Washington Close to Enacting My Health My Data Act to Protect Health Data Privacy
Washington state is on the brink of enacting a new law that will considerably expand privacy protections for consumer health data in the state and will address the current gap in privacy protections for health data not covered by the Health Insurance Portability and Accountability Act (HIPAA).
The My Health My Data Act (HB1155) was proposed by Representative Vandana Slatter (D-WA), advanced through the House, and was recently passed by the Senate with a vote of 27-21. The bill has now been returned to the House for a review of Senate amendments and, if the second vote passes, the bill is expected to be signed into law by the state governor, Jay Inslee.
“My Health, My Data protects the independence and dignity of individuals when they make healthcare decisions,” said Rep. Slatter. “It prevents vulnerabilities in the technological era that are being used to target and exploit consumers who may not be aware of [the] vast amount of data that everything from our watches and phones collect.”
Data Covered by Washington My Health My Data Act
The My Health My Data Act applies to health data collected by non-HIPAA covered entities, including web and mobile publishers, and uses a broad definition of health data that includes diagnoses, conditions, treatment information, and biometric data, along with other data that is linkable to a state resident that can identify an individual’s past, present or future health or mental health.
The full definition of health data is any information that relates to “individual health conditions, treatment, status, diseases or diagnoses; social, psychological, behavioral and medical interventions; health-related surgeries or procedures; use or purchase of medications; bodily functions, vital signs and symptoms; diagnoses or diagnostic testing, treatment or medication; gender-affirming care information; reproductive or sexual health information; biometric data; genetic data; precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; and information that is derived or extrapolated from non-health information.”
The bill covers location data, if that information can be used to make conjectures related to health. Location data is collected by many companies, even those that do not collect or process health data. Location data can reveal that an individual has visited a hospital, reproductive health clinic, pharmacy, or other healthcare location. Any company that collects location data for targeted advertising purposes will be required to comply with the requirements of the My Health My Data Act. The My Health My Data Act will apply to any entity that does business in the state of Washington that involves the collection of health data, regardless of revenue or size.
Consumer Consent and Control of Health Data
If passed, state residents will be given far greater control over how their health information is collected and used. Before any entity is able to collect health data, an individual must give their consent through an opt-in process, and the use of health data will be restricted to the uses specifically stated when obtaining consent. Those uses must also be strictly necessary to provide a product or service to the consumer.
When obtaining consent, it must be made clear to the consumer, in easy-to-understand, non-ambiguous language, what they are consenting to, and consent must be obtained voluntarily. The same consent requirements apply to the sharing of health data, and if the collecting entity intends to sell the data to a third party, written authorization will be required from the consumer. The reason for the sale must be stated when obtaining consent along with the entity or entities to which the data will be sold. The contact information of those entities must also be provided to the consumer. Consumers will also have the right to withdraw their consent, stop any processing of their data, and have that data deleted. Entities are also required to provide a clear privacy policy to consumers and implement a mechanism for processing consumer data requests, including requests for access to the collected data, withdrawal of consent, and data deletion.
Consumers Permitted to Take Legal Action for My Health My Data Act Violations
In order to get privacy legislation signed into law, protections are often put in place to protect businesses by preventing consumers from taking legal action over privacy violations. The My Health My Data Act does not have such restrictions and there is a private right of action that allows consumers to seek damages for My Health My Data Act violations. If a Washington resident is able to demonstrate that they have been harmed by a violation of the My Health My Data Act, they are permitted to take legal action to obtain damages under general consumer protection laws in the state.
The post Washington Close to Enacting My Health My Data Act to Protect Health Data Privacy appeared first on HIPAA Journal.