On April 5, 2023, the My Health My Data Act was passed by the Washington State Senate, having been passed by the House of Representatives a month earlier. The My Health My Data Act, also known as House Bill 1155, provides stronger privacy protections for consumers in relation to their personal health data and places strict requirements on businesses that collect, share, or sell consumer health data.
In particular, the My Health My Data Act outlines a broad definition of consumer health data, provides a range of consumer rights, defines strict conditions for valid consent, and provides an extensive private right of action, among other things. Keep reading to learn more about the key provisions of the Bill and steps you can take in preparation for when the Washington My Health My Data Act is signed into law.
What is the My Health My Data Act?
The My Health My Data Act is a privacy bill in the state of Washington that is concerned with the protection of consumers’ personal health data. The Bill is awaiting its final passage through the Washington state legislature before being put on the Governor’s desk for signature.
The Bill aims to provide heightened protection for the health data of Washington residents and will require businesses, in particular those not covered by the Health Insurance Portability and Accountability Act (HIPAA), to make additional disclosures about their use of personal health data. The Act also aims to empower consumers with additional rights in relation to their health data, including the right to have their health data deleted, among others. The Act will prohibit the sale of consumers’ personal health data without first collecting valid consent from the consumer.
Provided the Act receives smooth passage into law, the My Health My Data Act will become effective on March 31, 2024, for enterprise businesses and June 30, 2024, for small to medium enterprises (SMEs).
What are the main requirements of the Act?
Definitions
Consumer health data
Under the My Health My Data Act, “consumer health data” would mean any “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health.”
The Act sets out several types of information that constitute consumer health data including, but not limited to:
- Individual health conditions, treatment, status, diseases, or diagnoses
- Social, psychological, behavioral, and medical interventions
- Health-related surgeries or procedures
- Use or purchase of medication
- Bodily functions, vital signs, symptoms, or measurements of the information described by the Act
- Diagnoses or diagnostic testing, treatment, or medication
- Gender-affirming care information
- Reproductive or sexual health information
- Biometric data related to the information described by the Act
- Genetic data related to the information described by the Act
- Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies
- Any information listed above that is derived or extrapolated from non-health information
Personal information
The Act defines “personal information” as any “information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer.” This includes types of data associated with a unique identifier, such as an IP address, a device identifier, or any other form of persistent unique identifier.
Sell or sale
Similar to other state privacy laws, “sell” or “sale” is defined as the “sharing of consumer health data for monetary or other valuable consideration.”
Share or sharing
Similar to the California Privacy Rights Act (CPRA), the My Health My Data Act defines “share” or “sharing” as to “release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity to a third party or affiliate.”
Regulated entity
A regulated entity is the term used to define which organizations the My Health My Data Act applies to. It means any legal entity that:
- Conducts business in Washington, or
- Produces or provides products or services that are targeted to consumers in Washington
and
- Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data.
The term “regulated entity” does not include government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.
Privacy notices
Regulated entities under the My Health My Data Act will be required to maintain a “consumer health data privacy policy.” This notice should clearly and conspicuously disclose the following information:
- The categories of consumer health data collected
- The purpose for which the data is collected, including how the data will be used
- The categories of sources from which the consumer health data is collected
- The categories of consumer health data that are shared
- A list of the categories of third parties with whom the regulated entity shares the consumer health data
- How a consumer can exercise the rights provided by the Act
A link to a consumer health data privacy policy should be displayed prominently on the homepage of a regulated entity’s web property.
The My Health My Data Act also states that a regulated entity may not collect, use, or share additional categories of consumer health data, or collect, use, or share consumer health data for additional purposes, that have not been disclosed in the consumer health data privacy policy without first disclosing this information and obtaining valid consent before the collection and use of such data.
Processing consumer health data in a manner that isn’t consistent with the regulated entity’s consumer health data privacy notice will be considered a violation of the My Health My Data Act.
Consent
Consent is a key area of compliance under the My Health My Data Act. In fact, regulated entities are prohibited from collecting any consumer health data unless they do so under certain conditions, one of which is with consent from the consumer for a specified purpose.
"Consent" is defined under the My Health My Data Act as “a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement which may include written consent provided by electronic means.” The Act also outlines several actions that do not constitute valid consent such as “hovering over, muting, pausing, or closing a given piece of content.”
The My Health My Data Act requires regulated entities to obtain valid consent prior to the collection of personal health data, and the consent request must be clear and conspicuous. Any consent request must also contain a disclosure that outlines:
- The categories of consumer health data being collected or shared
- The purpose of the collection or sharing of the consumer health data
- The specific ways in which the consumer health data will be used
- The categories of entities with whom the consumer health data is shared
- How the consumer can withdraw consent
Consumer Rights
Regulated entities under the My Health My Data Act will need to be prepared for fulfilling new consumer rights being provided to residents of Washington in relation to their personal health data. Under the Act, consumers will have the following rights:
- The right to confirm processing
- The right to withdraw consent
- The right to deletion
The Act prescribes specific timeframes for responding to consumer requests stating that a regulated entity shall fulfill requests to delete any consumer health data without unreasonable delay and no more than 30 calendar days from authenticating the deletion request. Additionally, regulated entities will be required to respond to the consumer without undue delay, but within 45 days of receipt. This can be extended by an additional 45 days if the request is considered complex.
Although not explicitly listed as consumer rights, individuals also have the right to non-discrimination and the right to appeal decisions made by the regulated entity, and information provided in response to a consumer request must be provided free of charge, up to twice annually per consumer.
Restriction of access
The My Health My Data Act will introduce governance rules relating to access and security of personal health information.
Regulated entities are required to restrict employee, processor, and contractor access to consumer health data to only those individuals who need access to such data to fulfill the purposes for its use that the individual consented to, or to provide a product or service requested by the individual. Regulated entities must also “establish, implement, and maintain administrative, technical, and physical data security practices.” These measures should provide a “reasonable standard” of security that would protect the confidentiality, integrity, and accessibility of consumers’ personal health data.
Penalties for violations
Violations of the My Health My Data Act will be considered an unfair or deceptive act in trade or commerce and an unfair method of competition, meaning that the penalties outlined in the Consumer Protection Act, chapter 19.86 RCW, will apply.
In turn, consumers may also bring a civil action in court to recover the actual damages sustained, together with the costs of the suit, including a reasonable attorney's fee. The court has the discretionary power to increase the award of damages up to an amount three times the actual damages sustained, not exceeding $25,000.
How can businesses prepare and what’s next?
The Bill still has to make its way through the Washington legislature, and the Governor’s signature is required before the My Health My Data Act can be passed into law. However, it is expected that the Act will progress without further amendments and would start to become applicable in March 2024. This gives some businesses that would fall under the definition of a regulated entity less than 12 months to prepare for the Act’s provisions. Here are a few ways you can get a head start.
Data discovery and data mapping exercises will be a sensible starting place. They will help you find all instances of data across your web systems that might fall under the definition of “consumer health data” and apply the correct governance rules to it for compliance with the Act. You must also ensure you have the tools in place to make the correct disclosures at the time of collecting consent. A Consent and Preference Management center will help to track and maintain valid consent and, when linked with an evergreen data map, can flag information that is no longer needed or is no longer fit for purpose. This evergreen data map can also serve as the basis for fulfilling the new consumer rights outlined by the My Health My Data Act within the prescribed timeframes.
Request a demo today to see how the OneTrust Privacy & Data Governance Cloud can help you to prepare for compliance with US state privacy laws including the My Health My Data Act.