My Health, My Data Act: Frequently Asked Compliance Questions
On April 27, 2023, Washington State Governor Jay Inslee signed the My Health, My Data Act. Below is a list of frequently asked questions related to this groundbreaking law.
What is the Purpose of the My Health, My Data Act?
According to the Washington State Legislature, the purpose of the My Health, My Data Act (the “Act”) is to provide stronger privacy safeguards for the health data of all Washington State consumers. While laws like HIPAA require certain health care entities to protect health data, entities that are not subject to HIPAA (for example, tech companies) lack the same obligations. To fill this gap, the Act imposes privacy and security requirements on businesses that are not currently subject to health information privacy or security laws.
What Businesses Are Subject to the Act?
The Act applies to “regulated entities” and “small businesses.”
A “regulated entity” means a legal entity that meets two criteria: (a) it conducts business in Washington or offers products or services specifically aimed at Washington consumers, and (b) it independently or in collaboration with others determines the purpose and methods of collecting, processing, sharing, or selling consumer health data.
A “small business” means a regulated entity that meets one or both of the following criteria: (a) it collects, processes, sells, or shares consumer health data for fewer than 100,000 consumers in a calendar year, or (b) it earns less than 50% of its gross revenue from the collection, processing, selling, or sharing of consumer health data, and it controls, processes, sells, or shares consumer health data for fewer than 25,000 consumers.
The requirements on regulated entities and small businesses are generally the same under the Act, but the compliance date for small businesses is June 30, 2024, versus March 31, 2024, for other regulated entities. This article will refer to regulated entities and small businesses collectively as “regulated entities.”
What Businesses and Information are Exempt from the Act?
The Act does not apply to certain types of information, including:
- Protected health information maintained by covered entities or business associates under HIPAA
- Substance use disorder information under 42 CFR Part 2
- Health care information collected under specific statutes, including information maintained by health care facilities or providers under the Washington State Uniform Health Care Information Act or the Washington State quality assurance privilege statutes
- Identifiable private information for research purposes
- Information created and maintained for the purposes of the federal Health Care Quality Improvement Act or the federal Patient Safety and Quality Improvement Act
- De-identified information
- Information used for public health activities, and
- Personal information governed by other laws.
In addition, the Act does not apply to government agencies, tribal nations, and contracted service providers that process consumer health data on behalf of a government agency.
Please contact us for a more complete analysis of the various entities and information that are exempt from the Act.
What are the Basic Requirements of the Act?
A regulated entity is prohibited, except as permitted under the Act, from collecting consumer health data unless:
- The consumer has provided consent for the specific purpose of collection; or
- The collection of consumer health data is necessary to provide a product or service requested by the consumer.
Similarly, a regulated entity cannot share consumer health data unless:
- The consumer has provided separate and distinct consent for such sharing; or
- The sharing of consumer health data is necessary to provide a product or service requested by the consumer.
In addition, regulated entities must maintain a Privacy Policy that clearly discloses how the entity collects and shares consumer health data and the consumer’s rights related to such data.
What Does “Consumer Health Data” Mean?
“Consumer health data” means personal information that is connected or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. This includes information such as health conditions, treatment, diseases, diagnoses, interventions, surgeries, medications, vital signs, gender-affirming care, reproductive or sexual health information, biometric and genetic data, location information that indicates an attempt to acquire health services, and other related information. It also covers data derived from non-health information that can be used to associate or identify a consumer with the health data listed above, including through algorithms or machine learning.
“Consumer health data” does not include personal information used for public or peer-reviewed scientific, historical, or statistical research that complies with applicable ethics and privacy laws and that is approved by an oversight entity which ensures privacy safeguards and mitigates the risks of reidentification.
The term “personal information,” as used in the definition of consumer health data, generally includes data associated with a persistent unique identifier such as a cookie ID, IP address, or device identifier. Personal information does not include publicly available information or deidentified data.
What are the Requirements for Consumer Consent under the Act?
The consent signed by each consumer must clearly disclose the categories of data collected or shared by the regulated entity, the purpose of collection or sharing, the entities with whom the data is shared, and how the consumer can withdraw consent in the future.
“Consent” is defined as an explicit and affirmative action that demonstrates a consumer’s voluntary, specific, informed, opt-in, and unambiguous agreement. A consumer’s agreement can be obtained through various means, including written consent provided electronically.
However, certain methods cannot be used to obtain consumer consent, including:
- Acceptance of a general or broad “terms of use” agreement or a similar document that includes descriptions of personal data processing along with unrelated information.
- Consumer actions such as hovering over, muting, pausing, or closing a particular piece of content.
- Consumer agreement obtained through the use of deceptive designs, which manipulate or mislead the consumer.
What are the Requirements of the Privacy Policy?
