Washington My Health My Data Act: Obligations

Washington’s My Health My Data Act was signed into law on April 27, 2023, by Governor Jay Inslee and comes into effect on two key dates:

• March 31, 2024 – large businesses
• June 30, 2024 – small businesses

The Act requires all organizations defined as a ‘Regulated Entity’ to meet extensive obligations including a new privacy notice and processes for managing consumer consent (opt-in).

Consumer Health Data Privacy Notice

A major obligation under Washington’s My Health My Data law is for organizations to update their privacy policies and notices before the Act comes into effect. A separate Consumer Health Data Privacy Notice must be published by the effective dates of the Act (above).

The text of the Act does not give much guidance on how organizations should manage a distinct Consumer Health Privacy Policy, though the Consumer Health Data Privacy Notice must be separate from the standard Privacy Notice and a link clearly and prominently displayed on an organization’s website homepage.

This new privacy notice must state:

• categories of consumer health data collected – and the purposes for collection;
• categories of consumer health data shared – and the purposes for sharing, accompanied by a list of third parties and affiliates with whom the regulated
• entity shares consumer health data;
• data sources from which consumer health data is collected – categorized extensively, including by type and location; and
• information on how consumers can exercise their privacy rights – including legal requirements for organizations to get their opt-in consent for collection, sharing and/or sale of their consumer health data outside what is strictly necessary to deliver a product or service (and act on withdrawal of consent); and the right to know, access, correct or delete their personal health information.

Addressing Consumer Requests

Regulated entities must comply with consumer requests to exercise any or all of their privacy rights. The only delay accepted is when a consumer requests deletion of their health data stored in a backup system, and the delay must not exceed six months from the date of the request’s authentication.

TrustArc Lawyer, Andrew Scott, warns the right to delete is all-encompassing:

“We should interpret the right to deletion is absolute and an organization must delete the data even if they would violate tax reporting obligations (for example) and except for security. The right to delete covers all copies of data stored in backups, archives and third parties – there is no common exception to comply with consumers’ right to delete beyond a normal basis. Organizations will be required to make modifications to compliance programs and decide which law will be violated.”

Consumer Health Data Opt-In Consents for Collection and Sharing

Regulated entities must get separate opt-in consents from consumers before collecting or sharing any consumer health data for any purpose not directly related to providing a product or service requested by a consumer – these consents must be separate.

Organizations are allowed to collect and share some consumer health data without consent, but only what is strictly necessary to deliver a service or product – not any extra data for other purposes.

The My Health My Data Act text in Sec 2 (27 a) defines “share or sharing” as meaning: “to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity or a small business to a third party or affiliate.”

Exclusions apply for some sharing of consumer health data:

• disclosure to a processor when the data shared is necessary to provide the goods or services requested by the consumer, in a manner consistent with the purpose of collecting the data that was disclosed to the consumer;
• disclosure to a third party with whom the consumer has a direct relationship – and only when:
  (a) the consumer health data disclosed is for purposes of providing the product or service requested by the consumer;
  (b) the regulated entity/small business maintains control and ownership of the consumer health data; and
  (c) the third party uses the consumer health data only at the direction of the regulated entity/small business and consistent with the purpose for which the data was collected and consented to by the consumer;
• disclosure or transfer of personal data to a third party as an asset in a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity’s/small business’s assets and complies with the requirements and obligations for consumer health data in the Act.

Valid Authorization to Sell Consumer Health Data

Regulated entities must also get a more detailed form of consent – valid authorization – before selling (or making available for sale) any consumer health data.

A valid authorization must include:

• details of the consumer health data intended for sale;
• consumer’s signature (authorizing the sale);
• date the consumer authorized the sale – and a one-year expiration date; and
• contact information for each of the organization/s or person/s collecting, selling or buying the consumer health data.

The My Health My Data Act text in Sec 2 (26 a) defines “sell or sale” as meaning: “the exchange of consumer health data for monetary or other valuable consideration”.

Exclusions apply for consumer health data sold to:

• a third party as an asset in a merger, acquisition, bankruptcy or other transaction (and the same requirements and obligations for third parties as those for shared data in such cases); or
• a processor when the exchange is consistent with the purpose for which the data was collected and consented to by the consumer.

Binding Contracts with Service Providers

Regulated entities under the Act must enter binding contracts with any service providers, which must include:

• instructions for how a provider can process consumer health data consistent with the contract;
• limits on what actions a provider may take with the consumer health data; and
• a requirement for the processor to help fulfill the regulated entity’s obligations under the Act.

Note: Sec 8 (1 c) warns that if a service provider fails to correctly follow a regulated entity’s instructions in their contract, or processes data in a manner outside the scope of their contract, the service provider will be considered a regulated entity/small business under the Act and subject to the same obligations.

Prohibits on The Use of Geofences

The Act states in Sec 10: “It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to:

• identify or track consumers seeking health care services;
• collect consumer health data from consumers; or
• send notifications, messages, or advertisements to consumers.”

Data Security Measures

The Act requires regulated entities to “preserve the integrity or security of systems” and “protect against or respond to security incidents, identify theft, fraud, harassment, malicious or deceptive activities,” or any illegal activity under Washington state of federal law.

Data security policies, practices, and processes must be established and maintained to restrict access to consumer health data so it can only be used by employees, processors, or contractors for intended and declared purposes which the consumer has requested and consented to – or for purposes strictly necessary to provide a requested service or product.

My Health My Data Act (Sec 7 (1 b) states data security must “at a minimum, satisfy reasonable standard of care within the regulated entity’s/small business’s industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.”