A breakdown of Washington’s new health data act.

Last Updated: April 2023

Navigate by topic

Evergreen health data protections

On 27 April, Gov. Jay Inslee, D.-Wash, signed the My Health My Data Act, which aims to "close the gap" between current industry practices and consumers’ understanding of how their health data is collected, stored and transferred. The votes in the legislature to pass the law fell largely along party lines in both the House and Senate, with almost all Democratic lawmakers voting in favor. According to the law's primary sponsor Rep. Vandana Slatter, D-Wash., it is "part of a comprehensive pack of legislation from House Democrats" that responds to the U.S. Supreme Court decision in Dobbs v. Jackson Women's Health Organization and protects Washingtonians’ health privacy, especially for reproductive health care. This law reflects health data-focused trends in other states, such as California’s introduced amendment to the California Consumer Privacy Act and New York’s introduced bill, which both aim to provide more data privacy protections for health data outside the scope of the Health Insurance Portability and Accountability Act.

The consent-driven law essentially requires one of two possible legal bases for processing health-related data: consent or necessity. Either consent or necessity is required for collection and any processing of any consumer health data, and a regulated entity must obtain separate consent or meet the same necessity standard to share the data. Further, selling it requires a special written and signed authorization from the consumer. The definitions of consumer, covered data and health care services are broad, bringing a wide spectrum of data and entities into the scope of the MHMDA. The breadth of relevant data is important for businesses because the law recognizes a private right of action for consumers to sue companies for violating any provision of the act.

Scope

Entities

Similar to controllers under EU General Data Protection Regulation, the MHMDA applies to any legal entity that conducts business in the state, or targets products or services to Washington consumers, and determines the purpose and means of collecting, processing, sharing or selling consumer health data. Unlike in all comprehensive U.S. state privacy laws, there is no minimum number of data subjects or revenue threshold to fall within its scope. Because the law covers any consumer whose data is collected in Washington, it will likely cover non-Washington residents who interact with Washington businesses. Also unique, all requirements of the MHMDA apply to small businesses, defined based on total revenue and the number of Washington consumers whose data the organization processes, though small businesses have a three-month extension to reach compliance with most of the act's provisions. Government agencies, tribal nations and contracted service providers that process consumer health data on behalf of government agencies are not included in the scope of this law. Organizations of all sizes are required to comply with all operative provisions of the law.

Data

The MHMDA’s operative provisions apply to "consumer health data," which has a singularly broad definition: "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status." The act provides a nonexhaustive list of categories that count as "physical or mental health status," such as:

General categories and details

This expansive scope is likely to include many data types falling outside prior definitions of health-related data. Although online behavior such as search queries and browsing histories are explicitly captured only within the definitions of "gender-affirming care information" and "reproductive or sexual health information," the act also stipulates that any "data that identifies a consumer seeking health care services" falls within the scope of consumer health data. Similarly, the final provision in the definition draws into scope any information derived from nonhealth data, such as inferences, proxies or algorithms, used to identify consumers in connection to any of the physical or mental health data points listed in the chart above.

Exclusions

Data and entity exclusions are sprinkled throughout the law, in both the definitions section and a dedicated exclusions section. The definition of personal information categorically excludes deidentified data and publicly available information, although significantly biometric data a business collects from a consumer without their knowledge cannot be considered publicly available information. A "consumer" does not cover an individual acting in an employment context, so employee data and business-to-business data are excluded from the act. And, so long as research is conducted in the public interest and meets defined safeguards, "consumer health data" does not include personal information "used to engage in public or peer-reviewed scientific, historical, or statistical research."

