In response to the Supreme Court’s decision to overturn Roe v. Wade in June of 2022, states across the nation are enhancing the protection of health data confidentiality. Washington has taken a significant step by enacting the “My Health My Data Act” (the “Act”), signed into law by Governor Inslee. This legislation brings about substantial privacy improvements for the personal health data of Washington consumers, without exemptions based on business size or data collection volume.
Consumer health data, as defined by the Act, encompasses a wide range of personal information that is linked to, or could reasonably identify, a consumer’s past, current, or future physical or mental health status. Examples include individual health conditions, treatments, diseases, diagnoses, use or purchase of prescribed medications, vital signs, bodily functions, symptoms, genetic data, biometric data, and more!
Unlike many other data privacy laws, the Act extends a grace period of three additional months for small businesses, with compliance set to commence on June 30, 2024. To qualify as a Small Business, a company must meet specific criteria related to the collection, processing, selling, or sharing of consumer health data.
The Act is not confined to traditional healthcare organizations; its reach extends to businesses, both in and out of Washington, that may not perceive themselves as health-related entities. The law applies to “regulated entities” controlling the processing of “consumer health data,” encompassing businesses of any size operating in Washington or targeting Washington consumers.
A. Opt-In Consent Requirements: Requires businesses to obtain general consent from consumers before collecting or sharing their consumer health data for a purpose other than providing the product or service requested by the consumer. The Act also requires specific authorization to sell consumer health data.
B. Consumer Rights: Grants consumers the right to confirm, access, delete, and withdraw consent regarding their health data.
C. Consumer Health Data Privacy Policies: Mandates businesses to maintain privacy policies, disclosing data collection details, sharing practices, and consumer rights.
Violations of the Act are defined as unfair trade practices that are subject to enforcement under Washington’s Consumer Protection Act. Under the Act, both the Washington Attorney General and private parties can bring enforcement actions.
Given the Act’s broad scope, businesses must promptly assess its applicability, scrutinize its impact on existing policies, and take necessary steps for compliance before the effective date. Companies are urged to proactively address the implications and develop a plan to ensure adherence to the new regulations.