On April 27, 2023, Washington State Governor Jay Inslee signed a far-reaching health privacy law entitled the “My Health My Data Act” (the Act), which extends protections to consumer health data collected by entities not currently covered under the Health Information Portability and Accountability Act of 1996 (HIPAA). The Act may transform the already fast-evolving healthcare privacy landscape, and could impose onerous obligations on entities that do not process traditional categories of health data.1 Unlike HIPAA, the Act provides for a private right of action, which could heighten risks for entities subject to the law. Below is a high-level analysis of the Act.
Key Takeaways from the Act
- “Covered entities” include organizations that do not specialize in or provide healthcare services, including small businesses and start-ups. The Act covers any legal entity that (1) conducts business in Washington or targets products or services to consumers in the State, and (2) determines the purpose of processing of such consumers’ health data. Unlike the CCPA and other recently enacted comprehensive state privacy laws, the Act does not provide any baseline thresholds (e.g., annual revenue), thereby subjecting small businesses and start-ups to the Act’s requirements. Although the Act extends the compliance deadline for certain small businesses by three months (from March 31, 2024, to June 30, 2024), the Act will nevertheless apply to them eventually.
- “Consumer health data” includes 13 broad, nonexclusive categories. The definition of “consumer health data” is defined to mean personal information (including IP addresses and other persistent identifiers) (1) that is linked or reasonably linkable to a consumer and (2) identifies the consumer’s past, present, or future physical or mental health status. “Physical or mental health status” includes, but is not limited to, 13 different categories, such as:
- “bodily functions, vital signs, symptoms, or measurements of [health status],” which would cover sensory data from wearable devices;
- “data that identifies a consumer seeking health care services,” which aligns with the FTC’s position in its settlement with BetterHelp that even an email address of a health service subscriber constitutes health information since it implies that the subscriber is seeking a health service;
- “biometric data,” which itself is broadly defined to include “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted” (emphasis added);2
- “precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies”; and
- any health data derived from non-health information, including through algorithms or machine learning.
Attempts to limit the broad definition of “consumer health data” during the legislative process and to clarify that the term is not intended to include information from everyday purchases such as footwear, groceries, cleaning products, and first aid supplies were rejected, so the actual scope of “consumer health data” will likely be left to the courts to determine through the inevitable private actions that will follow.
- “Consumers” include not only Washington state residents, but also individuals whose consumer health data is collected in Washington. The Act offers rights not only to Washington state residents, but also to those “whose consumer health data is collected in Washington,” which presumably includes out-of-state visitors and individuals who have never even stepped foot in Washington but whose health data is collected in Washington, e.g., via a health-related app.
- Covered entities’ obligations under the Act include unprecedented consent and authorization requirements, as well as new, tailored privacy policy disclosures.
- Three separate, required occasions to obtain consumer “consent” and “authorization” to process their health data: Unless processing a consumer’s health data is necessary to provide a service or product requested by the consumer, e.g., to share or sell the consumer health data with a third party, the Act requires covered entities to obtain consent “separate and distinct” from the consent initially obtained to collect the consumer health data. Consent must be a clear, affirmative “opt-in,” which cannot be obtained by way of a consumer reading a general terms of use agreement if the data processing description is included with other unrelated information.
Moreover, prior to “selling” a consumer’s health data, covered entities must also receive a “valid authorization” from the consumer, which consists of a document with eight different required disclosures (e.g., specific consumer health data to be sold and the purpose of the sale, the name and contact information of the buyer and seller, and a warning that the data may be redisclosed) as well as the consumer’s signature. Because a consumer’s authorization to sell is only valid for 12 months, covered entities must annually renew the authorization to continue to sell the consumer’s health data. Also note that the Act broadly defines “sell” to mean any exchange of consumer health data for monetary or other valuable consideration, with only limited exceptions for mergers and processors. - Tailored privacy policy requirements: Covered entities must maintain a consumer health data privacy policy that discloses each category of consumer health data collected and shared, the purposes for which the data is collected and used, the categories of sources from which the data is collected, a list of the categories of third parties and affiliates with whom the data is shared, and how consumers can exercise their rights (as described in more detail below). Because of the Act’s unique definitions, covered entities that have taken measures to comply with the California Consumer Privacy Act (CCPA) and other state privacy law disclosures will need to create new privacy policies to address the disclosures on the new health data categories.
- Three separate, required occasions to obtain consumer “consent” and “authorization” to process their health data: Unless processing a consumer’s health data is necessary to provide a service or product requested by the consumer, e.g., to share or sell the consumer health data with a third party, the Act requires covered entities to obtain consent “separate and distinct” from the consent initially obtained to collect the consumer health data. Consent must be a clear, affirmative “opt-in,” which cannot be obtained by way of a consumer reading a general terms of use agreement if the data processing description is included with other unrelated information.
- Processors that violate their contract with covered entities are deemed covered entities themselves. Processors may only process health data on behalf of a covered entity pursuant to a binding contract that sets forth the processing instructions between the processor and the covered entity, and those instructions must be limited to what is necessary to further the purposes for which the consumer provided consent or where necessary to provide the product or service the consumer requested. Violating this contract renders the processor as a covered entity with respect to that health data, subjecting the processor to all of the covered entity obligations in the Act.
- Consumer rights include the right to confirm, right to delete, and right to withdraw consent. Covered entities receiving the deletion requests must notify all of their affiliates, processors, contractors, and third parties with whom the covered entities have shared consumer health data, and those notified must delete the requested records. The deletion right contains few exceptions and is likely to create conflicts with other laws requiring the retention of consumer data, particularly given the Act’s broad definitions.
- The Act grants private right of action, allowing consumers to bring a lawsuit through the Washington Consumer Protection Act. Covered entities may face costly class-action litigation battles for alleged violations (regardless of merit), as we have seen from Illinois’ Biometric Information Privacy Act (BIPA), which also grants a private right of action.
Next Steps
This sweeping Act is likely to pose compliance challenges to even those businesses who have taken measures to comply with the CCPA and other comprehensive state laws. We recommend businesses to reevaluate their compliance programs, as the compliance deadline for many is less than a year away.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your compliance efforts related to My Health My Data Act, please contact Tracy Shapiro, Haley Bavasi, Eddie Holman, Hale Melnick, Yeji Kim, or any member of the firm’s privacy and cybersecurity practice.
[1]We previously covered the Federal Trade Commission’s recent enforcement actions involving consumer health data in the following Wilson Sonsini Alerts: “FTC Announces First Enforcement Action Under the Health Breach Notification Rule Against GoodRx” and “FTC Announces Settlement with BetterHelp for Disclosing Consumers’ Health Information to Third-Party Advertisers.”
[2]Note that the definition of “biometric data” could conceivably include pictures of individuals’ faces and voice recordings, regardless of whether any identifier templates are extracted from such information. In that case, such pictures and recordings could then be considered to be “consumer health data” provided that the pictures or recordings are capable of being associated with a particular consumer.
