Washington’s My Health My Data Act (“HB 1155” or the “Act”), which would expand privacy protections for the health data of Washington consumers, recently passed the state Senate after advancing through the state House of Representatives.  Provided that the House approves the Senate’s amendments, the Act could head to the governor’s desk for signature in the coming days and become law.  The Act was introduced in response to the United States Supreme Court’s Dobbs decision overturning Roe v. Wade.   If enacted, the Act could dramatically affect how companies treat the health data of Washington residents. 

This blog post summarizes a few key takeaways in the statute.

Scope

HB 1155 is broad and would impact businesses and information that may not otherwise be regulated under other state consumer or medical privacy laws.  The Act generally applies to “regulated entities,” defined to include any legal entity that (1) conducts business in the state of Washington or produces or provides services targeted to Washington consumers, and (2) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of “consumer health data.”  Unlike other state consumer privacy laws, the Act does not contain any thresholds based on revenue or number of affected consumers.  The Act’s restrictions on “geofencing,” described in more detail below, apply to persons more broadly.

The Act defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer’s past, present, or future physical or mental health.”  The Act provides a number of examples of what could constitute consumer health data, including gender-affirming care information, reproductive or sexual health information, and certain biometric and genetic data.

Consumer Rights 

The Act provides consumers with rights to (1) confirm whether the regulated entity collects, shares, or sells the consumer’s health data and access to that data, including a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and an active email address or other online mechanism that the consumer can use to contact the third parties; (2) withdraw consent from the collection and sharing of their health data (where such consent is required to collect and share, per the discussion below); and (3) request that their consumer health data be deleted.  HB 1155 defines “consumers” as natural persons who are Washington residents or whose consumer health data is collected in Washington, and includes persons identified through “unique identifiers.”  Although the term “unique identifier” is not defined, the Act suggests that it may include cookie identifiers, IP addresses, and device identifiers.  The term “consumer” does not apply to individuals acting in an employment context.

Regulated Entity Obligations

The Act places a number of obligations on regulated entities, including to:

  • Maintain a consumer health data privacy policy.  The Act requires regulated entities to maintain a link to a “consumer health data privacy policy” on their homepages. The policy must clearly and conspicuously disclose (1) the categories of consumer health data collected and the purpose of collection, including how the data will be used; (2) the categories of sources of the consumer health data; (3) the categories of consumer health data that is shared; (4) a list of the categories of third parties and specific affiliates with whom the regulated entity shares consumer health data; and (5) how consumers can exercise their rights.  The Act does not specify whether this policy is meant to be separate from an entity’s more general consumer privacy notice.
  • Restrict their collection and sharing of consumer health data.  HB 1155 prohibits regulated entities from collecting or sharing consumer health data without consumer consent, unless such collection or sharing is necessary to provide a product or service that the consumer has requested from the regulated entity.  Notably, the consent to share must be “separate and distinct from the consent obtained to collect consumer health data.”
  • Provide consumers with rights regarding their consumer health data.  HB 1155 requires regulated entities to provide consumers with the aforementioned health data rights.
  • Restrict access to consumer health data and maintain appropriate data security measures.  The Act requires regulated entities to restrict access to consumer health data only to those individuals for which access is necessary to (1) further the purposes for which the consumer provided consent, or (2) provide the requested product or service.  Regulated entities are also required to implement reasonable data security measures to protect consumer health data that are “appropriate to the volume and nature of the personal data at issue.”
  • Implement data processing agreements with processors.  HB 1155 requires regulated entities to enter into data processing agreements with processors that set forth the processing instructions and limit the actions the processor may take with respect to consumer health data.
  • Not sell consumer health data without the consumer’s valid authorization.  HB 1155 makes it unlawful for any person to “sell or offer to sell” consumer health data without a valid authorization signed by the consumer.  The Act defines “sell” to include the sharing of consumer health data “for monetary or other valuable consideration.”  Under the Act, a valid authorization must be written in plain language and state (1) what specific consumer health data is being sold, (2) the contact information of the seller, (3) the name and contact information of the purchaser, (4) the purpose of the sale including how the sold data will gathered and used by the purchaser, (5) the fact that goods and services cannot be conditioned on the signing of the authorization, (6) the consumer’s right to revoke the authorization, (7) the fact that the consumer’s information may be re-disclosed by the purchaser and no longer be protected by the Act, and (8) an expiration date not more than one year from when the consumer signs the valid authorization.
  • Not implement “geofencing” in certain situations.  HB 1155 prohibits any person (not only regulated entities) from implementing geofencing around any entity that provides in-person health care services when the geofence is used to (1) identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to the consumers related to their consumer health data or health care services.  HB 1155 defines “geofencing” as “technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wifi data, and/or any other form of location detection to establish a virtual boundary around a specific physical location,” and “geofence” means “a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.”

Exemptions

Among other exemptions, HB 1155 would exempt protected health information under HIPAA, patient identifying information under 42 C.F.R. Part 2, certain research information, and information de-identified in accordance with HIPAA.  HB 1155 further states that its obligations are not intended to restrict a regulated entity’s ability to “prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.”  Unlike other state consumer privacy laws, the Act does not set forth an explicit exemption for cooperating with law enforcement agencies or complying with certain legal inquiries, investigations, subpoenas, or summons.

Enforcement and Private Right of Action

HB 1155 grants the state Attorney General enforcement authority and provides that a violation of the Act would constitute an unfair or deceptive act under the state’s consumer protection laws.  In addition, HB 1155 contains a broad private right of action that allows consumers to seek damages under the state’s general consumer protection laws for Act violations.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Anna D. Kraus Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience…

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Photo of Olivia Vega Olivia Vega

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and…

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and state privacy and data security laws and regulations, including on topics such as HIPAA, California’s Confidentiality of Medical Information Act, and the California Consumer Privacy Act. In addition, Olivia maintains an active pro bono practice.