Washington Gov. Jay Inslee signed the My Health, My Data Act into law on Thursday morning, making the state the first in the nation to codify into law broad protections for consumer health data.
The law requires companies to get consent from consumers to collect, share or sell health data, which is defined broadly as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”
It prohibits advertising companies from using geofence technology in particular locations, such as health care facilities, to collect and sell data. It also provides for a private right of action that enables consumers to sue companies that don’t get their explicit consent to use their data. The state’s attorney general can take civil action on behalf of consumers under the act.
Washington Attorney General Bob Ferguson and three state lawmakers introduced the My Health, My Data act last October in response to the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade. In a news release about the act, Ferguson cited concerns about apps used to track menstrual cycles, which can sell sensitive information to law enforcement agencies in other states where seeking abortion care is illegal or limited.
The act also seeks to fill gaps left by the federal Health Information Portability and Accountability Act, or HIPAA, as it only pertains to health data collected by health care providers.
“Health data collected by non-covered entities, including certain apps and websites, are not afforded the same protections. This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers’ health data,” the law reads.
Felicity Slater, a policy fellow at the Future of Privacy Forum, told StateScoop in an email that by being the first of its kind, the Washington law sets new standards for the protection of personal health data not covered by HIPAA.
“The act’s broad scope and exacting requirements could create compliance hurdles for a wide range of covered entities, and its private right of action provides a private enforcement mechanism not usually available under U.S. privacy laws,” Slater wrote.
Lawmakers in other states — including Illinois, Massachusetts, New York and Nevada — are shopping around their own versions of legislation that would enforce data protections beyond HIPAA. Slater said Washington’s bill was used as the model for several of them, each of which are slightly different. Nevada’s bill, for instance, contains a tighter definition of “consumer health data” and Massachusetts‘ doesn’t contain geofencing restrictions.
Most of the provisions in Washington’s new law are set to take effect on March 31, 2024. However, for “small businesses,” or companies that collect, process, sell or share the data of fewer than 100,000 consumers per calendar year, the start date is June 30, 2024.