Washington State lawmakers have passed the most consequential privacy legislation in the country since the California Consumer Privacy Act (CCPA) was adopted in 2018, and it will soon require businesses to take significant action to stay in compliance.
The Washington Senate voted to approve the My Health My Data Act on April 5 after the House passed a similar bill in March. Once the two bills are reconciled, Gov. Jay Inslee is likely to sign it into law, expanding privacy rights for medical information and extending employer obligations well beyond the federal HIPAA law.
HIPAA covers only a narrow set of entities, chiefly health providers and others in the healthcare sector. Washington's law goes further than HIPAA and applies broadly to "regulated entities." This is defined as any legal entity that:
- Conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington.
- Collects, shares, or sells consumer health data (CHD).
- Determines the purpose and means of the processing of CHD.
The Washington law protects CHD, defined as any information that links or reasonably links a consumer to their past, present, or future physical or mental health. This includes information about health conditions, treatment, diagnoses, surgeries, procedures, mental/behavioral health interventions, medication purchase or use, health measurements, gender-affirming care, reproductive and sexual health, biometrics, genetic data, and location data showing a consumer’s attempt to acquire or receive health services.
Location data could include any data showing a consumer’s visit to a grocery store, pharmacy, or e-commerce website selling pharmaceuticals or contraceptives. Protected CHD does not include de-identified information.
The Washington law protects people who reside in Washington or whose health data is collected in Washington. As Washington is a major hub for cloud data storage, this definition could encompass many entities whose only connection to the state is the presence of their data on Washington-based cloud platforms.
The law’s definition of consumers excludes consumers acting in their capacity as employees. It is unclear at this time how a court will decide when a consumer has provided CHD purely as a consumer and when they have done so as an employee. It is also undetermined how this exclusion will affect an employer’s liability when the employer acquires an employee’s CHD from a regulated entity.
Any consumer injured by a violation of the state law can sue under the Washington Consumer Protection Act. The Washington Attorney General also may sue to enforce the law.
A regulated entity must maintain and publish a consumer health data privacy policy on its internet homepage that discloses:
- The categories of consumer health data the entity collects.
- The purpose of collection.
- The use of collected data.
- The sources of collection.
- The categories of data that may be shared.
- The entities with whom data may be shared.
- A consumer’s rights under the law.
Before collecting, using, or sharing CHD in any manner not disclosed in its own policy, a regulated entity must first inform consumers and obtain their affirmative opt-in consent. More generally, regulated entities must obtain a consumer's affirmative opt-in consent before collecting CHD, preferably in writing. Consumers may revoke this consent at any time.
The law provides several exceptions. Consent is not required when a regulated entity must collect CHD to provide a requested service or product, to detect or respond to security incidents, or to identify illegal activity.
Upon request from a consumer, regulated entities must confirm whether they are collecting CHD and allow the consumer to access their own CHD within 45 days.
Sharing Consumer Data
A regulated entity can only share CHD internally with employees or processors on a need-to-know basis, consistent with the stated purpose for which the CHD was collected.
Regulated entities will only be able to share CHD externally with the consumer’s specific consent. The law includes exceptions where necessary to provide a requested product or service, or for security and safety.
Regulated entities can share CHD based on opt-in consent in various reasonable forms, but they must have written consent before selling that CHD. That written consent must identify the CHD at issue, the name and online contact information for both buyer and seller, the purpose of the sale, the buyer’s intended use of the data, a statement that provision of goods and services is not conditional on the consumer granting consent, and a statement that the CHD may be redisclosed by the buyer to third parties without the protection of the law.
Such written consent is valid for one year, and the consumer may revoke it at any time. Regulated entities must retain copies of written consent for six years from the date of signature, or when the consent was last effective, whichever is later.
Consumers may request confirmation of whether a regulated entity is selling or sharing their CHD, and the regulated entity must respond within 45 days.
The law includes a "right to be forgotten" broader than any counterpart elsewhere. Consumers have the right to ask regulated entities to delete their CHD without limitation. The law's broad deletion requirements may put regulated entities in a bind when a consumer requests deletion of CHD that the entity is legally obligated to retain.
Facing a deletion request, regulated entities will have 30 days to comply, unless they can show that deletion would require restoring backup systems, which may take longer. In complying with deletion requests, regulated entities must also direct any third parties who received the relevant data to delete it, so these requirements should be laid out in contracts with third parties.
Assuming Inslee signs the law, its current effective date is unclear. While some commentators have speculated that it could come into force in March 2024, the bill itself includes no effective date. It could come into effect as soon as July 22.
Next Steps
We recommend you spend the next few months considering the following action steps:
- Review and revise your internet privacy policies.
- Review or develop your opt-in procedures.
- Implement annual consent reminders for data sales.
- Implement procedures to delete CHD upon request.
- Review your recordkeeping obligations and decide in advance how to handle deletion requests for CHD you are legally required to retain.
- Review where your CHD is stored, as well as who processes it and how.
Jeremy F. Wood is an attorney with Fisher Phillips in Seattle. Annie Ziesing is an attorney with Fisher Phillips in New York City. © 2023. All rights reserved. Reprinted with permission.