The Washington My Health My Data Act was passed in April 2023 to expand privacy protections for personal health data. So far, only the law's geofencing requirements are enforceable. On March 31, 2024, the remaining stringent requirements of this law will become fully effective for all organizations subject to it, except for small businesses, which must comply by June 30, 2024. Unlike other privacy laws, this law does not set a minimum number of data subjects or a revenue threshold.
What is the law?
This law gives consumers certain privacy rights and protections regarding their health data. It targets consumer health data that falls outside the scope of the Health Insurance Portability and Accountability Act (HIPAA) and is intended to prevent such data from being collected and shared without consent. The law broadly defines consumer health data as “personal information associated with, or reasonably capable of being associated with, a consumer that identifies the consumer's past, present, or future physical or mental health condition.”
The Washington State Attorney General may enforce the law under the state's Consumer Protection Act, which also provides consumers with a private right of action to seek damages for alleged violations.
Who is covered by this law?
The Washington State Attorney General's website explains:
“Generally, all individuals and businesses doing business in (or providing services or products to) Washington that collect, process, share, or sell consumer health data are affected by this law.”
There are a number of important exceptions. For example, government agencies, tribal nations, and their contracted service providers are not subject to the law. Also outside of scope are employee data, B2B data, and certain health information that are subject to existing laws and regulations. However, note that HIPAA-covered entities and business associates may be subject to this law and should take care to understand how it applies to them.
What are the requirements of this law?
Broadly speaking, a person subject to the law must:
- Maintain a Consumer Health Data Privacy Policy in a prominent and easily accessible location. It includes various consumer rights disclosures and describes how the organization collects, uses, and shares consumer health data.
- Obtain opt-in consent from consumers before collecting, sharing, or using consumer health data unless processing is “necessary.” Such consent must be freely given, specific, informed, voluntary and unambiguous. This means, for example, that separate consent must be obtained for the collection of a consumer's health data and for the sharing of that consumer's health data.
- Obtain valid permission from consumers to sell or offer to sell consumer health data, and conduct such activities strictly in accordance with the law.
- Respect consumer privacy rights. This includes the rights to access and delete data and to withdraw consent, without undue delay and in accordance with the law.
- Implement and maintain administrative, technical and physical data security practices. This includes restricting access to consumer health data to key employees and third parties.
- Enter into and comply with a detailed and specific data processing agreement in order to (1) lawfully transfer consumer health data to a processor (or service provider), where directly regulated by the law; or (2) if you are a processor, lawfully process consumer health data under the Act. Deviations in performance can change a person's or organization's obligations under the law.
- Set geofencing limitations to prevent the tracking of individuals, transmission of communications, and collection of consumer health data where consumers receive in-person health care services.
How should companies respond?
For those covered by this law, now is the time to assess your preparedness. Review the law's requirements and identify compliance gaps that need to be addressed. If you are unsure about the applicability of this law or would like more information, please visit the Washington State Attorney General's website or consult an attorney. We will continue to track developments related to this law and other changes in the legal landscape that may impact the healthcare industry as a whole.