Section 12 specifies data exemptions for HIPAA and other exclusions for medical research, quality assurance testing, public health activities and reporting. Notably, a number of common entity-level exemptions are absent from this act. Finally, the MHMDA does not cover data that falls within scope of the following laws:

• Gramm-Leach-Bliley Act
• Social Security Act, title XI
• Fair Credit Reporting Act
• Family Educational Rights and Privacy Act

Consumer rights

Washington’s legislature has yet to pass a comprehensive data privacy bill, but this act gives consumers a set of data rights that appears more expansive than typical sectoral laws. Under the MHMDA, consumers have a right to access their consumer health data and receive a list of all third parties and affiliates — including contact information — who receive their individual data from the regulated entity. Washington consumers also have a right to withdraw their consent from an entity collecting and sharing their health data. Similar to other state privacy laws, consumers have the right to delete. If a consumer requests to have their health data deleted, the regulated entity must also delete it from archives and backups, and notify all affiliates and third parties, who must honor the deletion request as well. It is unclear whether noncompliance with this deletion provision would lead to mandated algorithmic disgorgement, as seen in the Federal Trade Commission’s actions against Everalbum and Weight Watchers. In these cases, the entity under enforcement had to delete any work product — including algorithms — that used the data without authorization.

If a consumer exercises any of the above rights, regulated entities have a 45-day compliance window to respond to their requests. However, the act recognizes responding to these requests may take longer than the allotted time. It allows for regulated entities to take an additional 45 days to act on a consumer’s request depending on the "complexity and number of the consumer’s request." This allows for a total of 90 days to respond to a consumer’s request, provided the entity responds to the consumer within the initial 45-day window with updates on the expected timing. Additionally, the act allows a delay of up to six months to complete deletion requests if a regulated entity needs to restore archives or back up systems.

Regulated entity obligations

Transparency

Regulated entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and shared, the categories of sources from which it is collected, the purpose and intended use for the collected data, the categories of third parties and affiliates that receive the data, and how consumers can exercise their rights in accordance with the act.

Purpose limitation

Similar to the "do not sell" provisions in the CCPA and several subsequent comprehensive state privacy laws, regulated entities must publish a prominent link to their consumer health data privacy policy on their homepage. Here, "homepage" is defined as any internet webpage where personal information is collected and a mobile apps' platform page, "about" page or download page. Entities are also barred from collecting, using or sharing consumer health data, or additional categories of such data, for purposes not disclosed in the health data privacy policy without first disclosing the additional purposes and obtaining affirmative consent from the consumer. Processors may process consumer health data pursuant to a binding contract that sets forth processing instructions and limits the actions a processor may take with that data..

Collection and sharing

Regulated entities collect data if they "buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner." This broad definition essentially means most actions intersecting with consumer health data may be considered a collection. Regulated entities cannot collect consumer health data unless they have consent for the specific purpose of collection or require the data to provide a product or service the consumer requested. Entities also may not share consumer health data without separate consent from the consumer for sharing it or to the extent necessary to provide a product or service the consumer requested. In this case, consent must be obtained from the consumer before the collection or sharing of consumer health data, and the request for consumer consent must clearly and conspicuously state the purpose, categories of data collected, used or shared, and how consumers can withdraw consent from future collection or sharing.

Access control

Regulated entities must restrict access to consumer health data internally to only individuals who require access to further the purposes for which the consumer provided consent or, where necessary, to provide a product or service the consumer requested. Entities must also establish, implement and maintain appropriate administrative, technical and physical data security practices that satisfy the reasonable standard of care within the entity's industry to protect the confidentiality, integrity and accessibility of consumer health data in relation to its volume and nature. This provision mirrors the reasonable security standard provisions that address the C-I-A security triad in the six existing comprehensive state privacy laws.

Sale

No entity or person may sell or offer to sell consumer health data without first obtaining signed authorization from a consumer, separate from the previous consent needed to collect or share the data. This authorization must be a document written in plain language containing the specific consumer health data the entity or person intends to sell, the name and contact information of the entity purchasing, collecting and selling the data, the description of the sale's purpose, and the consumer's signature and date. It also requires statements:

• Allowing the consumer to revoke their authorization with a description of how to submit a revocation.
• Forbidding the provision of goods or services to be conditioned on the consumer providing their signed authorization.
• Explaining data sold pursuant to the consumer's valid authorization may be subject to redisclosure and thus may no longer be protected by the act.

