On April 5, 2023, the My Health My Data Act was passed by the Washington State Senate having been passed by the House of Representatives a month earlier. The My Health My Data Act, also known as House Bill 1155, provides stronger privacy protections for consumers in relation to their personal health data and places strict requirements on businesses that collect, share, or sell consumer health data.
In particular, the My Health My Data Act outlines a broad definition of consumer health data, provides a range of consumer rights, defines strict conditions for valid consent, and provides an extensive private right of action, among other things. Keep reading to learn more about the key provisions of the Bill and steps you can take in preparation for when the Washington My Health My Data Act is signed into law.
The My Health My Data Act is a privacy bill in the state of Washington that is concerned with the protection of consumers’ personal health data. The Bill is awaiting its final passage through the Washington state legislature before being put on the Governor’s desk for signature.
The Bill aims to provide heightened protection for the health data of Washington residents and will require businesses, in particular, those not covered by the Heath Insurance Portability and Accountability Act (HIPAA), to make additional disclosures about their use of personal health data. The Act also aims to empower consumers with additional rights in relation to their health data including the right to have their health data deleted, among others. The Act will prohibit the sale of consumers’ personal health data without first collecting valid consent from the consumer.
Provided the Act receives smooth passage into law, the My Health My Data Act will become effective on March 31, 2024, for enterprise businesses and June 30, 2024, for small to medium enterprises (SMEs).
Consumer health data
Under the My Health My Data Act, “consumer health data” would mean any “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health.”
The Act sets out several types of information that constitute consumer health data including, but not limited to:
The Act defines “personal information” as any “information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer.” This includes types of data associated with a unique identifier, such as an IP address, a device identifier, or any other form of persistent unique identifier.
Sell or sale
Similar to other state privacy laws, “sell” or “sale” is defined as the “sharing of consumer health data for monetary or other valuable consideration.”
Share or sharing
Similar to the California Privacy Rights Act (CPRA), the My Health My Data Act defines “share” or “sharing” as to “release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity to a third party or affiliate.”
A regulated entity is the term used to define which organizations the My Health My Data Act applies to. It means any legal entity that:
The term “regulated entity” does not include government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.
Processing consumer health data in a manner that isn’t consistent with the regulated entity’s consumer health data privacy notice will be considered a violation of the My Health My Data Act.
Consent is a key area of compliance under the My Health My Data Act. In fact, regulated entities are prohibited from collecting any consumer health data unless they do so under certain conditions, one of which is with consent from the consumer for a specified purpose.
"Consent" is defined under the My Health My Data Act as “a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement which may include written consent provided by electronic means.” The Act also outlines several actions that do not constitute valid consent such as “hovering over, muting, pausing, or closing a given piece of content.”
The My Health My Data Act requires regulated entities to obtain valid consent prior to the collection of personal health data and must request consent clear and conspicuous. Any consent request must also contain a disclosure that outlines:
Regulated entities under the My Health My Data Act will need to be prepared for fulfilling new consumer rights being provided to residents of Washington in relation to their personal health data. Under the Act, consumers will have the following rights:
The Act prescribes specific timeframes for responding to consumer requests stating that a regulated entity shall fulfill requests to delete any consumer health data without unreasonable delay and no more than 30 calendar days from authenticating the deletion request. Additionally, regulated entities will be required to respond to the consumer without undue delay, but within 45 days of receipt. This can be extended by an additional 45 days if the request is considered complex.
Although not explicitly listed as consumer rights, individuals also have the right the non-discrimination and the right to appeal decisions made by the regulated entity, and information provided in response to a consumer request must be provided free of charge, up to twice annually per consumer.
Restriction of access
The My Health My Data Act will introduce governance rules relating to access and security of personal health information.
Regulated entities are required to restrict employee, processor, and contractor access to consumer health data only to individuals that need access to such data to fulfill the purposes for its use that the individual consented to or to provide a product or service requested by the individual. Regulated entities must also “establish, implement, and maintain administrative, technical, and physical data security practices.” These measures should provide a “reasonable standard” of security to that would protect the confidentiality, integrity, and accessibility of consumers’ personal health data.
Penalties for violations
Violations of the My Health My Data Act will be considered an unfair or deceptive act in trade or commerce and an unfair method of competition meaning that the penalties outlined in the consumer protection act, chapter 19.86 RCW will apply.
In turn, consumers may also bring a civil action in court to recover the actual damages sustained, together with the costs of the suit, including a reasonable attorney's fee. The court has the discretionary power to increase the award of damages up to an amount three times the actual damages sustained not exceeding $25,000.
The Bill is still to make its way through the Washington legislature and the Governor’s signature is required before the My Health My Data Act can be passed into law. However, it is expected that the Act will progress without further amendments and would start to become applicable in March 2024. This gives some businesses that would fall under the definition of a regulated entity less than 12 months to prepare for the Act’s provisions. Here are a few ways you can get a head start.
Data discovery and data mapping exercises will be a sensible starting place and will help you to find all instances of data from across your web systems that might fall under the definition of “consumer health data” and applying the correct governance rules to it for compliance with the Act. You must also ensure you have the tools in place to be able to make the correct disclosures at the time of collecting consent. A Consent and Preference Management center will help to track and maintain valid consent and, when linked with an evergreen data map, can flag information that is no longer needed or is no longer fit for purpose. This evergreen data map can also serve as the basis for fulfilling the new consumer rights outlined by the My Health My Data Act within the prescribed timeframes.