Insights

My_Health_My_Data_Washington_Enacts_First_230045

My Health, My Data: Washington Enacts First State Comprehensive Health Privacy Law

The sweeping law imposes new requirements on the processing and sale of consumer health data in the state.

On April 27, 2023, Washington State Governor Inslee signed the "My Health My Data Act" ("Act"). This Act marks the first state comprehensive consumer health information privacy law. This first-of-its-kind state law becomes effective March 31, 2024, and will impose new requirements on the processing and sale of consumer health data in the state.

The Act does not apply to entities regulated under HIPAA; however, it will broadly apply to legal entities that conduct business in Washington, produce or provide products or services to Washington consumers, and determine the purpose and means of collecting, processing, sharing, or selling "consumer health data." There is no exemption for nonprofit organizations and generally no threshold for applicability based on revenue or number of consumers within the state.

The Act broadly defines consumers to include not only individuals in Washington, but also any person "whose consumer health data is collected in Washington." The Act also broadly applies to "consumer health data" defined as personal information that is linked, or reasonably linkable, to a consumer and that identifies the consumer's physical or mental health status. This definition includes, among other things, biometric data, gender-affirming care information, reproductive or sexual health information, health data derived from non-health information that can identify a consumer, and "[p]recise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies." 

The Act requires regulated entities, among other things, to:

  • Publish a consumer health data privacy policy;
  • Obtain consumers' affirmative consent before collecting or sharing consumer health data;
  • Provide consumers with certain rights regarding their consumer health data;
  • Maintain reasonable data security practices; and
  • Enter into a written contract with processors relating to their use of consumer health data.

 In addition, the Act makes it unlawful for any person or entity to:

  • Sell consumer health data without first obtaining the consumer's authorization; or
  • Implement a geofence around an entity that provides in-person health care services to identify or track consumers seeking health care services, collect consumer health data, or send notifications to consumers related to their consumer health data or health care services.

Violations of this Act are enforceable by the attorney general under the Washington Consumer Protection Act. The Act also provides a private right of action under which consumers can sue to enforce the Act.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.