On April 27, the Washington State governor signed HB 1155 to enact the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data. The Act is intended to cover health data not covered by the Health Insurance Portability and Accountability Act.
The Act defines a regulated entity as any legal entity that conducts business in the state of Washington or engages with Washington residents that (alone or jointly with others) “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Government agencies, tribal nations, and contracted service providers that process such data on behalf of a government agency are exempt.
The Act increases privacy protections and outlines several requirements, such as
- Entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates);
- Entities must obtain consent from consumers prior to collecting, sharing, and selling their health data;
- entities are restricted from geofencing particular locations to collect and sell data; and
- entities are required to develop specific privacy disclosures. Consumers are also empowered with the right to have their health data deleted. The Act outlines numerous compliance elements relating to access restrictions, replying to consumers, and processor requirements. The Act also specifies the types of information and documents for which the Act is not applicable. In addition, the Act provides a private right of action to consumers and grants the state attorney general enforcement authority as well.
The Act is effective July 23. Regulated entities must comply by March 31, 2024, except for certain provisions applicable to small businesses that have until June 30, 2024 to comply.