On April 17, 2023, the Washington State Legislature passed the “My Health My Data Act” (“WMHMDA” or “Act”). Unlike other modern state privacy laws that purport to regulate any collection of “personal data,” WMHMDA confers privacy protections only upon “Consumer Health Data.” While the Act was promoted as a measure to help protect reproductive and gender-affirming care, its scope goes beyond those discrete issues.
The Act has led to confusion regarding what constitutes “Consumer Health Data.” While some assume that Consumer Health Data refers to health-related information collected by physicians and medical practitioners, HIPAA-regulated entities are exempt under the statute. Instead, the Act uses the term to refer to non-HIPAA regulated information that is linked (or linkable) to an individual and that identifies their “past, present, or future physical or mental health status.” The statute specifically states that “precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies” is considered “Consumer Health Data.”
Plaintiffs may take the position that if an organization systematically collects precise location information – i.e., continually tracks a consumer’s movements – the organization may be on notice that such information may, at least over time, indicate consumers’ attempts to acquire health services or supplies. For example, if an app continually tracks precise geolocation (and the developer of the app stores such information), plaintiffs may argue that the collected location history will eventually indicate a consumer’s attempt to receive health care services when the consumer visits a pharmacy, clinic, or medical practice.
If, on the other hand, an organization sporadically collects precise location information in a context where the organization has no reason to believe the information could be used to reveal that a consumer is attempting to receive health care services, there may be a strong argument that such information is not consumer health data. For example, if a mobile application for a restaurant has a “find a location” feature that allows a consumer to send a one-time transmission of their precise location for the purpose of locating the nearest restaurant, the restaurant might argue that it has no reason to believe that such information would indicate health data about consumers. Such an argument might be made even if it is possible that in a small minority of cases the geolocation information could, in fact, suggest that the consumer attempted to receive health care services (e.g., it is conceivable that some consumer may at some point in time use the “find a location” feature while exiting a health clinic).
Organizations that collect precise location information – either systematically or sporadically – may consider the following additional steps to reduce the likelihood that a court will determine that the Act applies to them:
- Anti-correlation policy. If an organization maintains an internal policy or procedure that prohibits employees from using location information to identify whether a data subject has visited a health care service, the organization may be able to argue that the location information cannot “reasonably indicate” an attempt to receive health services.
- Restrictions on sharing. If an organization prohibits the sharing of location information with third parties or restricts such sharing to organizations that contractually agree not to use such information to identify whether a data subject has visited a health care service, the organization may be able to argue that the location information will not be accessed by a third party that can use it to “reasonably indicate” an attempt to receive health services.
- Retention periods. If an organization limits the duration of time that geolocation information is retained, it may be able to argue that such information can no longer “reasonably indicate” an attempt to acquire or receive health services. Specifically, information kept over a longer period of time (i.e., months or years) might be used to reconstruct the movements of a person and correlate those movements against known health care providers. Information that is kept over a short period of time (i.e., minutes or days) may have less inferential value when reconstructing a data subject’s movements and/or correlating those movements against known health care providers.