Washington Governor Jay Inslee has signed the My Health, My Data Act into law.

Here are some key takeaways.

Approach to privacy: The people of Washington regard their privacy as a fundamental right and an essential element of their individual freedom. Since not all health data is covered by HIPAA, this law aims to address non-HIPAA health data.

Effective date: March 31, 2024, but small businesses mostly have until June 30, 2024.

Scope: No fancy thresholds. Applies to ANY LEGAL ENTITY that (a) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; (b) collects, shares, or sells consumer health data; and (c) determines the purpose and means of the processing of consumer health data.

Biometric data: Broad definition that doesn’t require that the data actually be used to identify a person.

Collect: Basically “process” like in GDPR.

Consent: GDPR definition. You can’t put it in Section 47 of your notice.

Consumer: Same as other privacy laws, and carves out employees.

Consumer health data: Broad. Any personal information that identifies the consumer’s past, present, or future physical or mental health status, broadly defined to include things like use of prescriptions, bodily functions, vital signs, diagnostic testing, reproductive health, and precise location information that could reasonably indicate a health condition. It also covers “any information a business processes to associate or identify a consumer with health data even if extrapolated from nonhealth information.”

Deidentification: CPRA et al. definition of deidentification.

Sale: Including for non-monetary consideration.

Enforcement: A violation of the law is an unfair or deceptive act in trade or commerce and an unfair method of competition under Washington’s Consumer Protection Act. It is enforceable both by the Attorney General and through a private right of action.

Do’s and Don’ts:

  • Do collect health information if strictly necessary for the service, or if you got consent.
  • Do have a detailed privacy notice (CPRA-like but additional things)
  • Don’t collect, use, or share information for an additional purpose without first disclosing and getting consent
  • Don’t process sensitive information without consent, unless necessary to provide the product/service
  • Don’t share health data without consent, unless necessary to provide the product/service
  • Do give your consumers rights: access, consent withdrawal, deletion
  • Do establish protections and access restrictions to the information
  • Do develop and enter into data processing agreements with all your processors
  • Don’t sell health data without authorization (which expires in 1 yr)
  • Don’t geofence around an entity that provides in-person health services to identify or track consumers, collect health data from them, or send them messages or advertisements related to health data or services.