In response to the Supreme Court’s decision to overturn Roe v. Wade in June of 2022, states across the nation are enhancing the protection of health data confidentiality. Washington has taken a significant step by enacting the “My Health My Data Act” (the “Act”), signed into law by Governor Inslee. This legislation brings about substantial privacy improvements for the personal health data of Washington consumers, without exemptions based on business size or data collection volume.
Defining Consumer Health Data
Consumer health data, as defined by the Act, encompasses a wide range of personal information that is linked to, or could reasonably identify, a consumer’s past, current, or future physical or mental health status. Examples include individual health conditions, treatments, diseases, diagnoses, use or purchase of prescribed medications, vital signs, bodily functions, symptoms, genetic data, biometric data, and more.
Compliance for Small Businesses
Unlike many other data privacy laws, the Act extends a grace period of three additional months to small businesses, with their compliance set to commence on June 30, 2024. To qualify as a small business, a company must meet one of the following criteria relating to the collection, processing, selling, or sharing of consumer health data:
- Collect, process, sell, or share the consumer health data of fewer than 100,000 consumers in a calendar year; or
- Derive less than 50% of gross revenue from collecting, processing, selling, or sharing consumer health data, and control, process, sell, or share the consumer health data of fewer than 25,000 consumers.
Application and Scope
The Act is not confined to traditional healthcare organizations; its reach extends to businesses, both in and out of Washington, that may not perceive themselves as health-related entities. The law applies to “regulated entities” controlling the processing of “consumer health data,” encompassing businesses of any size operating in Washington or targeting Washington consumers.
- It does not just apply to Washington residents but also applies to non-Washington residents if their health data is collected or processed in Washington (excluding employees).
- No annual revenue threshold and no minimum consumer number for applicability, which means it will apply to a vast number of businesses inside and outside of Washington state.
- Likely applies to data beyond traditional health data, such as geolocation data.
- Provides a private right of action, allowing individuals (even outside of Washington) to file lawsuits for alleged violations.
A. Opt-In Consent Requirements: Requires businesses to obtain general consent from consumers before collecting or sharing their consumer health data for any purpose other than providing the product or service the consumer requested. The Act additionally requires a specific authorization before consumer health data may be sold.
B. Consumer Rights: Grants consumers the right to confirm, access, delete, and withdraw consent regarding their health data.
C. Consumer Health Data Privacy Policies: Mandates businesses to maintain privacy policies, disclosing data collection details, sharing practices, and consumer rights.
Violations of the Act are defined as unfair trade practices that are subject to enforcement under Washington’s Consumer Protection Act. Under the Act, both the Washington Attorney General and private parties can bring enforcement actions.
Takeaways for Businesses
Given the Act’s broad scope, businesses must promptly assess its applicability, scrutinize its impact on existing policies, and take necessary steps for compliance before the effective date. Companies are urged to proactively address the implications and develop a plan to ensure adherence to the new regulations.