May 32023

Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

Colleen Theresa Brown, Sheri Porath Rockwell, Lauren Kitces and Carly R. Owens
, , , , ,

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.

The Act has the potential to spur a sizable wave of litigation because it includes a private right of action and imposes new and operationally challenging obligations on regulated entities. Individuals other than Washington state residents may also have the right to bring actions for alleged violations of the law. Businesses that function as service providers to regulated entities need service provider contracts and will want to strictly follow their obligations under those contracts; failure to do so could render the service provider as a “regulated entity” fully subject to the Act, regardless of domicile.

This article highlights key provisions of the Act and initial steps companies in scope can take to prepare for implementation.

Entities and Data in Scope

The Act applies broadly to “regulated entities” that control the processing of “consumer health data” and largely defines each of these terms in a manner that is broader than any other U.S. data privacy laws that have been passed to date.

  • Regulated entities of all sizes, including nonprofits. The Act applies to “regulated entities,” defined as legal entities of any size that conduct business in Washington state or produce or provide products or services targeted to consumers in Washington, and alone or jointly with others determine the purpose and means of collecting, processing, sharing, or selling of “consumer health information.” In contrast to the California Consumer Privacy Act (CCPA) and other state privacy laws, there is no revenue, data processing, or consumer threshold for an entity to be classified as a “regulated entity,” and nonprofits appear to be in scope.
  • “Consumers” are natural persons regardless of domicile if their data is processed in Washington. The Act defines Washington residents as “consumers” and, in another departure from other U.S. state laws, extends the definition of “consumer” to include a natural person who may not be a resident of Washington but whose consumer health data is collected (which includes to retain, infer, derive, or otherwise process) in the state. If a person who meets either of these thresholds is able to be identified, including “by any unique identifier” (e.g., IP address), they are in scope. Consumers do not include individuals when not acting in their individual or household context and expressly excludes those acting in an employment context.
  • Consumer health data extends far beyond traditional “medical” information. The definition of “consumer health data” is also broadly defined and means “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” Examples in the Act include the use or purchase of a medication; efforts to obtain health supplies or services; biometric data; and precise location information that could “reasonably indicate” a “consumer’s attempt to acquire or receive health supplies or health services.” Such “consumer health data” may also include information that is “derived or extrapolated from non-health information,” including through machine learning and algorithms — a provision that would seem to put cookies and other third-party trackers firmly in scope.

The Act’s reach will extend far beyond healthcare and life sciences entities. Certain entities in retail (e.g., health/supplement stores, general retailers) and providers and users of online adtech and location-related technologies (including vehicle manufacturers) may be in scope.

While the scope is broad, the Act does have exceptions. Notably, protected health information that is subject to the Health Insurance Portability and Accountability Act of 1996 is not subject to the Act. Examples of additional exemptions include certain information subject to Washington medical records laws, 42 C.F.R. Part 2, federal research and clinical trial laws, and personal information that is governed by and collected, used, or disclosed pursuant to the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act.

Opt-In Consent Requirements for the Collection, Sharing, and Sale of Consumer Health Data

The Act introduces new and expansive opt-in consent requirements that businesses will want to take time to understand, as they appear to be very different from what we have seen in other U.S. data privacy laws, including identification of data recipients by name.

  • Opt-in consent to collect or share. Entities must obtain the consumer’s consent before collecting or sharing consumer health data when such data is collected or shared for purposes other than to provide the product or service that the consumer has requested from the entity. Sharing, as used in the Act, means the disclosure of data; it does not track the bespoke definition used in CCPA relating to behavioral advertising. Consents to collect or share cannot be combined, and each request for consent must include privacy policy–like disclosures regarding collection and sharing practices. While the consent obtained for sharing need not identify the data recipient by name, other provisions of the Act give consumers the right to request identification of those data recipients.
  • Time-limited opt-in consent to sell. Consumers must provide consent to allow entities to sell their consumer health data, which likely will be interpreted to include the sale of consumer health data through third-party advertising cookies and trackers. The definition of “sale” tracks the CCPA’s definition that refers to the exchange of data (here, consumer health data) for monetary “or other valuable” consideration. However, the Act does not include exceptions for sale that we see in the CCPA or other laws (e.g., intentional interaction exception).

The consents for sales require a level of detail and transparency that we have not seen before in general U.S. privacy laws. For example, the consent must describe the data being sold and why it is being sold and then identify by name and contact information of the purchaser and describe how the purchaser will be using the data it purchases. Further, any consent obtained is valid only for one year.

Additional Compliance Obligations of Note — Detailed and Extensive

In addition to the consents described above, entities subject to the Act will have several additional compliance obligations, including the following.

  • Data subject rights, with no limitations on deletion rights. The Act grants consumers data subject rights that we see in other state laws: the right to know, access, delete, and correct consumer health data. Unlike those laws, the right to delete does not include any exceptions; consumers have absolute right to have data deleted, and it must be honored. Moreover, the deletion request must be passed on to all affiliates, processors, contractors, and other third parties with which the consumer health data has been shared, and the law explicitly requires deletion from archives and backups. And these data subject rights apply to all “consumers” and their data, which can include individuals other than persons who reside in the state of Washington.
  • Contracts with service providers. The Act requires regulated entities to enter binding contracts with service providers that prescribe how such providers may process and the actions it may take regarding consumer health data. If a service provider fails to adhere to these contractual obligations, it will be considered a regulated entity subject to the Act.
  • Prohibition on geofencing. The Act also disallows any person from implementing a geofence around in-person healthcare service, whether the geofence is used to identify, track, collect data from, or notify someone entering the perimeter.

Enforcement and Private Right of Action

Violations of the Act are defined as unfair trade practices that are subject to enforcement under Washington’s Consumer Protection Act. The Attorney General can bring enforcement actions, as can private parties (i.e., there is a private right of action).

Given the breadth of obligations and the imminent effective date, companies should waste no time determining whether they will be subject to the Act and, if so, taking measures to ensure that an appropriate compliance program is in place.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Sheri Porath Rockwell

Century City

sheri.rockwell@sidley.com

Lauren Kitces

Washington, D.C.

lkitces@sidley.com

Carly R. Owens

New York

cowens@sidley.com

You might also like
EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs

On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).Comments are due by May 28, 2024.