Each regulated entity needs to maintain a Privacy Policy with the following information:
- Categories of consumer health data collected, the purpose of collection, and how the data will be used.
- Categories of sources from which consumer health data is collected.
- Categories of consumer health data that is shared.
- List of third parties and specific affiliates with whom the regulated entity shares consumer health data.
- Information on how consumers can exercise their rights outlined in the Act.
Regulated entities are also required to prominently publish a link to their Privacy Policy on their homepage.
What Rights Do Consumers Have under the Act?
Consumers have the right to:
- Confirmation: Confirm if a regulated entity is collecting, sharing, or selling their health data.
- Access: Access their health data, including access to a list of third parties and affiliates with whom their data has been shared and an active email address that the consumer may use to contact the third parties.
- Withdraw Consent: Withdraw consent for the collection and sharing of their health data and request its deletion. If a deletion request is made, the regulated entity must delete the data from its records and notify any third parties that received the data.
- Appeal: Appeal a regulated entity’s refusal to take action on their deletion request, and the regulated entity must inform them of the decision and provide an explanation.
Consumers can exercise these rights by submitting a request to the regulated entity, and the entity may require additional information to authenticate the request. The regulated entity must provide the requested information free of charge up to twice a year, but if requests are unfounded, excessive, or repetitive, a reasonable fee may be charged. The regulated entity must comply with the requests within 45 days, with a possible extension of 45 days if necessary.
Can a Regulated Entity Sell Consumer Health Data?
A regulated entity cannot sell or offer to sell consumer health data without valid authorization from the consumer, which must be separate from the consent given by the consumer to collect or share the data. The authorization must be in plain language and include details such as the specific consumer health data being sold, contact information of the seller and purchaser, purpose of the sale, consumer's right to revoke the authorization, and the expiration date.
The authorization is considered invalid if it has expired, lacks required information, has been revoked, combined with other documents, or conditioned upon receiving goods or services. A copy of the signed authorization must be provided to the consumer, and both the seller and purchaser of the consumer health data must retain copies of the authorization for six years.
Are there Additional Requirements on Regulated Entities?
A regulated entity must limit access to consumer health data to only those employees, processors, and contractors who require access for authorized purposes or to provide requested products or services. Additionally, regulated entities are obligated to establish and maintain data security practices that meet industry standards to ensure the confidentiality, integrity, and accessibility of consumer health data.
What are the Requirements on Service Providers of Regulated Entities?
The Act uses the term “processor” to refer to an individual or entity that performs any operation or set of operations on consumer health data on behalf of a regulated entity. Under this definition, a processor would include many different types of service providers that access or use consumer health data on behalf of a regulated entity, such as a billing company.
Processors must have a binding contract with regulated entities. The contract must outline processing instructions and restrict the actions the processor can take regarding the consumer health data. Processors must comply with the instructions and support regulated entities in fulfilling their obligations under the Act. If a processor deviates from the contract, it will be treated as a regulated entity and be subject to all requirements of the Act.
What are the Geofence Requirements under the Act?
The Act defines a “geofence” as the use of technological methods, including global positioning, cell tower connectivity, cellular data, radio frequency identification, or Wi-Fi data, to establish a virtual boundary extending 2,000 feet around a specific physical location or to locate a consumer within that boundary.
Under the Act, it is illegal for anyone to create a geofence around a facility that offers in-person health care services if the geofence is used to: (1) track or identify consumers seeking health care services, (2) gather consumer health data from consumers, or (3) send notifications, messages, or advertisements to consumers regarding their health care data or services.
In Summary, What are the Compliance Steps Under the Act?
Prior to taking action to comply with the Act, your business should ask the following three questions:
- Is the business a “regulated entity”?
- Does the business collect, process, share, or sell consumer health data?
- Is the business exempt from the Act?
If the answer to the first two questions is “yes,” and the answer to the third question is “no,” the business needs to take the following actions by March 31, 2024 (or June 30, 2024, if the business is a “small business”):
- Consent Form: Draft and have consumers sign a consent form related to the ways in which the business collects, processes, or shares consumer health data.
- Privacy Policy: Draft and publish a Privacy Policy that discloses the ways in which the business collects, processes, or shares consumer health data.
- Internal Policies: Draft internal policies for: (1) limiting access to consumer health data to an “as needed” basis, (2) establishing and maintaining data security practices that meet industry standards, and (3) handling consumer requests related to consumer health data.
- Processor Contracts: Draft and enter into contracts with any individuals or entities that “process” consumer health data on behalf of the business.
- Authorization for Sale of Data: If the business sells consumer health data, draft and have consumers sign a separate authorization permitting the sale of consumer health data.
Who Can I Contact for More Information about the Act?
Please feel free to contact Casey Moriarty or Maddie Haller of the Ogden Murphy Wallace health care team for more information about the Act.