By: Scott M. Lupiani, EQ.,Member

It is well known that the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security regulations have limitations on their reach. One such limitation is that HIPAA only applies to covered entities and their business associates, not health data in general. To address this issue, Washington’s legislature passed House Bill 1155 on April 17, 2022, also known as the My Health, My Data Act (the Act). The bill aims to regulate health data collected by entities not covered by HIPAA, (think apps and websites).

If signed into law, it will take effect on March 31, 2024, with certain parts of the legislation possibly taking effect earlier.

Under the Act, a “Regulated Entity” is defined as an entity that conducts business in Washington, produces or provides products or services targeted to consumers in Washington, and determines the purposes and means of collecting, processing, sharing, or selling consumer health data. The law creates a subgroup of Regulated Entities called “small businesses” to provide additional time to comply. Small businesses collect, process, sell, or share consumer health data of fewer than 100,000 consumers during a calendar year or derive less than 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data and control, process, sell, or share consumer health data of fewer than 25,000 consumers.

The Act is intended to protect “consumer health data,” defined as personal information that identifies a consumer’s past, present, or future physical or mental health status, linked or reasonably linkable to a consumer. Health status includes:

• Individual health conditions
• Treatment
• Diseases
• Diagnosis
• Social, psychological, behavioral, and medical interventions
• Health-related surgeries or procedures
• Use or purchase of prescribed medications
• Bodily functions, vital signs, symptoms, or measurements of health-related functions
• Diagnoses or diagnostic testing
• Treatment or medication
• Gender-affirming care information
• Reproductive or sexual health information
• Biometric data
• Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services and supplies, and data that identifies a consumer seeking health care services

Under the Act, a protected consumer is a natural person who is a Washington resident or a natural person whose consumer health data is collected in Washington. The law only protects consumers for actions taken as individuals or on behalf of a household and not actions taken by an individual in an employment context.

Consumers have several rights under HIPAA with respect to their protected health information (PHI). The Act provides consumers with the right to:

• Confirm whether their consumer health data is being collected, shared, or sold
• Consent to or deny the collection or sharing of health data
• Withdraw consent from a regulated entity or small business to collect or share health data
• Delete health data collected by a regulated entity or small business
• Be provided clear and conspicuous disclosure of rights to consent or deny collection or sharing of health data

Regulated entities and small businesses must maintain a consumer health data privacy policy prominently on their homepages that includes categories of:

• Consumer health data collected and the purpose for which the data is collected
• Sources from which the consumer health data is collected
• Consumer health data that are shared
• A list of third parties and specific affiliates with whom consumer health data is shared

The Act also mandates contracts be in place with processors of consumer health data and codifies specific data security obligations for regulated entities and small businesses, including specific access management requirements. Regulated entities and small businesses may not discriminate against a consumer for exercising any rights included under the law. They must also respond to requests from consumers to withdraw consent to collect or share health data and to delete their consumer health data.

The law makes it unlawful for any person (not merely Regulated Entities or Small Businesses) to implement geofence technology around an entity that provides in-person health care services used to:

• Identify or track consumers seeking health care services
• Collect consumer health data from consumers
• Send notifications, messages, or advertisements to consumers related to their consumer health data or health care services

The Act is enforceable either by the Washington’s State Attorney General or via a statutory private right of action by affected consumer(s).