Date: 2023-05-09

Practices: healthcare, healthcare privacy and security, digital health, data, privacy and cybersecurity

Sectors: Healthcare and life sciences


On April 27, 2023, Washington Governor Jay Inslee signed into law the “My Health My Data Act” (the “Act”), beginning the 11-month countdown until this new comprehensive health data privacy law comes into effect. The law differs from other recent state privacy laws in that it is specifically focused on health care – aimed at protecting health data that falls outside the scope of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In an attempt to protect this category of information, Washington has enacted a sweeping law that will require robust compliance efforts from entities typically considered outside of traditional health care regulatory regimes. In addition, the private right of action in the Act opens a new avenue for potential litigation and subsequent changes based on judicial interpretation.

In this alert, we provide a summary of the key provisions of the new law, compliance concerns, and steps businesses can take to prepare for the March 31, 2024 effective date.

Who and what is regulated?

Regulated entities are broadly defined. Motivated by post-Dobbs privacy concerns, the stated intent of the Act is to “close the gap” between the health information people believe is protected and what is actually protected. To this end, the scope of the law is broad, applying to “regulated entities,” which are defined as any entity that conducts business or targets consumers in Washington and, jointly or unilaterally, determines the purpose and means of collecting, processing, sharing, or selling consumer health data. Unlike other state laws, the law does not have a threshold for annual revenue, the number of affected consumers, or the amount of revenue attributable to health information sharing for regulated entities. While so-called small businesses have a slightly longer deadline to achieve compliance (not before June 30, 2024 for small businesses versus March 31, 2024 for all other entities), regulated entities are otherwise treated the same way throughout the law, regardless of size. In terms of exceptions, there are some data-based exceptions, including data subject to HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act and Washington’s own Health Benefits Exchange Act.

Consumers include people whose data is “collected” in Washington. While “consumer” includes residents of Washington, it also covers any individual whose consumer health data is collected in Washington. “Collected” is broadly defined and includes purchasing, leasing, accessing, storing, receiving, acquiring, inferring, deriving, or otherwise processing consumer health data. The law gives no clarity as to which actions would be considered “inferring” or “deriving”; however, it should be noted that “consumer” does not include persons acting in an employment context. Companies should pay particular attention to assessing their relationship with any type of health data to better determine whether their processes could fall under this broad definition of “collection”.

Consumer health data includes health-adjacent information. The definition of “consumer health data” is broad and includes information “related or reasonably likely to be related” to a consumer that identifies the consumer’s past, present, or future physical or mental health. The categories included in this definition range from individual health conditions or treatments, to the use or purchase of medications, to measurements of bodily functions or vital signs, to specific locations that could “reasonably indicate” a consumer’s attempt to acquire health services or supplies, and may also include information “derived or extrapolated from non-health information”. As with the definition of “collection”, few details are given on what the broader categories actually mean in their application.

Compliance requirements

Robust notice and consent for consumer health data collection and sharing. Under the law, entities will be required to provide detailed consumer health data privacy policies. Additionally, opt-in consents will need to be obtained separately and distinctly for (a) collecting and (b) sharing consumer health data. Consumer health data privacy policies and consents should detail the categories of health data that are collected or shared, how the data will be used, the categories of data that will be shared, and how consumers can withdraw consent to those processes.

Selling consumer health data requires consumer authorization. Similar to HIPAA authorizations, the sale of consumer health data will require specific authorization from the consumer. These authorizations must specify the consumer health data to be sold, the buyer’s contact information, and the intended use of the purchased consumer health data. In addition, authorizations are revocable at any time and are only valid for a maximum of one year.

Absolute right to erasure. Consumers will have the right to withdraw their consent to the collection and sharing of their health data as well as the right to request the deletion of this data. Upon receipt of such a request, entities must delete the consumer health data from their records, including backup and archival systems, and must notify all affiliates of the deletion request.

Compliance issues

Prohibition on geofencing. The law prohibits the use of a geofence around an entity that provides in-person health care services where the geofence technology is used to identify or track consumers; collect consumer health data; or send notifications, messages or advertisements regarding health data or health care services. Entities that have combined retail and clinic spaces – more common with the advent of the retail clinic – need to take special care to ensure they do not contravene this requirement.

Violation of a contract with a regulated entity makes the processor a regulated entity itself. Processing consumer health data on behalf of a regulated entity requires a contract that lists processing instructions specific to what is needed based on consumer consent or to provide the requested product or service. A violation of that contract makes the processor a regulated entity and, as such, subject to all the obligations of a regulated entity under the Act. Consequently, processors must pay particular attention to compliance with these contractual conditions.

The law includes a private right of action. Similar to Illinois’ Biometric Information Privacy Act (“BIPA”), which has been the subject of much litigation, the law includes a private right of action under Washington’s Consumer Protection Act. Individuals can sue entities for damages of up to $7,500 per violation. The definition of a “violation” is not prescribed in the law and, as seen in recent BIPA cases, whether a violation is defined as the general collection of information or as each instance of collection can have drastic effects on the final damages calculation.

Next steps

The law breaks from the pack of state privacy laws as a single, broad privacy law that attempts to target areas of sensitive health data that have become of greater concern in the post-Dobbs world. Given the widespread fear of misuse of data surrounding reproductive health care, it is unlikely that this law is the only such legislation. Instead, it is more likely the first of a new wave of health data regulation. Other states, such as Illinois, are also considering similar legislation. While those who fall within the definition of a regulated entity in the Washington context should begin to prepare for the implementation of the law, those outside the scope of the law should still view it as the sign of a new form of privacy regulation that could extend to other states as well.

To begin preparing for compliance, entities should assess the extent to which they collect, share or sell consumer health data or any data that could reasonably be interpreted as consumer health data. As the BIPA litigation in Illinois showed, the vagueness of the terms should lead entities to err on the side of caution when evaluating whether the data they collect relates to health information. Additionally, entities should begin to review their current privacy policies and notice-and-consent procedures and seek advice on crafting new compliant disclosures. Moreover, the right to erasure in the Act is robust enough that laying the groundwork to make the deletion process as efficient as possible cannot begin soon enough. Taken as a whole, the law demonstrates the growing trend towards increased and more granular scrutiny of private information – entities should monitor this trend closely and prepare accordingly.

* * *

If you have any questions regarding this Alert, please do not hesitate to contact one of the authors or your usual Ropes & Gray adviser.
