New Washington Law Has Broad Implications For Protecting Consumer Health Data

On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (the "Act"), which will regulate the collection, use, and disclosure of "consumer health data" ("Consumer Health Data" or "CHD"). The Act is intended to provide stronger privacy and security protections for health-related information not protected under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), but a significant gap remains. In spite of its title and purported focus on the health information of Washington residents, a careful reading of the Act shows that it will have a much broader reach – both geographically and substantively. Most provisions of the Act come into effect on March 31, 2024, with small businesses required to comply by June 30, 2024. Some sections (e.g., Section 10 prohibition against "geofencing") do not provide effective dates. It is unclear whether those sections become effective on July 22, 2023, which would be 90 days after the end of the legislative session, as provided under Washington law, or whether failure to include an effective date for all sections of the Act was an oversight.

Whom the Act Covers

The Act applies to entities that conduct business in Washington, or that "produce" or "provide" products or services that are targeted to consumers in Washington, and that determine the purpose and means of collecting or using CHD ("regulated entities"). This includes "small businesses," which are regulated entities that: (a) collect, process, sell, or share the consumer health data of fewer than 100,000 consumers in a calendar year; or (b) derive less than 50% of gross revenue from collecting, processing, selling, or sharing CHD, and control, process, sell, or share the CHD of fewer than 25,000 consumers. Unlike other state privacy laws, the Act does not exempt these smaller businesses but merely postpones by three months the date by which small businesses must come into compliance.

Also unlike other state privacy laws that protect that state's residents, the Act defines "consumers" broadly to include not just Washington residents but also any natural person whose CHD is "collected" in Washington. And because the Act defines "collect" to mean "buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner," any regulated entity located anywhere – including outside of the U.S. – that retains or processes CHD in Washington, or that contracts with a "processor" (as defined in the Act, and including a cloud or other service provider) that retains, processes (e.g., stores) or allows access to CHD in Washington, will be subject to the Act with respect to the CHD of any natural person, regardless of where that natural person resides.

What Data the Act Covers

"Consumer health data" is broadly defined as personal information[1] that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. The Act includes a long, non-exhaustive list of data elements that comprise CHD (CHD "includes, but is not limited to" the elements listed) and covers some information that is not typically thought of as health-related. The list of CHD includes the following:

• Individual health conditions, treatments, diseases, or diagnoses
• Social, psychological, behavioral, and medical interventions
• Health-related surgeries or procedures
• Use or purchase of prescribed medication
• Bodily functions, vital signs, symptoms, or measurements of the information described in this listing
• Diagnoses or diagnostic testing, treatment, or medication
• Gender-affirming care information
• Reproductive or sexual health information
• Biometric data
• Genetic data
• Precise location information (within a radius of 1,750 feet) that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies
• Data that identifies a consumer seeking health care services (including gender-affirming care and reproductive or sexual health information)
• Any other information that a regulated entity or their processor processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).

While some of these data elements describe information that typically is associated with health-related conditions or treatment, some go far beyond that. For instance, the definition of CHD could capture grocery items purchased that might indicate someone is diabetic. Or it could be broadly interpreted to encompass a consumer's online browsing history showing a search for information about yoga studios or other wellness activities. An open question is when precise location information would reasonably indicate that a consumer has attempted to acquire – or has acquired – health care services or supplies. For example, it is not clear whether precise location information showing that someone went to a hospital is CHD because someone could visit a hospital for treatment or to visit a friend or family.

Most important, because "consumers" include any natural person whose CHD is "collected" (e.g., "retained" or "processed") in Washington, this could include the CHD of, for example, a New York resident whose search request is initially collected and analyzed by a company in California but later stored on or accessed from a server in Washington—including by a cloud services provider that hosts some of its customers' data in Washington.

