
Since the U.S. Supreme Court’s Dobbs v. Jackson Women’s Health Organization decision, healthcare privacy has become a more urgent issue as states such as Missouri seek to prevent women from obtaining abortions in other states. For example, data from certain period-tracking apps could be used to penalize anyone seeking or considering an abortion. In an effort to address bodily autonomy and reproductive healthcare, Washington House lawmakers recently passed the My Health My Data Act. A companion bill is presently making its way through Washington’s Senate.

The My Health My Data Act aims to close the gap that exists between (i) health data protected under the federal Health Insurance Portability and Accountability Act (HIPAA), which applies only to specific covered entities (such as most healthcare providers), and (ii) health data not protected by HIPAA, because HIPAA generally does not apply to other entities such as commercial website and mobile application providers/operators. A key sticking point between supporters and detractors of the My Health My Data Act understandably concerns the definition of “consumer health data” and how much information may fall within the proposed act’s scope. The My Health My Data Act does not distinguish between “health data” as traditionally understood and maintained by health-focused entities and less-sensitive health data maintained by non-health-focused entities. For example, while the My Health My Data Act would likely apply to a wearable device provider that operates an app through which a Washington state resident’s heart rate and movement are collected during sleep in order to assess sleep patterns and provide guidance on how to improve sleep hygiene, it would also arguably apply equally to a less data-intensive app that collects a Washington state resident’s manually entered sleep time as one field of a daily time tracker.

For now, key takeaways include:

  • To whom does the My Health My Data Act apply?
    • Any legal entity that (i) conducts business in Washington or produces or provides products or services that are targeted to Washington residents and (ii) determines the purposes and means of collecting consumer health data.
  • What is consumer health data?
    • There are two components of the defined term consumer health data: (1) personal information that is linked or linkable to a Washington resident or other individual whose personal information was collected in Washington and (2) information that identifies a consumer’s past, present, or future physical or mental health.
    • This definition includes individual health conditions, treatment, status, diseases or diagnoses; social, psychological, behavioral and medical interventions; health-related surgeries or procedures; use or purchase of medications; bodily functions, vital signs and symptoms; diagnoses or diagnostic testing, treatment or medication; gender-affirming care information; reproductive or sexual health information; biometric data; genetic data; precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; and information that is derived or extrapolated from nonhealth information.
  • At a high level, what obligations would a regulated entity have under the My Health My Data Act?
    • Provide detailed privacy policy disclosures.
      • As drafted, it is not clear from the proposed law whether a regulated entity needs to provide a separate “consumer health data privacy policy” or whether a broader privacy policy would suffice.
    • Enter contracts with service providers that impose statutorily required terms.
      • Terms include setting forth instructions on how the service provider may use consumer health data and limiting actions that the service provider may take with respect to the consumer health data (for example, not using it for its own purposes).
    • Obtain “consent” from the consumer for collecting consumer health data, or such collection must be necessary to provide a product or service that the consumer has requested.
      • Consent must be an affirmative act and cannot be bundled in a broadly drafted “terms of use” or similar document.
    • Not share consumer health data except with the consumer’s distinct consent or as necessary to provide the product or service that the consumer has requested.
    • Respond to certain consumer requests related to their consumer health data, such as requests to access, withdraw consent to the collecting and sharing of the consumer health data, and delete their consumer health data (including from archived and backup systems).
      • This could pose technical difficulties for many organizations.
    • Establish an appeal mechanism for consumer health data requests.
    • Limit access to consumer health data only to those whose access is necessary to provide the product or service to the consumer and maintain other reasonable data security practices.
    • Not sell consumer health data without obtaining a valid authorization that, among other things, specifies the consumer health data to be sold; the name and contact information of the person who collected and intends to sell the consumer health data; the name and contact information of the person purchasing the consumer health data; and a description of the sale’s purpose, including how the purchaser will use the data.
  • In contrast to other comprehensive state consumer privacy laws such as the California Consumer Privacy Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act and others, the My Health My Data Act does not provide entity-level exemptions for entities subject to HIPAA, the Gramm-Leach-Bliley Act (GLBA) or other regulatory schemes. Rather, as presently drafted, the My Health My Data Act provides for information-level exemptions, such as for information that is collected for certain clinical research; protected health information subject to HIPAA; certain de-identified information; and information subject to the GLBA, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and other acts. Organizations that have previously been able to rely on “entity-level” exemptions under those state consumer privacy laws may therefore have compliance obligations should Washington enact the My Health My Data Act as currently drafted.
  • Both the Washington attorney general and individuals may bring a claim against any regulated entity for failure to comply with the My Health My Data Act under Washington’s Consumer Protection Act.

The My Health My Data Act follows several failed prior attempts at comprehensive consumer personal information protection in Washington. Stay tuned to see if a similar fate awaits the My Health My Data Act.