
Washington's My Health My Data Act Just Signed into Law: It May Have a Surprising Impact on Your Privacy Program

By Laura Fey, Principal

On April 27, 2023, Washington Governor Jay Inslee signed Engrossed Substitute House Bill 1155, commonly known as the My Health My Data Act, into law. This landmark legislation creates sweeping new protections for consumer health data in Washington State, and its impact extends well beyond traditional healthcare organizations.

Why This Law Is Different

Unlike state comprehensive privacy laws that include revenue or volume thresholds, the My Health My Data Act has no applicability thresholds. Any entity that conducts business in Washington or targets products or services to Washington residents and that collects consumer health data may be subject to the law.

Additionally, the law includes a private right of action, allowing consumers to sue for violations directly, without waiting for the state attorney general to act. This is a significant enforcement lever not present in most other state privacy laws.

What Is “Consumer Health Data”?

The My Health My Data Act protects a broad range of “consumer health data,” including:

  • Health conditions, diagnoses, treatments, and surgical procedures
  • Social, psychological, behavioral, and medical interventions
  • Use of medications
  • Reproductive or sexual health information
  • Biometric data and genetic data
  • Bodily functions, vital signs, symptoms, or measurements
  • Precise geolocation data when it could reasonably indicate a health condition
  • Data derived or extrapolated from other data, such as through algorithmic or machine learning analysis

Who Is a “Regulated Entity”?

A “regulated entity” is any legal entity that:

  1. Conducts business in Washington or produces or provides products or services targeted to consumers in Washington; and
  2. Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data

Importantly, the law is not limited to HIPAA-covered entities. Wellness apps, fitness trackers, retail pharmacies, telehealth platforms, period tracking apps, and many other organizations may be subject to the law.

Key Compliance Obligations

Privacy Policy Publication

Regulated entities must maintain a consumer health data privacy policy that is publicly available and includes specific information about data collected, purposes, and consumer rights.

Restrictions on Data Sales

Selling consumer health data is prohibited without consumer authorization obtained through a consent form meeting specific requirements.

Collecting consumer health data beyond what is necessary to provide a requested product or service requires affirmative authorization (opt-in consent).

Consumer Rights Processing

Consumers have the right to:

  • Confirm whether their consumer health data is being collected
  • Access their consumer health data
  • Delete their consumer health data

Regulated entities must respond to consumer requests within 30 days.

Data Processing Agreements

Regulated entities must contractually require processors to adhere to the law’s requirements.

Geofencing Prohibition

The law prohibits implementing a geofence around any facility that provides in-person health care services for the purpose of identifying, tracking, or sending health care-related communications to consumers.

Effective Dates

  • Geofencing prohibition: Approximately July 23, 2023
  • General compliance: March 31, 2024
  • Small business compliance: June 30, 2024

Enforcement

Violations of the law are unfair or deceptive acts or practices under the Washington Consumer Protection Act (CPA), which permits both attorney general enforcement and a private right of action. Maximum civil penalties under the CPA are $7,500 per violation, with no maximum on total civil penalties.

Takeaway

The My Health My Data Act has broad reach and significant enforcement teeth. Organizations that collect health-related data, whether or not they are HIPAA-covered, should evaluate their compliance obligations under this new law.