The Act does not apply to such data in an employment (e.g., HR-related records) or commercial (i.e., B2B) context. De-identified data and publicly available data are excluded from the definition of "personal information" and therefore are not CHD. The Act includes a long list of other exemptions:

• Protected health information (PHI) as defined by HIPAA
• Health care information under Washington's Uniform Health Care Information Act
• Substance use disorder records collected, used, or disclosed pursuant to 42 C.F.R. Part 2
• Identifiable private information for purposes of certain federal laws governing human subjects research
• Certain peer review and health care quality improvement information and documents and HIPAA de-identified information
• Information originating from and intermingled with the above information that is maintained by a HIPAA-covered entity or business associate, a health care facility or health care provider under Washington's Uniform Health Care Information Act, or a substance use disorder program or its qualified service organization under 42 C.F.R. Part 2
• Information used only for public health activities or that is part of a limited data set (as defined under HIPAA)
• Certain claims and drug information collected as part of Washington State health care programs
• Personal information that is governed by and collected, used, or disclosed pursuant to:
  
  • The Gramm-Leach-Bliley Act
  • HIPAA (it is not clear why HIPAA is referenced both here and above)
  • The Fair Credit Reporting Act
  • The Family Educational Rights and Privacy Act
  • The Washington health benefit exchange and applicable statutes and regulations
  • Washington privacy rules adopted by the Washington insurance commissioner

  Regulated entities will need to carefully evaluate the information that they "collect" to determine what information could be deemed covered CHD, and they will need to be mindful of how such information is handled by the business and its cloud services provider or other processors to determine whether it has a nexus to Washington, however tenuous. One consequence of the Act may be that companies will implement data localization provisions, including in their contracts with cloud service providers and other processors, to prevent data from being stored, handled or otherwise "collected" in Washington.

  Key Provisions

  The Act imposes some of the most rigorous obligations in any state privacy law thus far, including:

  • Transparency: Regulated entities must maintain a specific "consumer health data privacy policy" containing certain disclosures about their collection, use, and disclosure of CHD and the consumer's rights with respect to CHD. Regulated entities must post a link to this policy on their homepage. While the Act does not expressly prohibit this policy from being combined with a regulated entity's general privacy policy, the requirement to include a separate link to the CHD policy on the homepage suggests that this is intended to be a standalone policy. In any event, it is clear that regulated entities must add yet another link to their homepage.
  • Consumer Consent: The Act requires regulated entities to obtain consent before collecting or sharing (which is distinct from selling) CHD. Requests for consent must include the following information: (1) the categories of CHD to be collected or shared; (2) the purposes for which such CHD will be collected or shared; (3) the categories of entities with whom the information will be shared; and (4) how a consumer can withdraw consent to future collection or sharing. As described below, when regulated entities sell—or even offer to sell – CHD, they must go through an even more rigorous process to obtain consent.
    • Collection: Consumers must grant a regulated entity opt-in consent for the "collection" of their CHD except when collection is necessary to provide a product or service that the consumer requests, and must grant new consent before a regulated entity may collect (or share, or use) additional categories of CHD not disclosed in the consumer health data privacy policy. Because "collection" is so broadly defined, this likely means that regulated entities will need to obtain opt-in consent for any processing (including analysis or retention) of CHD that is not required to provide the product or service requested, including – for instance – when CHD is used to offer coupons for previously purchased products or services.
    • Sharing: The Act defines "sharing" to mean releasing, disclosing, making available, providing access to, licensing, or otherwise communicating CHD to a "third party" or an "affiliate." As with "collection," a regulated entity must obtain consent from a consumer before "sharing" the consumer's CHD. Certain Disclosures are Exempt: The following disclosures are excluded from the definition and therefore do not require opt-in consent: (1) to a processor to provide a product or service that the consumer requests and in a manner consistent with the purpose for which the data was collected, as disclosed to the consumer; (2) to a third party with whom the consumer has a direct relationship so long as the sharing is: (i) for the purpose of providing the product or service requested; (ii) the regulated entity retains control and ownership over the CHD; and (iii) the third party uses the CHD only at the direction of the regulated entity consistent with the purpose for which the consumer gave consent at collection; and (3) to a third party as an asset in connection with a merger, acquisition, or similar transaction involving a change in corporate control, so long as the third party complies with the Act. No Bundling of Consent Requests: The consent for "sharing" must be "separate" and "distinct" from the consent obtained for "collection." Therefore, regulated entities cannot bundle consents to collect and share CHD.
    • Sales: A "sale" of CHD means any disclosure of such data in exchange for monetary or "other valuable consideration." The Act requires not only regulated entities but also any person to obtain a "valid authorization" from the consumer before selling or offering to sell the consumer's CHD. This "valid authorization" must be both "separate" and "distinct" from consents to collect or share and must be written in plain language and include the following:
      • The specific CHD concerning the consumer to be "sold"
      • The name and contact information of the person collecting and selling the CHD
      • The name and contact information of the purchaser of the CHD
      • A description of the purpose for the "sale," including how the CHD was gathered and how it will be used by the purchaser
      • A statement that the provision of goods and services may not be conditioned on signing the valid authorization
      • A statement that the consumer has the right to revoke the valid authorization at any time (and how to do so)
      • A statement that CHD sold may be subject to redisclosure by the purchaser and may no longer be protected by the Act
      • Signature of the consumer and date of signature
      • A statement that the valid authorization expires one year from the date of the consumer's signature

