biometric Information Privacy Act (BIPA), a biometric privacy law that similarly includes a private right of action and has created massive potential legal exposure for violators.
Key provisions of the My Health My Data Act include:
Scope and Applicability
- Consumer Health Data: Defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health.” Enumerates a non-exhaustive list of types of consumer health data, including health conditions, procedure histories, and medication purchases, as well as gender-affirming care information, reproductive and sexual health information, biometric and genetic data, “[p]recise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies,” and health information “derived or extrapolated from nonhealth information.”
- Protected Consumers: “Consumers” protected by the statute include Washington residents and any person “whose consumer health data is collected in Washington.”
- Regulated Entities: Regulated entities include any entity that (1) conducts business in Washington or targets products or services to Washington consumers and (2) determines the purpose and means of collecting, processing, sharing, or selling consumer health data.
- Exemptions: Exempts various entities and information types, including government and tribal entities, as well as information subject to HIPAA, GLBA, FCRA, and FERPA.
- Consumer Health Data Privacy Policies: Requires that regulated entities maintain and publish consumer health data privacy policies that disclose: (1) categories of consumer health data collected and the purpose for which such data is collected (including how the data will be used); (2) categories of sources from which the consumer health data is collected; (3) categories of consumer health data shared; (4) categories of third parties and affiliates with whom the entity shares consumer health data; and (5) how a consumer can exercise relevant rights under the Act.
- Affirmative, Opt-In Consent for Data Collection and Sharing: Prohibits regulated entities from collecting or sharing consumer health data without obtaining the consumer’s affirmative, opt-in consent, unless the collection or sharing is necessary to provide a product or service the consumer has requested. Regulated entities must obtain separate consents for collection and sharing.
- Consumer Data Rights: Creates rights for individual consumers, including: the right to confirm whether a regulated entity is collecting, sharing, or selling an individual’s health data and to access such data; the right to withdraw consent for the collection and sharing of consumer health data; and the right to delete consumer health data.
- Data Protection: Requires that regulated entities restrict access to consumer health data and implement data security practices sufficient to satisfy a “reasonable standard of care” within their industry.
- Data Sale Authorizations: Prohibits the sale of consumer health data without the consumer’s valid authorization. Such valid authorization must be a document containing, among other things, the specific consumer health data to be sold, the name and contact information of the buyer and seller, the purpose of the sale, and an expiration date for the authorization.
- Geofencing Restrictions: Prohibits the placement of geofences around entities that provide in-person health care services when the geofence is used to identify or track consumers seeking health care services; collect consumer health data; or send messages or advertisements to consumers regarding consumer health data or health care services.
- State AG Enforcement: Violation of the Act is deemed “an unfair or deceptive act in trade or commerce and an unfair method of competition” under Washington’s Consumer Protection Act. Violations are enforceable by the state AG.
- Private Right of Action: Individuals who are injured by a violation of the Act may bring an action under the Washington Consumer Protection Act.