Who and what does the Act protect?
Who must comply?
How to comply?
Comment


Legislative activity in Washington continues in 2023 with numerous bills being considered. Businesses that process health data should follow the process of House Bill 1155 (the My Health, My Data Act), which has been amended once and was approved in the House Committee on Civil Rights & Judiciary hearing on 3 February 2023.

Who and what does the Act protect?

The My Health, My Data Act protects as "consumers" Washington residents and natural persons whose consumer health data is collected in Washington. "Consumers" are those who act only in an individual or household context; individuals acting in an employment context are excluded.

Consumers' "health data" is protected. This means personal information that is linked or reasonably linkable to a consumer and relating to health, as broadly understood. The definition includes a non-exhaustive list of examples, including:

  • location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies; and
  • health data that is derived from non-health information (eg, proxy, derivative, inferred or emergent data by any means, including algorithms or machine learning).

The Act includes an exemption for public or peer-reviewed research. The Act also has exemptions for processing covered by existing health privacy laws, including the Health Insurance Portability and Accountability Act.

Who must comply?

Certain obligations apply to "any person". "Person" includes, where applicable:

  • natural persons;
  • corporations;
  • trusts;
  • unincorporated associations; and
  • partnerships.

"Person" does not include:

  • government agencies;
  • tribal nations; or
  • contracted services providers when processing consumer health data on behalf of a government agency.

But most obligations apply to "regulated entities", which means any legal entity that:

  • conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
  • alone or jointly with others determines the purpose and means of collecting, processing, sharing or selling of consumer health data.

"Regulated entity" does not mean:

  • government agencies;
  • tribal nations; or
  • contracted services providers when processing consumer health data on behalf of the government agency.

"Processors" to regulated entities must assist the regulated entity with technical and organisational measures and only process consumer health data in a manner consistent with the binding instructions set forth in a contract with the regulated entity. A "processor" is a person that processes consumer health data on behalf of a regulated entity.

How to comply?

Obtain consent or document why collection or sharing of consumer health data is strictly necessary
Collecting and sharing consumer health data is prohibited unless:

  • a consumer gives prior consent; or
  • collecting or sharing the data is necessary to provide a product or service the consumer has requested from the regulated entity.

If relying on consent, the regulated entity must obtain one consent for collection and one consent for sharing. The request for consent must disclose:

  • the categories of data collected or shared;
  • the purpose of the collection or sharing;
  • the categories of entities with which the data is shared; and
  • how the consumer can withdraw consent.

Include new disclosures in website privacy policies or create new dedicated policies
Regulated entities must maintain a consumer health data privacy policy on their homepages that includes enumerated information such as:

  • the categories of consumer health data collected;
  • processing purposes;
  • the categories of consumer health data that is shared;
  • how a consumer can exercise data subject rights; and
  • a list of the categories of third parties and specific affiliates with which the regulated entity shares the consumer health data.

Collecting, using or sharing additional categories of consumer health data, not disclosed in the consumer health privacy policy, requires prior affirmative consumer consent.

Do not sell consumer health data without signed authorisation
It is unlawful for any person to sell, or offer to sell, consumer health data without first obtaining valid signed authorisation, which must include prescribed information such as the purpose for the sale and a one-year expiration date of the authorisation, from the consumer. "Selling" means sharing for monetary or other valuable consideration. It does not include sharing with a third party as an asset in a merger or other similar transaction, or by a regulated entity to a processor when such sharing is consistent with the purpose for which the consumer health data was collected and disclosed to the consumer.

Do not implement geofences around healthcare facilities
It is unlawful for any person to implement a geofence to identify, track, collect data from, or send notifications or messages to a consumer that enters any entity which provides in-person healthcare services.

Honour authenticated data subject requests
Consumers have a right to:

  • confirm whether a regulated entity is collecting, sharing or selling consumer health data concerning the consumer;
  • access such data, including:
    • a list of all third parties and affiliates with which the regulated entity has shared or sold the consumer health data; and
    • an active email address or other online mechanisms that the consumer may use to contact these third parties;
  • withdraw consent; and
  • have consumer health data concerning the consumer deleted.

A regulated entity that receives a consumer's request to delete must without unreasonable delay and no more than 30 calendar days from authenticating the request delete the data and notify all affiliates, processors, contractors and other third parties of the request. All affiliates, processors, contractors and other third parties must honour the deletion request. A regulated entity must respond to the consumer without undue delay, but in all cases within 45 days of receipt. The period for a substantive response may be extended by an additional 45 days when reasonably necessary.

A regulated entity must establish an appeals process for consumers to appeal the entity's refusal to take action on a request. Such appeals process must be conspicuously available. If the appeal is denied, the regulated entity must also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.

Sign contracts with processors
Processors may process consumer health data only pursuant to a binding contract between the processor and the regulated entity that sets forth the processing instructions and limits the actions the processor may take. If a processor fails to adhere to the regulated entity's instructions or processes consumer health data in a manner that is outside the scope of the processor's contract with the regulated entity, the processor is considered a regulated entity.

Implement security measures
Regulated entities must implement technical and organisational measures that satisfy a reasonable standard of care with the regulated entity's industry and restrict access to consumer health data to those with a need to know.

Do not discriminate
A regulated entity may not unlawfully discriminate against a consumer for exercising any rights under the act.

Comment

If passed, the My Health, My Data Act will impose challenging compliance burdens on businesses that will need to determine whether they can leverage compliance with existing privacy laws, including the California Consumer Privacy Act in California.

For further information on this topic please contact Helena J Engfeldt at Baker McKenzie by telephone (+1 415 576 3000) or email ([email protected]). The Baker McKenzie website can be accessed at www.bakermckenzie.com.