Enacted on April 27, 2023, Washington’s “My Health, My Data” Act (the “Act”) creates significant compliance obligations for companies processing data in its scope. The expansive reach of the Act, coupled with a private right of action and short compliance deadlines, creates material regulatory and litigation risk for regulated entities.
Effective Date and Scope
Most provisions of the Act are effective on March 31, 2024 (or June 30, 2024 for regulated entities below certain thresholds). Notably, the geofencing prohibition (see below) could technically take effect in July 2023 due to statutory ambiguity.
The Act applies to “any legal entity” that (1) conducts business in Washington state or targets products or services to Washington consumers, and (2) alone or jointly determines the purposes and means of collecting, processing, sharing (disclosing to affiliates or third parties), or selling (exchanging for any valuable consideration) consumer health data (“CHD”).
The Act goes beyond HIPAA as CHD means any information that identifies or is reasonably capable of being associated or linked with a particular consumer and “identifies the consumer’s past, present, or future mental or physical health status.” This includes not only information about a diagnosis, health condition, and medication, but also biometric data (broadly defined) and “[p]recise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies” (for example, a visit to a hospital or pharmacy).
The Act also applies outside of Washington state because it defines “consumer” and “collect” very broadly. “Consumer” includes both Washington residents and any individual whose CHD is “collected” in Washington. “Collect” means to “buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process [CHD] in any manner” (emphases added). Under these definitions, a company that stores health-related information about non-Washington residents on a server in Washington state would be subject to the Act.
The Act exempts employee data, B2B data, “protected health information” covered by HIPAA, and certain other data covered by certain federal and state laws.
Requirements and Consumer Rights
A regulated entity must:
- Obtain consumers’ “valid authorization” (more similar to a HIPAA authorization than consent) to sell CHD.
- Protect CHD using reasonable security.
- Have contracts with processors that instruct them how to process CHD and require them to do so only on the regulated entity’s behalf.
- Not implement a geofence around a location providing in-person healthcare services to: (1) identify or track consumers seeking healthcare; (2) collect CHD; or (3) send communications or ads to consumers related to their CHD or healthcare services.
Consumers have the right to:
- Confirm whether a regulated entity collects, shares, or sells their CHD and access this CHD, including a list of all third parties and affiliates with whom CHD has been shared or sold;
- Withdraw consent to collect and share their CHD; and
- Request deletion of their CHD (which the regulated entity must flow down).
Regulated entities have 45 days to comply with requests, with a possible 45-day extension, and can decline requests that are manifestly unfounded, excessive, or repetitive, or that cannot be authenticated.
Violations of the Act are per se violations of the Washington Consumer Protection Act (“WA CPA”). The WA CPA provides both for the attorney general to bring enforcement actions and for a private right of action. Under the WA CPA, plaintiffs can sue for actual damages and the costs of the suit, including reasonable attorney’s fees, and injunctive relief. Courts have discretion to increase the damages by up to three times the amount of actual damages, or up to a total of $25,000. The Act may prove attractive to the plaintiffs’ bar, especially given its detailed requirements and short compliance deadlines.