      Invalid Authorizations: The authorization will not be valid if the expiration date has passed, if it lacks all of the required information, has been revoked by the consumer, has been combined with one of the other documents to create a compound authorization, or if it conditions the provision of goods and services on the signing of the authorization.

      Recordkeeping: The seller and purchaser must retain copies of all valid authorizations for six years from the date of signature or the date when the valid authorization was last in effect, whichever is later. A copy of the signed valid authorization must be provided to the consumer as well.

      • Confirmation: Consumers have the right to confirm whether a regulated entity is collecting, sharing, or selling their CHD.
      • Access: Consumers may request access to their CHD and are also entitled to a list of all third parties and affiliates with whom CHD was shared or sold as well as an active email address or other online mechanism that the consumers may use to contact the third parties.
      • Withdrawal of Consent: Consumers may withdraw consent from collection or sharing of their CHD at any time (note that collection is defined broadly to include processing, accessing, and inferring).
      • Deletion: A regulated entity that receives a request from a consumer to delete the consumer's CHD must delete such information not just from its "records," but also "from all parts" of its "network, including archived or backup systems," except that it may delay deletion of CHD stored on such archived or backup systems for up to six months after authenticating the request. Regulated entities must also notify all affiliates, processors, contractors, and other third parties with whom the CHD was shared, and those entities also must delete such data.

      A Swing and a Miss? The Act Appears to Leave a Large Gap in Health Data Protection

      The Act's exemptions appear to leave a large regulatory gap related to health information that the Washington legislature likely did not intend. Specifically, the Act generally exempts categories of information from other data privacy laws, without regard to limitations on the scope of such laws. For example, the Act exempts PHI, as defined under HIPAA. But HIPAA only applies to HIPAA-covered entities and business associates and therefore only protects PHI when held by covered entities or business associates. Because the Act's exemption is tied to the type of information (e.g., PHI) – and not to who maintains it (i.e., PHI held by covered entities and business associates) – it appears to leave PHI that is unprotected by HIPAA also unprotected by the Act when such data is no longer in the hands of a covered entity or business associate.

      This gap will likely have consequences for consumers. For example, the federal government has been engaged in a years-long effort to improve interoperability and exchange of health information. This includes requiring certain health care providers to make PHI available through application programming interfaces ("APIs") so that consumers can readily download their health information to the consumer application of their choice. After the information is downloaded on the consumer's app, it still technically qualifies as PHI under HIPAA because it is individually identifiable health information that was created by a health care provider. But it will no longer be protected by HIPAA, and based on the Act's exemption, this highly sensitive health information arguably will be exempt from – and therefore unprotected by – the Act as well. In this case, a consumer would need to rely on other laws, such as Section 5 of the Federal Trade Commission Act, with respect to the privacy and security of such sensitive health data.

      Law Enforcement Access

      Unlike other states that have taken steps since the Supreme Court's decision in Dobbs v. Jackson Women's Health Organization to prohibit health care providers from releasing certain medical information related to reproductive care to law enforcement,[2] the Act does not specifically address law enforcement access to CHD. However, when Governor Inslee signed the Act, he also signed HB 1469, which prohibits Washington recipients from complying with out-of-state subpoenas, court orders, warrants, and extradition requests regarding gender and reproductive health care for in-state residents as well as those from other states who come to Washington to obtain "protected health care services," which is defined to include gender-affirming treatment and reproductive health care services. In addition, Washington providers of electronic communications services (such as ILECs and ISPs) are also prohibited from providing records or information in response to subpoenas, warrants, court orders, or other civil or criminal legal process that relates to an investigation into, or the enforcement of, another state's law that asserts criminal or civil liability for the provision, receipt, attempted provision or receipt, assistance in the provision or receipt, or attempted assistance in the provision or receipt of protected health care services that are lawful in the state of Washington.

