Washington is poised to pass legislation that would implement substantive changes to consumer health data protections in the state, and potentially beyond.
House Bill 1155, the My Health My Data Act, would grant consumers the right to access, delete and withdraw consent from the collection, sharing or sale of their health data and includes express consent requirements for collecting, sharing and selling consumer health information. It would require companies to implement a detailed health data policy and prohibit implementing a geofence around a facility providing in-person health care services.
But perhaps most notably, it establishes a private right of action for violations, enforceable under Washington's Consumer Protection Act.
"The My Health My Data Act would be the first law of its kind in the U.S. to take a comprehensive approach to the protection of consumer health information and, like the California Consumer Privacy Act, could inspire the adoption of similar legislation in other states," Future of Privacy Forum Policy Fellow Felicity Slater said. "Furthermore, the My Health My Data Act would be the first significant sectoral state privacy framework to include a private right of action since the adoption of the Illinois Biometric Information Privacy Act in 2008."
The bill passed the Senate with amendments in a 27-21 vote 5 April and returns to the House — where it passed 4 March — for concurrence. If accepted by the House, it then moves on to Gov. Jay Inslee for final action.
If passed, most sections of the bill would take effect 31 March 2024, while the geofencing prohibition would go into effect 90 days after the bill's passage.
My Health My Data Act's broad scope
"Information related to an individual’s health conditions or attempts to obtain health care services is among the most personal and sensitive categories of data collected. Washingtonians expect that their health data is protected under laws like the Health Information Portability and Accountability Act," the bill states. "However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections. This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers' health data."
In addition to protecting private health care data not currently covered by HIPAA, ACLU of Washington Technology and Liberty Project Manager Jennifer Lee said the bill "will reduce barriers to abortion and gender-affirming health care access."
But Hintze Law Partner Mike Hintze, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, said the act goes "far broader than just regulating health data" with definitions that "make it potentially applicable to nearly any type of personal data," "substantive requirements unlike any other privacy law," and "unprecedented obligations." He said it requires opt-in consent for "many common, and benign and beneficial, data uses," notice requirements including a separate "and redundant" privacy notice, and deletion requirements "with virtually no exceptions."
The bill covers any entity that conducts business in Washington state or that sells products or services there.
Slater said many of the bill's definitions — including "consumer health data," "biometric data" and "health care service" — appear significantly broader than definitions within other federal and state privacy laws, "meaning that the bill might apply to many companies that do not currently consider themselves to collect or process health information."
Digital health platform Evidation Health Head of Privacy Lauren Wu, CIPP/US, who spoke on her own behalf, said the bill's "fairly broad" definitions "may bring into scope data and processing activities that likely were not intended to be included and would not necessarily result in additional protection for these more sensitive categories of health data."
Wu noted health data, including associated demographic data, is essential to "the development of potentially life saving and quality of life improving innovation." While the My Health My Data Act seems to include exemptions, including for certain research and data already regulated under other laws and regulations like HIPAA, she said those exceptions are "limited" and "apply only at the data — and not entity — level."
"These exemptions are generally insufficient to avoid potentially negative impacts to health-related research and innovation," she said.
In particular, she said regulated entities will have just 30 days to comply with data deletion requirements and will no longer be able to decline, or delay, deletion requests for legitimate purposes, like meeting certain legally required record keeping and retention requirements.
Adaptive Biotechnologies Head of Privacy Alea Garbagnati, CIPP/US, speaking on her own behalf, said regulated companies are required to retain data for a period of time, which can span years to decades under requirements by the U.S. Food and Drug Administration, the Clinical Laboratory Improvement Amendments, and others.
"If we can’t rely on exemptions and there are no exceptions to these deletion requests, then we are going to be in a place where it's like which law do we want to comply with, and that's not a good position to put any company in when both laws are intended to do something good," she said.
Adding 'additional complexity' to the regulatory environment
Consumers could sue for violations of the My Health My Data Act under Washington's Consumer Protection Act. If plaintiffs can prove injury, they could receive up to treble damages.
"This bill will be a boon for compliance attorneys, litigation departments, and most of all, trial lawyers. Unfortunately, its overbreadth may well mean that notifications for collecting and sharing truly sensitive reproductive health and gender-affirming care data get lost in the shuffle of opt-in notifications for innocuous, everyday transactions," said Mariner Strategies President Andrew Kingman, who advocated on behalf of the business industry during the drafting process.
Without the private right of action, Hintze said the bill's "broad definitions and vague language" would be "far less concerning."
"Companies could put some faith in the attorney general exercising judgment and discretion to pursue bad actors and enforcement actions designed to further the stated objectives of the legislation," he said. "However, the incentives for plaintiffs' lawyers are far different, where they will look for technical violations, 'gotcha' claims, and cases that are most likely to result in a quick settlement and easy payday."
With the ever-evolving state privacy legislative landscape, Goodwin Procter Partner and IAPP Westin Emeritus Fellow Omer Tene said a law with a private right of action, once in place and enforced, could "create pressure on Congress to act" on federal legislation. The My Health My Data Act, he said, will add to the "regulatory maze that companies need to navigate, including the multiplication of state laws and FTC enforcement actions."
"Many companies respond to BIPA by staying out of Illinois. Obviously, that strategy loses momentum as additional states introduce a private right of action," he said.
Wu said the My Health My Data Act "adds additional complexity to an already difficult to navigate legal and regulatory environment, making it more challenging and increasingly burdensome for companies to comply." This, she said, ultimately has a negative impact on consumers.
"The result of the continued expansion of the patchwork of privacy laws in the U.S. is likely that consumers may become less informed, less engaged, and less empowered as privacy notices become ever more complicated and filled with legalese, consent forms become more confusing, too numerous, or unnecessarily voluminous, and processes for consumers to effect their data-related requests become more cumbersome," she said.
As the Washington bill seems likely to pass in the coming days, Wu said it is "essential that companies find ways to protect these types of health data, be transparent with consumers about the company’s data practices and data usage, and ensure that individuals are easily able to exercise control over their own data, especially when it involves sensitive health data."