Washington State Governor Jay Inslee has signed the "My Health My Data Act," into law today. This Act is a broad and complex piece of legislation that could have far-reaching impacts on businesses operating in the state. The Act will come into effect on March 31, 2024, with a delayed start date of June 30, 2024 for small businesses (but note, certain aspects of the Act may come into effect even sooner).
While the Act ostensibly seeks to cover gaps in the protection of health data offered under HIPAA, it goes far beyond that. The Act applies to “consumer health data” which it defines as “any personal information linked to a consumer's past, present, or future physical or mental health status.” This definition could include any data related to health, wellness, fitness, nutrition, and even location information indicating an attempt to acquire health supplies or services.
The Act applies broadly to both the consumers it seeks to protect and the entities it seeks to regulate, applying to any consumer health data that is processed in Washington. This means it will almost certainly capture data of non-residents as well.
The Act requires opt-in consent for collecting or sharing a consumer's health data (including biometric data), as well as a separate and quite onerous opt-in consent for the sale of consumer health data. Consumers also have the right to require deletion of their data, with no exceptions, and any deletion requests must be passed along to all third parties with whom the data has been shared.
Additionally, the Act requires the posting of a "Consumer Health Data Privacy Policy" on a company's homepage – which could mean that companies have to add yet another link and policy to their sites.
There is an absolute restriction on geofencing around entities that provide in-person healthcare services if used to identify or track consumers seeking healthcare services, collect consumer health data, or send notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services.
Another very key provision of the Act is that it provides for a private right of action for consumers. This significantly increases the risk of non-compliance for business covered by the Act. There is some concern that the breadth, complexity, and vagueness of this law may drive some companies to change or limit their business approach with respect to Washington, potentially having a negative effect on both consumers and companies operating in the state.