      This may fill the gap in the Department of Health and Human Services Office for Civil Rights (OCR) proposed amendments to HIPAA that would further safeguard the privacy of reproductive health care information in the wake of Dobbs but that would apply only to PHI and therefore would not apply to CHD.

      Enforcement by the Attorney General and Consumers

      A violation of the Act is an "unfair or deceptive act in trade or commerce and an unfair method of competition" subject to and actionable under Washington's consumer protection act, RCW 19.86 ("WCPA"). The WCPA allows any person[3] "injured in his or her business or property" by a violation of the WCPA to bring a civil action for injunctive and monetary relief to recover "actual damages sustained," which may be trebled but not to exceed $25,000, plus costs and attorney's fees. This privacy-related private right of action is similar to the Illinois Biometric Privacy Act ("BIPA"), although the Act here does not provide for statutory damages, only for actual damages sustained. Some precedent suggests that plaintiffs may not assert WCPA claims for "personal injuries," while other precedent suggests that information privacy violations may constitute an injury to property, so courts will need to determine the nature of violations related to CHD that constitute a violation of the Act, as it is clear that the legislature intended violations of the Act to be actionable under the WCPA.

      But beyond a BIPA-like private right of action, "claimants" (not defined in the Act) in a "private action" (suggesting only those injured in their "business or property") alleging "an unfair or deceptive act or practice … may establish that the violation is injurious to the public interest" because it violates a statute that incorporates the WCPA (like the Act) or the violation "(a) injured other persons; (b) had the capacity to injure other persons; or (c) has the capacity to injure other persons." While there is no separate provision for injunctive or declaratory relief under this provision, and the private right of action provision does allow for injunctive relief where there is an injury to a consumer's business or property, this section might allow for an injured consumer to seek a declaratory ruling that could thereafter be used by others to establish their own claim for damages. In addition to the private right of action, and similar to the other state privacy laws that allow for enforcement by the state attorney general, the Washington attorney general may investigate violations of the WCPA and bring an action "in the name of the state, or as parens patriae on behalf of persons residing in the state," for injunctive and monetary relief, "as may be necessary to restore to any person in interest any moneys or property, real or personal, which may have been acquired, regardless of whether such person purchased or transacted for goods or services directly with the defendant or indirectly through resellers."

      Takeaways

      • Regulated entities will need to review whether they have any information that may fall under the broad definition of CHD and, if so, whether they have a potential nexus with Washington State (either because they collect CHD of Washington residents or because they or their processors retain, process, or otherwise "collect" CHD in Washington).
      • Even if an entity is unlikely to target its products and services to Washington residents, the entity should consider whether it can take data localization steps to control where any CHD is collected (i.e., stored, analyzed, or otherwise processed) to minimize the risk of triggering the Act.
      • To account for the broad reach of the Act, regulated entities should consider whether to put in place national or even international compliance programs. For example, a regulated entity's limitations on geofencing may need to be applied outside of the state of Washington to avoid risk related to Washington residents traveling out of state or data related to non-Washington residents becoming processed within Washington.
      • Regulated entities will need to create new notices and policies for CHD and implement mechanisms to address consumer rights under the Act.
      • Regulated entities (and ISPs and ILECs) will need to assess whether a subpoena, order, or warrant served by law enforcement relates to reproductive health services.
      • Regulated entities will need to implement additional consent mechanisms if they are collecting or sharing CHD for any purpose other than as necessary to deliver the product or service.
      • Regulated entities may need to implement additional tracking mechanisms with respect to CHD that is disclosed to third parties, especially if such a disclosure could be categorized as a sale, including maintaining a list of third-party recipients of CHD, contact information for each third party, and notification procedures to notify them of a deletion request.

      [1] "Personal information" means "information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer."

      [2] See Cal. Civ. Code § 56.108 (prohibiting a health care provider from releasing, in response to a subpoena or request under another state's laws, medical information related to an individual seeking or obtaining an abortion).

      [3] For the purpose of the section authorizing a private right of action for violations of the WCPA for unfair or deceptive acts or practices (among other violations), a "person" authorized to bring suit "includes the counties, municipalities, and all political subdivisions of this state."