New Washington Law Has Broad Implications For Protecting Consumer Health Data
On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (the "Act"), which will regulate the collection, use, and disclosure of "consumer health data" ("Consumer Health Data" or "CHD"). The Act is intended to provide stronger privacy and security protections for health-related information not protected under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), but a significant gap remains. In spite of its title and purported focus on the health information of Washington residents, a careful reading of the Act shows that it will have a much broader reach – both geographically and substantively. Most provisions of the Act come into effect on March 31, 2024, with small businesses required to comply by June 30, 2024. Some sections (e.g., Section 10 prohibition against "geofencing") do not provide effective dates. It is unclear whether those sections become effective on July 22, 2023, which would be 90 days after the end of the legislative session, as provided under Washington law, or whether failure to include an effective date for all sections of the Act was an oversight.
Whom the Act Covers
The Act applies to entities that conduct business in Washington, or that "produce" or "provide" products or services that are targeted to consumers in Washington, and that determine the purpose and means of collecting or using CHD ("regulated entities"). This includes "small businesses," which are regulated entities that: (a) collect, process, sell, or share the consumer health data of fewer than 100,000 consumers in a calendar year; or (b) derive less than 50% of gross revenue from collecting, processing, selling, or sharing CHD, and control, process, sell, or share the CHD of fewer than 25,000 consumers. Unlike other state privacy laws, the Act does not exempt these smaller businesses but merely postpones by three months the date by which small businesses must come into compliance.
Also unlike other state privacy laws that protect that state's residents, the Act defines "consumers" broadly to include not just Washington residents but also any natural person whose CHD is "collected" in Washington. And because the Act defines "collect" to mean "buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner," any regulated entity located anywhere – including outside of the U.S. – that retains or processes CHD in Washington, or that contracts with a "processor" (as defined in the Act, and including a cloud or other service provider) that retains, processes (e.g., stores) or allows access to CHD in Washington, will be subject to the Act with respect to the CHD of any natural person, regardless of where that natural person resides.
What Data the Act Covers
"Consumer health data" is broadly defined as personal information[1] that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. The Act includes a long, non-exhaustive list of data elements that comprise CHD (CHD "includes, but is not limited to" the elements listed) and covers some information that is not typically thought of as health-related. The list of CHD includes the following:
- Individual health conditions, treatments, diseases, or diagnoses
- Social, psychological, behavioral, and medical interventions
- Health-related surgeries or procedures
- Use or purchase of prescribed medication
- Bodily functions, vital signs, symptoms, or measurements of the information described in this listing
- Diagnoses or diagnostic testing, treatment, or medication
- Gender-affirming care information
- Reproductive or sexual health information
- Biometric data
- Genetic data
- Precise location information (within a radius of 1,750 feet) that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies
- Data that identifies a consumer seeking health care services (including gender-affirming care and reproductive or sexual health information)
- Any other information that a regulated entity or their processor processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
While some of these data elements describe information that typically is associated with health-related conditions or treatment, some go far beyond that. For instance, the definition of CHD could capture grocery items purchased that might indicate someone is diabetic. Or it could be broadly interpreted to encompass a consumer's online browsing history showing a search for information about yoga studios or other wellness activities. An open question is when precise location information would reasonably indicate that a consumer has attempted to acquire – or has acquired – health care services or supplies. For example, it is not clear whether precise location information showing that someone went to a hospital is CHD because someone could visit a hospital for treatment or to visit a friend or family.
Most important, because "consumers" include any natural person whose CHD is "collected" (e.g., "retained" or "processed") in Washington, this could include the CHD of, for example, a New York resident whose search request is initially collected and analyzed by a company in California but later stored on or accessed from a server in Washington—including by a cloud services provider that hosts some of its customers' data in Washington.
The Act does not apply to such data in an employment (e.g., HR-related records) or commercial (i.e., B2B) context. De-identified data and publicly available data are excluded from the definition of "personal information" and therefore are not CHD. The Act includes a long list of other exemptions:
- Protected health information (PHI) as defined by HIPAA
- Health care information under Washington's Uniform Health Care Information Act
- Substance use disorder records collected, used, or disclosed pursuant to 42 C.F.R. Part 2
- Identifiable private information for purposes of certain federal laws governing human subjects research
- Certain peer review and health care quality improvement information and documents and HIPAA de-identified information
- Information originating from and intermingled with the above information that is maintained by a HIPAA-covered entity or business associate, a health care facility or health care provider under Washington's Uniform Health Care Information Act, or a substance use disorder program or its qualified service organization under 42 C.F.R. Part 2
- Information used only for public health activities or that is part of a limited data set (as defined under HIPAA)
- Certain claims and drug information collected as part of Washington State health care programs
- Personal information that is governed by and collected, used, or disclosed pursuant to:
  - The Gramm-Leach-Bliley Act
  - HIPAA (it is not clear why HIPAA is referenced both here and above)
  - The Fair Credit Reporting Act
  - The Family Educational Rights and Privacy Act
  - The Washington health benefit exchange and applicable statutes and regulations
  - Washington privacy rules adopted by the Washington insurance commissioner
Regulated entities will need to carefully evaluate the information that they "collect" to determine what information could be deemed covered CHD, and they will need to be mindful of how such information is handled by the business and its cloud services provider or other processors to determine whether it has a nexus to Washington, however tenuous. One consequence of the Act may be that companies will implement data localization provisions, including in their contracts with cloud service providers and other processors, to prevent data from being stored, handled or otherwise "collected" in Washington.
Key Provisions
The Act imposes some of the most rigorous obligations in any state privacy law thus far, including:
- Transparency: Regulated entities must maintain a specific "consumer health data privacy policy" containing certain disclosures about their collection, use, and disclosure of CHD and the consumer's rights with respect to CHD. Regulated entities must post a link to this policy on their homepage. While the Act does not expressly prohibit this policy from being combined with a regulated entity's general privacy policy, the requirement to include a separate link to the CHD policy on the homepage suggests that this is intended to be a standalone policy. In any event, it is clear that regulated entities must add yet another link to their homepage.
- Consumer Consent: The Act requires regulated entities to obtain consent before collecting or sharing (which is distinct from selling) CHD. Requests for consent must include the following information: (1) the categories of CHD to be collected or shared; (2) the purposes for which such CHD will be collected or shared; (3) the categories of entities with whom the information will be shared; and (4) how a consumer can withdraw consent to future collection or sharing. As described below, when regulated entities sell – or even offer to sell – CHD, they must go through an even more rigorous process to obtain consent.
- Collection: Consumers must grant a regulated entity opt-in consent for the "collection" of their CHD except when collection is necessary to provide a product or service that the consumer requests, and must grant new consent before a regulated entity may collect (or share, or use) additional categories of CHD not disclosed in the consumer health data privacy policy. Because "collection" is so broadly defined, this likely means that regulated entities will need to obtain opt-in consent for any processing (including analysis or retention) of CHD that is not required to provide the product or service requested, including – for instance – when CHD is used to offer coupons for previously purchased products or services.
- Sharing: The Act defines "sharing" to mean releasing, disclosing, making available, providing access to, licensing, or otherwise communicating CHD to a "third party" or an "affiliate." As with "collection," a regulated entity must obtain consent from a consumer before "sharing" the consumer's CHD.
  - Certain Disclosures are Exempt: The following disclosures are excluded from the definition and therefore do not require opt-in consent: (1) to a processor to provide a product or service that the consumer requests and in a manner consistent with the purpose for which the data was collected, as disclosed to the consumer; (2) to a third party with whom the consumer has a direct relationship so long as the sharing is: (i) for the purpose of providing the product or service requested; (ii) the regulated entity retains control and ownership over the CHD; and (iii) the third party uses the CHD only at the direction of the regulated entity consistent with the purpose for which the consumer gave consent at collection; and (3) to a third party as an asset in connection with a merger, acquisition, or similar transaction involving a change in corporate control, so long as the third party complies with the Act.
  - No Bundling of Consent Requests: The consent for "sharing" must be "separate" and "distinct" from the consent obtained for "collection." Therefore, regulated entities cannot bundle consents to collect and share CHD.
- Sales: A "sale" of CHD means any disclosure of such data in exchange for monetary or "other valuable consideration." The Act requires not only regulated entities but also any person to obtain a "valid authorization" from the consumer before selling or offering to sell the consumer's CHD. This "valid authorization" must be both "separate" and "distinct" from consents to collect or share and must be written in plain language and include the following:
  - The specific CHD concerning the consumer to be "sold"
  - The name and contact information of the person collecting and selling the CHD
  - The name and contact information of the purchaser of the CHD
  - A description of the purpose for the "sale," including how the CHD was gathered and how it will be used by the purchaser
  - A statement that the provision of goods and services may not be conditioned on signing the valid authorization
  - A statement that the consumer has the right to revoke the valid authorization at any time (and how to do so)
  - A statement that CHD sold may be subject to redisclosure by the purchaser and may no longer be protected by the Act
  - Signature of the consumer and date of signature
  - A statement that the valid authorization expires one year from the date of the consumer's signature
  - Invalid Authorizations: The authorization will not be valid if the expiration date has passed, if it does not include all of the required information, if it has been revoked by the consumer, if it has been combined with one of the other documents to create a compound authorization, or if it conditions the provision of goods and services on the signing of the authorization.
  - Recordkeeping: The seller and purchaser must retain copies of all valid authorizations for six years from the date of signature or the date when the valid authorization was last in effect, whichever is later. A copy of the signed valid authorization must be provided to the consumer as well.
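The validity and recordkeeping rules above translate directly into a pre-sale checklist. The following is an added example (not code from the law firm, and not prescribed by the Act) that encodes them: the required contents and statements, the one-year expiry, revocation, compound documents, conditioning of goods or services, and the six-year retention date measured from the later of signature and last-in-effect. The dataclass layout, the `sample_authorization` factory with its fictional parties, and the boolean flags used to record the required statements are assumptions about how an organization might store an authorization; the Act fixes the content, not a format.

```python
"""Pre-sale checks for a "valid authorization" to sell consumer health data.

Added example; the field names and flags are an assumed data model, the
rules (one-year expiry, revocation, no compound authorization, no
conditioning, six-year retention) are the Act's as summarised above.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# contents the authorization must state (besides the four fixed statements below)
REQUIRED_FIELDS = ("specific_chd", "seller_name", "seller_contact", "purchaser_name",
                   "purchaser_contact", "purpose", "consumer_signature")


@dataclass
class SaleAuthorization:
    specific_chd: str = ""
    seller_name: str = ""
    seller_contact: str = ""
    purchaser_name: str = ""
    purchaser_contact: str = ""
    purpose: str = ""             # how the CHD was gathered and how the purchaser will use it
    consumer_signature: str = ""
    signed_on: Optional[date] = None
    states_no_conditioning: bool = False   # goods/services not conditioned on signing
    states_revocation_right: bool = False  # consumer may revoke at any time, and how
    states_redisclosure_risk: bool = False # purchaser may redisclose; Act may no longer protect
    states_one_year_expiry: bool = False   # expires one year from signature
    revoked_on: Optional[date] = None      # assumed bookkeeping of a revocation
    compound_with_other_document: bool = False
    conditions_goods_or_services: bool = False


def as_date(value) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_years(d: date, years: int) -> date:
    """Same calendar day `years` later; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_date(auth: SaleAuthorization) -> date:
    return add_years(auth.signed_on, 1)


def validity_problems(auth: SaleAuthorization, today) -> list:
    """Reasons the authorization is not valid on `today`; an empty list means valid."""
    today = as_date(today)
    if auth.signed_on is None:
        return ["missing signature date"]
    problems = [f"missing required field: {n}" for n in REQUIRED_FIELDS if not getattr(auth, n).strip()]
    for present, label in ((auth.states_no_conditioning, "no-conditioning statement"),
                           (auth.states_revocation_right, "revocation-right statement"),
                           (auth.states_redisclosure_risk, "redisclosure statement"),
                           (auth.states_one_year_expiry, "one-year expiry statement")):
        if not present:
            problems.append(f"missing required statement: {label}")
    if today > expiry_date(auth):
        problems.append("expired")
    if auth.revoked_on is not None and auth.revoked_on <= today:
        problems.append("revoked by consumer")
    if auth.compound_with_other_document:
        problems.append("combined into a compound authorization")
    if auth.conditions_goods_or_services:
        problems.append("conditions goods or services on signing")
    return problems


def retain_until(auth: SaleAuthorization) -> date:
    """Seller and purchaser keep a copy six years from the later of the signature
    date and the date the authorization was last in effect (expiry or revocation)."""
    last_in_effect = expiry_date(auth)
    if auth.revoked_on is not None and auth.revoked_on < last_in_effect:
        last_in_effect = auth.revoked_on
    return add_years(max(auth.signed_on, last_in_effect), 6)


def sample_authorization(signed_on="2024-02-29", revoked_on=None, **overrides) -> SaleAuthorization:
    """Constructed, fully populated authorization with fictional parties (sample data only)."""
    fields = dict(
        specific_chd="Prescription purchase history, Jan-Jun 2024",
        seller_name="Example Retail Co", seller_contact="privacy@example-retail.invalid",
        purchaser_name="Example Analytics LLC", purchaser_contact="data@example-analytics.invalid",
        purpose="Gathered at point of sale; purchaser will use it for adherence research",
        consumer_signature="/s/ A. Consumer", signed_on=as_date(signed_on),
        revoked_on=None if revoked_on is None else as_date(revoked_on),
        states_no_conditioning=True, states_revocation_right=True,
        states_redisclosure_risk=True, states_one_year_expiry=True,
    )
    fields.update(overrides)
    return SaleAuthorization(**fields)
```

A sale workflow would call `validity_problems` on the day of each sale or offer to sell (not just at signing) so that expiry and revocation are caught, and schedule disposal of the stored copy for the date returned by `retain_until`, recomputing it if a revocation arrives later.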
- Targeted Advertising: The Act does not separately address or define targeted advertising, but it is possible that the Washington attorney general or Washington courts will follow California's lead by treating disclosures of CHD for targeted advertising as "sales" of such information. If so, regulated entities that want to use CHD for targeted ads would need to obtain the valid authorizations described above before doing so and would be prohibited from conditioning the provision of products or services on consumers' willingness to receive targeted ads.
- Consumer Rights: The Act gives consumers the usual rights under state consumer privacy laws, all of which are subject to requirements that the regulated entity use commercially reasonable efforts to authenticate the request. Regulated entities must establish a process for consumers to appeal an adverse decision and take action within 45 days of receipt of the appeal. Consumers must be provided an online mechanism or other method to contact the attorney general to submit a complaint if their appeal is denied.
  - Confirmation: Consumers have the right to confirm whether a regulated entity is collecting, sharing, or selling their CHD.
  - Access: Consumers may request access to their CHD and are also entitled to a list of all third parties and affiliates with whom CHD was shared or sold as well as an active email address or other online mechanism that the consumers may use to contact the third parties.
  - Withdrawal of Consent: Consumers may withdraw consent from collection or sharing of their CHD at any time (note that collection is defined broadly to include processing, accessing, and inferring).
  - Deletion: A regulated entity that receives a request from a consumer to delete the consumer's CHD must delete such information not just from its "records," but also "from all parts" of its "network, including archived or backup systems," except that it may delay deletion of CHD stored on such archived or backup systems for up to six months after authenticating the request. Regulated entities must also notify all affiliates, processors, contractors, and other third parties with whom the CHD was shared, and those entities also must delete such data.
- Security Obligations of Regulated Entities: Regulated entities must restrict access to CHD to only those employees, processors, and contractors for whom access is "necessary to further the purposes for which the consumer provided consent" or when "necessary" to provide the product or service requested. They also must maintain reasonable security practices to protect the "confidentiality, integrity, and accessibility" of CHD consistent with industry standards "appropriate to the volume and nature of the [CHD] at issue."
- Processor Agreements: Regulated entities may engage "processors" to process CHD on their behalf. Processors must be bound by contracts that contain certain restrictions on the processors' use of data, but unlike European and other U.S. state laws, the Act does not require processors to assume extensive obligations. They must agree to process the CHD only according to the regulated entity's instructions and to assist the regulated entity in fulfilling its obligations under the Act. However, if a processor fails to adhere to the regulated entity's instructions or processes CHD outside the scope of the contract, the processor will be considered a regulated entity with regard to the CHD and subject to the Act.
- Geofence Restrictions: One of the most novel provisions in the Act prohibits any person from establishing a "geofence" around an entity that provides in-person health care services if the geofence is used to (1) identify or track consumers seeking such services, (2) collect CHD from consumers, or (3) send notifications or ads to consumers related to CHD or health care services. The Act defines a "geofence" as a technology that uses GPS coordinates, cell tower connectivity, cellular data, RFID, Wi-Fi data, or other form of spatial or location detection to establish a virtual boundary around a specific physical location or to locate a consumer within 2,000 feet or less from the perimeter of the physical location. This provision will limit businesses' ability to send geotargeted ads for some products and services that could fall within the definition of CHD, depending on how broadly that term is construed.
  Moreover, because the Act governs Washington residents wherever they may travel and non-Washington residents whose information is "collected" (i.e., stored or otherwise processed or accessed) in Washington, it arguably prohibits a geofence anywhere in the world that meets the above criteria if that geofence has a nexus with Washington. For example, a national pharmacy chain's geofence around its Florida location could trigger this prohibition to the extent that the pharmacy chain does business in Washington and its Florida location is visited by a Washington resident on vacation, or a New York resident whose CHD is retained in or accessed from Washington.
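Because the prohibition turns on a concrete distance, a marketing or privacy team can screen proposed location-based campaigns before launch. The following is an added example, not the law firm's code and not tied to any ad platform's API: each proposed fence (center point and radius) is compared with a maintained list of in-person health care facilities, and a fence whose boundary comes within 2,000 feet of a facility is flagged for review rather than run. The facility coordinates and proposed fences are constructed sample values, and the `facility_buffer_ft` allowance (for a facility whose perimeter extends beyond its recorded point) is an assumption; only the 2,000-foot figure comes from the Act.

```python
"""Launch-time screen of proposed geofences against the Act's 2,000-foot rule.

Added example. Facilities are modelled as points; the optional buffer is an
assumed allowance for the facility's real perimeter. Coordinates below are
made up, not real addresses.
"""
import math

FEET_PER_METER = 3.28084
EARTH_RADIUS_FT = 6_371_000.0 * FEET_PER_METER
ACT_DISTANCE_FT = 2_000.0   # "within 2,000 feet or less from the perimeter"


def haversine_ft(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in feet between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_FT * math.asin(math.sqrt(a))


def screen_fence(center_lat, center_lon, radius_ft, facilities, facility_buffer_ft=0.0) -> list:
    """Facilities this fence would come too close to.

    The gap is the distance from the fence boundary to the facility point, less
    the buffer; a fence that contains the facility has a gap of zero or less.
    Anything at or under the Act's 2,000 feet is reported."""
    hits = []
    for fac in facilities:
        dist = haversine_ft(center_lat, center_lon, fac["lat"], fac["lon"])
        gap = dist - radius_ft - facility_buffer_ft
        if gap <= ACT_DISTANCE_FT:
            hits.append({"facility": fac["name"], "gap_ft": round(max(gap, 0.0))})
    return hits


# Constructed sample facility list (fictional names, made-up coordinates).
SAMPLE_FACILITIES = [
    {"name": "Example Clinic", "lat": 47.6101, "lon": -122.3421},
    {"name": "Example Pharmacy", "lat": 47.7000, "lon": -122.3400},
]


def screen_campaign(fences, facilities=SAMPLE_FACILITIES) -> dict:
    """Map each proposed fence id to the facilities that block it; an empty list means clear."""
    return {f["id"]: screen_fence(f["lat"], f["lon"], f["radius_ft"], facilities) for f in fences}


if __name__ == "__main__":
    proposed = [  # constructed campaign: fence-A sits a few hundred feet from the clinic
        {"id": "fence-A", "lat": 47.6110, "lon": -122.3400, "radius_ft": 500},
        {"id": "fence-B", "lat": 47.6500, "lon": -122.3000, "radius_ft": 300},
    ]
    for fence_id, hits in screen_campaign(proposed).items():
        print(fence_id, "BLOCKED for review" if hits else "clear", hits)
```

The facility list is the part that needs maintenance: the screen is only as good as the inventory of clinics, pharmacies, hospitals and similar locations it is compared against, and, given the Act's reach discussed above, that inventory should not be limited to Washington.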
- Limited Exceptions: Unlike other state consumer privacy laws, the Act lacks substantive exceptions that would permit a regulated entity to, among other things, use or disclose CHD to comply with law (but see below with respect to law enforcement access); conduct internal research to improve or develop products, services, or technology; effectuate a product recall; or perform internal operations reasonably aligned with consumer expectations. The only exceptions that the Act provides allow regulated entities and processors to process CHD to do the following: (1) prevent, detect, protect against, or respond to security incidents, fraud, or malicious, deceptive, or illegal activities; (2) preserve the integrity or security of systems; or (3) investigate, report, or prosecute those responsible for illegal activities.
A Swing and a Miss? The Act Appears to Leave a Large Gap in Health Data Protection
The Act's exemptions appear to leave a large regulatory gap related to health information that the Washington legislature likely did not intend. Specifically, the Act generally exempts categories of information from other data privacy laws, without regard to limitations on the scope of such laws. For example, the Act exempts PHI, as defined under HIPAA. But HIPAA only applies to HIPAA-covered entities and business associates and therefore only protects PHI when held by covered entities or business associates. Because the Act's exemption is tied to the type of information (e.g., PHI) – and not to who maintains it (i.e., PHI held by covered entities and business associates) – it appears to leave PHI that is unprotected by HIPAA also unprotected by the Act when such data is no longer in the hands of a covered entity or business associate.
This gap will likely have consequences for consumers. For example, the federal government has been engaged in a years-long effort to improve interoperability and exchange of health information. This includes requiring certain health care providers to make PHI available through application programming interfaces ("APIs") so that consumers can readily download their health information to the consumer application of their choice. After the information is downloaded on the consumer's app, it still technically qualifies as PHI under HIPAA because it is individually identifiable health information that was created by a health care provider. But it will no longer be protected by HIPAA, and based on the Act's exemption, this highly sensitive health information arguably will be exempt from – and therefore unprotected by – the Act as well. In this case, a consumer would need to rely on other laws, such as Section 5 of the Federal Trade Commission Act, with respect to the privacy and security of such sensitive health data.
Law Enforcement Access
Unlike other states that have taken steps since the Supreme Court's decision in Dobbs v. Jackson Women's Health Organization to prohibit health care providers from releasing certain medical information related to reproductive care to law enforcement,[2] the Act does not specifically address law enforcement access to CHD. However, when Governor Inslee signed the Act, he also signed HB 1469, which prohibits Washington recipients from complying with out-of-state subpoenas, court orders, warrants, and extradition requests regarding gender and reproductive health care for in-state residents as well as those from other states who come to Washington to obtain "protected health care services," which is defined to include gender-affirming treatment and reproductive health care services. In addition, Washington providers of electronic communications services (such as ILECs and ISPs) are also prohibited from providing records or information in response to subpoenas, warrants, court orders, or other civil or criminal legal process that relates to an investigation into, or the enforcement of, another state's law that asserts criminal or civil liability for the provision, receipt, attempted provision or receipt, assistance in the provision or receipt, or attempted assistance in the provision or receipt of protected health care services that are lawful in the state of Washington.
This may fill the gap in the Department of Health and Human Services Office for Civil Rights (OCR) proposed amendments to HIPAA that would further safeguard the privacy of reproductive health care information in the wake of Dobbs but that would apply only to PHI and therefore would not apply to CHD.
Enforcement by the Attorney General and Consumers
A violation of the Act is an "unfair or deceptive act in trade or commerce and an unfair method of competition" subject to and actionable under Washington's consumer protection act, RCW 19.86 ("WCPA"). The WCPA allows any person[3] "injured in his or her business or property" by a violation of the WCPA to bring a civil action for injunctive and monetary relief to recover "actual damages sustained," which may be trebled but not to exceed $25,000, plus costs and attorney's fees. This privacy-related private right of action is similar to the Illinois Biometric Privacy Act ("BIPA"), although the Act here does not provide for statutory damages, only for actual damages sustained. Some precedent suggests that plaintiffs may not assert WCPA claims for "personal injuries," while other precedent suggests that information privacy violations may constitute an injury to property, so courts will need to determine the nature of violations related to CHD that constitute a violation of the Act, as it is clear that the legislature intended violations of the Act to be actionable under the WCPA.
But beyond a BIPA-like private right of action, "claimants" (not defined in the Act) in a "private action" (suggesting only those injured in their "business or property") alleging "an unfair or deceptive act or practice … may establish that the violation is injurious to the public interest" because it violates a statute that incorporates the WCPA (like the Act) or the violation "(a) injured other persons; (b) had the capacity to injure other persons; or (c) has the capacity to injure other persons." While there is no separate provision for injunctive or declaratory relief under this provision, and the private right of action provision does allow for injunctive relief where there is an injury to a consumer's business or property, this section might allow for an injured consumer to seek a declaratory ruling that could thereafter be used by others to establish their own claim for damages. In addition to the private right of action, and similar to the other state privacy laws that allow for enforcement by the state attorney general, the Washington attorney general may investigate violations of the WCPA and bring an action "in the name of the state, or as parens patriae on behalf of persons residing in the state," for injunctive and monetary relief, "as may be necessary to restore to any person in interest any moneys or property, real or personal, which may have been acquired, regardless of whether such person purchased or transacted for goods or services directly with the defendant or indirectly through resellers."
Takeaways
- Regulated entities will need to review whether they have any information that may fall under the broad definition of CHD and, if so, whether they have a potential nexus with Washington State (either because they collect CHD of Washington residents or because they or their processors retain, process, or otherwise "collect" CHD in Washington).
- Even if an entity is unlikely to target its products and services to Washington residents, the entity should consider whether it can take data localization steps to control where any CHD is collected (i.e., stored, analyzed, or otherwise processed) to minimize the risk of triggering the Act.
- To account for the broad reach of the Act, regulated entities should consider whether to put in place national or even international compliance programs. For example, a regulated entity's limitations on geofencing may need to be applied outside of the state of Washington to avoid risk related to Washington residents traveling out of state or data related to non-Washington residents becoming processed within Washington.
- Regulated entities will need to create new notices and policies for CHD and implement mechanisms to address consumer rights under the Act.
- Regulated entities (and ISPs and ILECs) will need to assess whether a subpoena, order, or warrant served by law enforcement relates to reproductive health services.
- Regulated entities will need to implement additional consent mechanisms if they are collecting or sharing CHD for any purpose other than as necessary to deliver the product or service.
- Regulated entities may need to implement additional tracking mechanisms with respect to CHD that is disclosed to third parties, especially if such a disclosure could be categorized as a sale, including maintaining a list of third-party recipients of CHD, contact information for each third party, and notification procedures to notify them of a deletion request.
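The last takeaway, the "Access" right (list of third parties and affiliates with a contact mechanism for each) and the "Deletion" duty (purge archives and backups within six months of authenticating the request, and notify every recipient) can all be served by one disclosure ledger. The following is an added example, not code from the law firm or any vendor: the access report lists third parties and affiliates only, since disclosures to a processor acting on the entity's instructions are not "sharing," while the deletion plan lists recipients of every kind, because the Act's notification duty names affiliates, processors, contractors and other third parties. The recipient kinds, the data model, the `sample_ledger` data with its fictional parties, and the month arithmetic are assumptions; the Act fixes the duties, not the format.

```python
"""Ledger of CHD disclosures backing the Act's "Access" and "Deletion" rights.

Added example; the data model, recipient vocabulary and sample parties are
assumptions, the six-month backup deadline and notification duty are the Act's.
"""
import calendar
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Recipient:
    name: str
    kind: str     # assumed vocabulary: third_party, affiliate, processor, contractor
    contact: str  # active email address or other online contact mechanism


@dataclass(frozen=True)
class Disclosure:
    consumer_id: str
    recipient: Recipient
    categories: tuple   # CHD categories disclosed, e.g. ("prescription purchases",)
    was_sale: bool      # a sale needs a valid authorization; sharing needs consent
    on: date


def as_date(value) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to the target month's length."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


class DisclosureLedger:
    def __init__(self):
        self._by_consumer = defaultdict(list)

    def record(self, disclosure: Disclosure) -> None:
        self._by_consumer[disclosure.consumer_id].append(disclosure)

    def access_report(self, consumer_id: str) -> list:
        """Third parties and affiliates that received the consumer's CHD, de-duplicated,
        with contact details, whether any disclosure was a sale, and the categories."""
        entries = {}
        for d in self._by_consumer.get(consumer_id, []):
            if d.recipient.kind not in ("third_party", "affiliate"):
                continue  # processor disclosures are not "sharing" under the Act
            e = entries.setdefault(d.recipient, {"name": d.recipient.name, "contact": d.recipient.contact,
                                                  "sold": False, "categories": set()})
            e["sold"] = e["sold"] or d.was_sale
            e["categories"].update(d.categories)
        report = sorted(entries.values(), key=lambda e: e["name"])
        for e in report:
            e["categories"] = sorted(e["categories"])
        return report

    def deletion_plan(self, consumer_id: str, authenticated_on) -> dict:
        """Work items triggered by an authenticated deletion request."""
        authenticated_on = as_date(authenticated_on)
        recipients = sorted({d.recipient for d in self._by_consumer.get(consumer_id, [])},
                            key=lambda r: r.name)
        return {
            "authenticated_on": authenticated_on,
            # archives and backups may lag live records, but no more than six months
            "backup_purge_deadline": add_months(authenticated_on, 6),
            # every affiliate, processor, contractor and third party that ever received the CHD
            "notify": [{"name": r.name, "kind": r.kind, "contact": r.contact} for r in recipients],
        }


def sample_ledger() -> DisclosureLedger:
    """Constructed sample data (fictional parties) for one consumer."""
    ad = Recipient("Ad Partner LLC", "third_party", "privacy@ad-partner.invalid")
    aff = Recipient("Affiliate Co", "affiliate", "https://affiliate.invalid/privacy")
    host = Recipient("Cloud Host Inc", "processor", "dpo@cloud-host.invalid")
    ledger = DisclosureLedger()
    ledger.record(Disclosure("c-1001", ad, ("prescription purchases",), True, date(2024, 5, 2)))
    ledger.record(Disclosure("c-1001", aff, ("wellness app activity",), False, date(2024, 5, 9)))
    ledger.record(Disclosure("c-1001", host, ("prescription purchases",), False, date(2024, 4, 1)))
    ledger.record(Disclosure("c-1001", ad, ("wellness app activity",), True, date(2024, 6, 3)))
    return ledger
```

The ledger is append-only by design: an access report or a deletion plan is only complete if every disclosure, including those to processors and contractors, was recorded at the time it happened, so the `record` call belongs in the code path that performs the disclosure, not in a later reconciliation job.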
[1] "Personal information" means "information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer."
[2] See Cal. Civ. Code § 56.108 (prohibiting a health care provider from releasing, in response to a subpoena or request under another state's laws, medical information related to an individual seeking or obtaining an abortion).
[3] For the purpose of the section authorizing a private right of action for violations of the WCPA for unfair or deceptive acts or practices (among other violations), a "person" authorized to bring suit "includes the counties, municipalities, and all political subdivisions of this state."