Takeaways from Washington's Sweeping Health Privacy Bill - Data, Privacy & Cybersecurity Insights

On April 27, Washington Gov. Jay Inslee signed into law the state’s sweeping health privacy bill – the My Health Data Act.[1]

The act, which establishes a comprehensive privacy framework for entities that do business in the state and that handle consumer health data, will take effect less than a year from now on March 31, 2024.[2]

The act presents a daunting challenge for covered businesses that must comply with its requirements, given its broad reach, substantial obligations and ambiguous language.

Furthermore, its strict biometric privacy rules as well as the fact that it conveys a private right of action for consumers to sue companies for violating the act all but guarantee that the new act will be a very significant development in the consumer health space.

Background

Washington was among the earliest states to propose a comprehensive consumer privacy law when lawmakers introduced the Washington Privacy Act in January 2020.[3]

This bill shared many similarities with the California Consumer Privacy Act. However, the bill has been stuck in legislative limbo while other states — including Virginia,[4] Colorado,[5] Connecticut,[6] Utah,[7] Iowa[8] and Indiana[9] — have passed laws on consumer privacy that in many ways mimic the CCPA but do not go as far in certain important respects.

The primary cause of the failure of the Washington Privacy Act to pass was lawmakers’ disagreement over the inclusion of a private right of action.

Years later, in response to concerns about the perceived inadequate protections for consumer health data privacy that were amplified in 2022, Washington passed the act that purports to fill the gap in privacy protections for information broadly related to an individual’s health held by any business — not just entities regulated by the Health Insurance Portability and Accountability Act.[10]

According to its sponsors, the law has a broad intent to “close an egregious legal loophole that allows nonhealth care organizations to collect, share or sell private health information,” including “collecting data on specific locations related to reproductive and gender-affirming care.”[11]

Key Requirements

Scope and Applicability

The act applies to regulated entities, a term that includes any legal entity that conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington.

Under the act, a regulated entity also determines the purposes and means of collecting, processing, sharing or selling consumer health data — akin to a “controller” under the European General Data Protection Regulation, or a “business” under the CCPA.

Unlike current comprehensive state privacy laws, the act does not establish a minimum number of data subjects or revenue threshold that companies must meet in order to fall within the act’s scope.

“Consumer” is defined to include not only Washington residents, but also individuals whose consumer health data is collected in Washington.

The act’s definition of consumer excludes individuals acting in an employment or business-to-business context.

Covered Data

The act protects consumer health data, broadly defined to include any personal information that is reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status.

The act provides 13 nonexhaustive categories that count as physical or mental health status of the consumer, such as information about health diagnoses, medication purchase or use, biometric data, gender-affirming care information, reproductive and sexual health information.

This also includes any data derived from nonhealth related information, such as inferences, proxies or algorithms, used to identify consumers with the physical or mental health data points listed in the act.

Consumer health data also includes location data indicating a consumer’s attempt to receive certain health care services, defined to mean any service provided to a person to assess, measure, improve or learn about a person’s mental or physical health.

In taking such a broad interpretation of the definition of consumer health data, the act embraces information not traditionally thought of as health data under existing privacy regimes — such as location data — under its newly established protections.

In this way, the act reflects a regulatory trend to enhance safeguards for sensitive health-related data not historically protected by laws such as HIPAA.

For example, the Federal Trade Commission‘s complaint issued against BetterHelp Inc. in March recognized the sensitivity of health information that broadly included not only information about a consumer’s past use or current enrollment in the company’s therapy services, but also the consumer’s general interest in obtaining these services. [12]

Key Obligations for Regulated Entities

Under the act, a regulated entity must maintain and publish a consumer health data privacy policy. It is unclear if the law will require this policy to be separate from a company’s existing privacy policies.

The policy must disclose:

The categories of consumer health data collected;
The purpose and use of collection;
The sources from which data is collected;
The categories of data that may be shared
The entities with which data may be shared; and
A consumer’s rights under the law.

Regulated entities are barred from collecting, using or sharing consumer health data, or additional categories of such data, for purposes not disclosed in the consumer health data privacy policy without first disclosing the additional purposes and obtaining the consumer’s affirmative consent.

The act requires a regulated entity to obtain a consumer’s affirmative opt-in consent to collect consumer health data, unless the collection is necessary to provide a product or service that the consumer has requested from that entity.

It should be emphasized that “collect” is defined broadly to include buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving or otherwise processing consumer health data in any manner.

Regulated entities must obtain a separate consent for sharing the data, unless the sharing is necessary to provide a product or service the consumer requested.

The act prohibits any person, not just regulated entities, from selling or offering to sell consumer health data without first obtaining a valid authorization signed by the consumer. Such authorization is distinct from the consent that regulated entities must obtain to collect or share consumer health data.

Additionally, the act prohibits any person or entity from implementing a geofence around facilities that provide in-person health care services, if the geofence is used to:

Identify or track consumers seeking health care services;
Collect consumer health data from consumers; or
Send notifications, messages or advertisements to consumers concerning their consumer health data or health care services.

Consumer Rights

The act provides consumers with a series of rights that are similar to the rights granted under the CCPA, GDPR and other omnibus privacy laws.

