My Health, My Data: Washington Enacts First State Comprehensive Health Privacy Law
The sweeping law imposes new requirements on the processing and sale of consumer health data in the state.
On April 27, 2023, Washington Governor Jay Inslee signed the "My Health My Data Act" ("Act"), the first comprehensive state law devoted to consumer health data privacy. Most of the Act takes effect March 31, 2024 (June 30, 2024 for small businesses), although its geofencing prohibition took effect earlier, on July 23, 2023. The Act imposes new requirements on the collection, processing, sharing, and sale of consumer health data in the state.
The Act exempts protected health information governed by HIPAA, but the exemption attaches to the data rather than to the organization: a HIPAA covered entity's consumer health data that is not PHI remains in scope. Otherwise the Act applies broadly to any "regulated entity," meaning a legal entity that (1) conducts business in Washington, or produces or provides products or services targeted to consumers in Washington, and (2) alone or jointly with others determines the purpose and means of collecting, processing, sharing, or selling "consumer health data." There is no exemption for nonprofit organizations and generally no threshold for applicability based on revenue or number of consumers within the state.
The Act defines "consumer" broadly to cover not only Washington residents but also any natural person "whose consumer health data is collected in Washington," provided the person is acting in an individual or household context rather than an employment context. "Consumer health data" is likewise broad: personal information that is linked, or reasonably linkable, to a consumer and that identifies the consumer's past, present, or future physical or mental health status. The definition expressly includes, among other things, biometric data, gender-affirming care information, reproductive or sexual health information, health data inferred or derived from non-health information (including by algorithms or machine learning), and "[p]recise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies."
The Act requires regulated entities, among other things, to:
- Publish a consumer health data privacy policy;
- Obtain consumers' affirmative consent before collecting or sharing consumer health data, unless the collection or sharing is necessary to provide a product or service the consumer has requested (consent to share must be obtained separately from consent to collect);
- Provide consumers with the rights to confirm whether their consumer health data is being collected or shared, to access it (including a list of the third parties with whom it has been shared), to withdraw consent, and to have it deleted;
- Restrict internal access to consumer health data to those employees, processors, and contractors who need it, and maintain reasonable administrative, technical, and physical data security practices; and
- Enter into a binding written contract with each processor setting out the processing instructions and limiting the processor's use of consumer health data.
In addition, the Act makes it unlawful for any person or entity to:
- Sell or offer to sell consumer health data without first obtaining a valid authorization signed by the consumer, which is separate from the consent required for collection and sharing and expires after one year; or
- Implement a geofence (a virtual boundary of 2,000 feet or less) around an entity that provides in-person health care services, where the geofence is used to identify or track consumers seeking health care services, collect their consumer health data, or send them notifications, messages, or advertisements related to their consumer health data or health care services.
A violation of the Act is a per se violation of the Washington Consumer Protection Act and is enforceable by the attorney general. Because the Consumer Protection Act also permits private suits, consumers can sue to enforce the Act, which in effect gives it a private right of action.