Geofencing

The act makes it unlawful for any actual or legal person to utilize a geofence around an entity that provides in-person "health care services"—defined broadly to include "any service provided to a person to assess, measure, improve, or learn about a person's health"—for certain purposes. Geofences may not be used to identify or track consumers seeking health services, collect health data from consumers, or send notifications, messages or ads to consumers related to their health data or services received. The act defines a geofence as technology that uses GPS coordinates, cell tower data, Wi-Fi data, or other forms of spatial or location data to create a virtual boundary up to 2,000 feet from the perimeter of a physical location or to locate a consumer within such virtual boundary.

Enforcement

As is the norm with state laws, Washington’s office of the attorney general may enforce violations through the state's Consumer Protection Act, which also provides consumers with a private right of action to seek damages for violations. Under the Consumer Protection Act, consumers must prove five elements to prevail in a private suit: the business committed an unfair or deceptive act or practice, the practice occurred in trade or commerce, there was public interest impact, the consumer suffered injury to their business or property and the practice caused the injury. Although the MHMDA makes it clear the attorney general can skip the first three elements, it specifies consumers suing a company on their own "must establish all required elements." If plaintiffs can meet this standard, they may receive up to treble damages with a predetermined cap per violation.

To help measure the impact of the legislation, the MHMDA also establishes a joint committee to review enforcement actions brought by the attorney general and consumers. The committee will also create a report about the impact and effectiveness of the act’s enforcement provisions. The structure, resources and funding of the joint committee remain an open question to be answered as the government begins implementing the act.

Key dates

The MHMDA mandates that regulated entities must comply with its obligations and prohibitions beginning 31 March 2024. Small businesses are given until the end of June 2024. The only exception to these operational dates is the provision banning geofencing, which does not include an effective date. This means the provision will be enforceable within Washington's default time frame of 90 days.

More to come

Businesses may be concerned about overlaps with existing biometric privacy laws like the Biometric Information Privacy Act. The MHMDA is not a Washington clone of Illinois' BIPA. While BIPA provides a right to obtain statutory damages, the MHMDA relies on Washington’s Consumer Protection Act for civil penalties, which requires a showing of injury to business or property. Further analysis is needed to fully review the overlaps in the substantive provisions of the two laws as well as the existing Washington biometric identifiers law, which covers "automated measurements." Under the MHMDA, biometric data includes information generated from an individual's physiological, biological or behavioral characteristics that identifies a consumer, but is only covered if it relates to health information. On the one hand, this is narrower than the BIPA, where biometric information includes "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual." The list of specific types of biometric identifiers in the BIPA exceeds that in the MHMDA as well. On the other hand, the definition could be far more inclusive, as it does not specify the data be used as a biometric to be covered. Without explicit exceptions for photographs and other inchoate biometrics, there is potential for the MHMDA to be applied in an expansive manner.

Working through the broad application of this health-focused law will take time. The MHMDA’s definition of consumer does not just apply to Washington residents, but also includes any "natural person whose consumer health data is collected in Washington." As Hintze Law Partner Mike Hintze, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, noted in his overview of the act, "Some of the largest global cloud service providers are headquartered in Washington, with significant data center footprints in Washington." This broad drafting language is also reflected in the act’s definition of the healthcare services that fall within scope of the law, which some legal analysts say also captures businesses providing ancillary services to clinical care, such as exercise programs, nutrition programs and social care services. This potential for an application that goes well beyond the borders of the Evergreen State and traditional healthcare services has the privacy community buzzing as we wait to see how regulated entities operationalize the act — and how it will be utilized by the state attorney general and plaintiffs’ lawyers.

Additional Resources