Under the act, consumers have the right to confirm whether a regulated entity is collecting, sharing or selling their consumer health data and the right to access this data.

The right to information under the act is extensive, providing a consumer with the right to know all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and requires the regulated entity to provide the consumer with a means to contact those third parties.

Additionally, the act provides consumers with the right to request deletion of their health data and the right to withdraw consent to collection or sharing at any time.

If a consumer requests to have their health data deleted, the regulated entity must also delete it from archived or backup systems, and notify all affiliates, processors and other third parties with whom the regulated entity has shared the data, who must honor the deletion request as well.

Processor Obligations

The act imposes relatively few obligations on processors — defined as “a person that processes consumer health data on behalf of a regulated entity.”

Processors are required to only process consumer health data pursuant to a contract with regulated entities and in accordance with their instructions and must assist regulated entities in meeting their obligations.

Exemptions

Similar to other state consumer privacy laws, the act recognizes several entity-based and data-type exemptions.

For example, the act does not apply to protected health information governed by HIPAA or data regulated by the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act or the Family Educational Rights and Privacy Act.

Moreover, the act does not apply to government agencies or contracted service providers when processing consumer health data on behalf of a governmental agency, nor does the act apply to deidentified data.

Enforcement

The act will be enforced by the Washington attorney general’s office and through a private right of action by way of the Washington Consumer Protection Act.

Significantly, the act’s private right of action applies to any violation, a much broader right than granted by the CCPA that arises only from certain security breaches.

What Makes the Act Unique

While the act shares a considerable number of similarities with other state and sectoral privacy laws, there are aspects that are unique to the legislation and that suggest that the act will have a significant impact.

First, unlike other health and consumer privacy legislation, the act includes definitions for gender-affirming care information and reproductive or sexual health information and, as described above, includes those terms under the umbrella of consumer health data.

The explicit inclusion of these concepts reflects the fact that the Legislature intended to leave no ambiguity as to whether information related to abortion care and transgender health matters is subject to the privacy protections afforded by the law.

Second, these terms explicitly encompass “precise location information that could reasonably indicate a consumer’s attempt to acquire or receive” the respective services. Unlike other privacy laws, the act prohibits any person or entity from geofencing health care facilities for the purpose of identifying or collecting data from consumers.

The legislation’s focus on geolocation data not only highlights the inherent sensitivity surrounding an individual’s whereabouts, but also reflects the desire of Washington lawmakers to prevent inferences that an individual received care that may be stigmatized or criminalized in other jurisdictions.

Third, while statutes like the CCPA and Virginia’s Consumer Data Protection Act explain that those laws shall not be construed to restrict a regulated entity’s ability to comply with federal, state and local laws, the act contains an exception solely for compliance with Washington state and federal law, conspicuously narrowing the qualification by omitting reference to other states’ laws.

This may reflect the Legislature’s attempt to account for laws in other jurisdictions that may be antithetical to the act’s goals of safeguarding certain categories of health data.

Lastly, the act’s broad private right of action is seldom found in other pieces of privacy legislation.

One of the few state laws that does contain a private right of action — the Illinois Biometric Information Privacy Act — has spawned significant litigation since its enactment, which suggests that businesses regulated by the Washington law can expect to be in the crosshairs of the plaintiffs class action bar.

Conclusion

Although the act is the first consumer health privacy law to pass, it reflects a growing trend of introducing new or additional privacy protections for consumer health information beyond the scope of HIPAA.

For example, health data privacy bills have been introduced in New York;[13] Illinois;[14] Virginia, via companion bills HB2219[15] and SB1432;[16] Massachusetts, via companion bills HD3855[17] and SD2118;[18] and Nevada.[19]

In addition, certain states are also considering legislation that is more narrowly designed to protect those seeking access to, or providing, reproductive health care services or gender-affirming care, such as Washington’s recently passed Shield Law,[20] and a new law proposed in New York.[21]

Whether the act and other state legislative activity in this area ultimately prompts federal privacy legislation governing health care data beyond what is protected by HIPAA remains to be seen.

However, for now, businesses in the state of Washington must nevertheless prepare to strengthen protections for a broad array of consumer health data in a relatively short timeframe.

This article was originally published on Law360 on May 9, 2023. Read the original article here.

[1] https://app.leg.wa.gov/billsummary?BillNumber=1155&Initiative=false&Year=2023.

[2] https://lawfilesext.leg.wa.gov/biennium/2023-24/Pdf/Bills/House%20Passed%20Legislature/1155-S.PL.pdf.

[3] https://app.leg.wa.gov/billsummary?BillNumber=6281&Initiative=false&Year=2019.

[4] https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/.

[5] https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf.

[6] https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF.

[7] https://le.utah.gov/~2022/bills/sbillenr/SB0227.pdf.

[8] https://www.legis.iowa.gov/legislation/BillBook?ga=90&ba=SF%20262.

[9] https://iga.in.gov/legislative/2022/bills/senate/358#document-94d6d82c.

[10] https://lawfilesext.leg.wa.gov/biennium/2023-24/Pdf/Bills/House%20Passed%20Legislature/1155-S.PL.pdf.

[11] https://www.governor.wa.gov/news-media/inslee-and-legislators-begin-rolling-out-reproductive-freedom-policies-2023-legislative.