Washington is poised to pass legislation that will introduce significant changes to the protection of health data for consumers in the state and potentially beyond.
House Bill 1155, the My Health and My Data Act, would provide consumers with the right to access, delete, and withdraw consent to the collection, sharing, or sale of their health data and include requirements for express consent to the collection, sharing, and sale of consumer health information. This would require companies to implement a detailed health data policy and prohibit geofencing around a facility providing personal health services.
But perhaps most notably, it establishes a private right of action for infringements enforceable under Washington’s Consumer Protection Act.
“The My Health My Data Act would be the first law of its kind in the U.S. to take a comprehensive approach to protecting consumer health information and, like California’s Consumer Privacy Act, could inspire the adoption of similar legislation in other states,” said Felicity Slater, policy fellow at the Future of Privacy Forum. “Additionally, the My Health My Data Act would be the first significant sector-wide state privacy framework to include a private right of action since the passage of the Illinois Biometric Information Privacy Act in 2008.”
The bill passed the Senate with amendments on a 27-21 vote on April 5 and returns to the House – where it passed on March 4 – for approval. If passed by the House, it goes to Gov. Jay Inslee for final action.
If passed, most sections of the bill would go into effect on March 31, 2024, while the geofencing ban would go into effect 90 days after the bill’s passage.
My Health My Data across the board
“Information related to an individual’s health status or attempts to obtain health care services is among the most personal and sensitive categories of data collected. Washingtonians expect that their health information is protected under laws such as the Health Insurance Portability and Accountability Act,” the bill states. “However, HIPAA only covers health data collected by specific health care institutions, including most health care providers. Health data collected from non-covered individuals, including certain apps and websites, does not enjoy the same protections. This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all consumer health data in Washington.”
In addition to protecting private health data not currently covered by HIPAA, ACLU of Washington Technology and Liberty Project Manager Jennifer Lee said the bill would “reduce barriers to abortion and access to gender-affirming health care.”
But Hintze Law partner Mike Hintze, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, said the act is “far broader than just regulating health data,” with definitions that “make it potentially applicable to almost any type of personal data,” “substantial requirements different from any other privacy law” and “unprecedented obligations.” He said it requires opt-in consent for “very common and benign and beneficial uses of data,” notice requirements including a separate “and redundant” privacy notice, and erasure requirements “with virtually no exceptions.”
The bill covers any entity that does business in Washington state or that sells products or services there.
Slater said many of the definitions in the bill — including “consumer health data,” “biometric data” and “health service” — appear to be significantly broader than definitions in other federal and state privacy laws, “which means that the bill may apply to many companies that do not currently believe they collect or process health information.”
Digital health platform Evidation Health Chief Privacy Officer Lauren Wu, CIPP/US, speaking on her own behalf, said the bill’s “quite broad” definitions “may bring into scope data and processing activities that may not have been intended to be included and will not necessarily result in additional protection for these more sensitive categories of health data.”
Wu noted that health data, including related demographic data, is essential to “the development of potentially life-saving and quality-of-life-enhancing innovations.” Although the My Health My Data Act appears to include exemptions, including for certain research and for data already governed by other laws and regulations such as HIPAA, she said those exemptions are “limited” and “apply only at the data level, and not at the level of a legal entity.”
“These exemptions are generally insufficient to avoid potentially negative impacts on health-related research and innovation,” she said.
In particular, she said that regulated entities will have only 30 days to comply with data erasure requirements and will no longer be able to refuse or delay erasure requests for legitimate purposes, such as meeting certain legal requirements for record keeping and retention.
Adaptive Biotech’s Chief Privacy Officer, Alea Garbagnati, CIPP/US, speaking on her own behalf, said regulated companies are required to retain data for periods that can span years to decades under U.S. Food and Drug Administration requirements, the Clinical Laboratory Improvement Amendments and others.
“If we can’t rely on exceptions, and there are no exceptions to these takedown requests, then we’re going to be in a place where it depends on which law we want to comply with, and that’s not a good position to put any company in when both laws are aimed at doing something good,” she said.
Adding “extra complexity” to the regulatory environment
Consumers can sue for violations of the My Health and My Data Act under the Washington Consumer Protection Act. If plaintiffs can prove an injury, they can receive up to treble damages.
“This bill will benefit compliance attorneys, litigation departments, and most importantly, trial attorneys. Unfortunately, its overreach can mean that notices to collect and share truly sensitive data about reproductive health and gender-affirming care get lost in the shuffle of opt-in notices for innocuous, everyday transactions,” said Mariner Strategies president Andrew Kingman, who advocated on behalf of the business industry during the drafting process.
Without the private right of action, Hintze said the bill’s “broad definitions and vague language” would be “far less troubling.”
“Companies could trust the attorney general to exercise discretion to pursue bad actors and enforcement actions designed to achieve the stated goals of the legislation,” he said. “However, the incentives for plaintiffs’ attorneys are far different, where they will pursue technical violations, ‘gotcha’ claims, and cases most likely to result in a quick settlement and easy payment.”
With the ever-evolving state legislative privacy landscape, Goodwin Procter partner and IAPP Westin Honorary Fellow Omer Tene said that a private right of action law, once introduced and implemented, could “put pressure on Congress to act” on federal law. The My Health My Data Act, he said, would add to the “regulatory maze that companies must navigate, including the proliferation of state laws and FTC enforcement actions.”
“Many companies are complying with BIPA by staying out of Illinois. Clearly, this strategy is losing momentum as additional states introduce private rights of action,” he said.
Wu said the My Health My Data Act “adds additional complexity to an already difficult-to-navigate legal and regulatory environment, making it more challenging and increasingly burdensome for companies to comply.” This, she said, ultimately has a negative impact on consumers.
“The result of the continued expansion of the patchwork of privacy laws in the US is that consumers are likely to become less informed, less engaged and less empowered as privacy notices become more complex and regulatory-laden, forms for consent also become more confusing, numerous or unnecessarily bulky, and the processes for consumers to fulfill their data-related requests become more cumbersome,” she said.
With the Washington bill looking likely to pass in the coming days, Wu said it’s “essential that companies find ways to protect these types of health data, be transparent with consumers about the company’s data practices and data usage, and to ensure that people can easily exercise control over their own data, especially when it comes to sensitive health data.”