INTRODUCTION
Companies may face class action lawsuits as early as July 2023 based on Washington’s new privacy law. Governor Jay Inslee recently signed House Bill 1155, the WA My Health, My Data Act (“MHMDA” or “the Act”), giving companies and non-profits a very short compliance window. MHMDA is part of “Washington State’s nation-leading effort to stem the attack on choice”1 in response to the Supreme Court’s 2022 decision in Dobbs that overturned Roe v. Wade. Lawmakers state that the new law was designed to “protect the independence and dignity of individuals when they make healthcare decisions”2 in the state of Washington by safeguarding the privacy of Consumer Health Data not previously covered by the Health Insurance Portability and Accountability Act (“HIPAA”). However, the MHMDA is much more comprehensive than it seems and covers more than health data. All companies, even those not traditionally associated with health or wellness, should assess whether they fall in scope of the MHMDA’s broad reach and if so, take immediate compliance steps.
SCOPE
Whereas the California Consumer Privacy Act (“CCPA”) and all other comprehensive state privacy laws contain a revenue threshold and/or minimum number of data subjects to fall within scope, the MHMDA applies to “Regulated Entities” and “Small Businesses”3 that “conduct business in Washington or produce or provide products or services that are targeted to consumers in Washington; and alone or jointly with others, determine the purpose and means of collecting, processing, sharing, or selling of Consumer Health Data.”4 In addition to the traditional definition of “Consumer” as a resident of Washington, the Act further defines Consumer to include any natural person residing anywhere whose Consumer Health Data is collected in Washington.5 Collection of Consumer Health Data under the Act includes buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving, or otherwise processing Consumer Health Data in any manner.6
Under this expansive language, the Act could be interpreted to apply to almost any entity with almost any contact with the state of Washington. For example, an in-scope company may include an East Coast e-commerce website that can be accessed by a resident of Washington, or the same East Coast e-commerce website accessed by a resident of anywhere if the website is hosted (and therefore “collects” Consumer Health Data) on a Washington-based cloud service provider.
Consumer Health Data is defined similarly broadly to encompass any “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.”7 The Act further provides a non-comprehensive list of major data categories that fall under the definition of Consumer Health Data. Most notably, Consumer Health Data may include:
- Generalized health data, such as:
  - Individual health conditions, treatment, diseases, or diagnosis;
  - Social, psychological, behavioral, and medical interventions;
  - Health-related surgeries or procedures;
  - Use or purchase of prescribed medication;
  - Bodily functions, vital signs, symptoms, or other health measurements;
  - Diagnoses or diagnostic testing, treatment, or medication;
  - Gender-affirming care information;
  - Reproductive or sexual health information; as well as
- Other data, such as:
  - “Biometric Data,” which includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted, and keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.8 Examples may include any photo in which a face can be recognized, or any voice recording, such as a customer service call recording or voicemail;
  - “Genetic Data,” which includes, but is not limited to, self-reported health data that a consumer submits to a company to be analyzed with the Consumer’s raw sequence data;
  - “Precise Location Data” that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
  - Data that identifies any Consumer seeking health care services; or
  - Any information in the above categories extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning) to identify a consumer.
Companies that may not consider themselves to be collectors of health data might be surprised to learn that their regular business operations now bring them into scope of the Act based on this sweeping definition of Consumer Health Data. Non-intuitive examples may include:
- A corner store or gas station that sells over-the-counter medications, bandages, or tampons;
- A fitness center or community recreational center that allows people to purchase memberships or sign up for classes;
- A restaurant where a person goes to eat (and therefore digest) a meal; or
- Any product, company, or app that uses precise location data for any purpose, such as service delivery or advertising.
EXCLUSIONS
The MHMDA includes both entity and data level exclusions. Notably, nonprofit organizations are not excluded from the Act, but government agencies, tribal nations, and government agency service providers are explicitly out of scope.9 Individuals acting in an employment context are exempt from the definition of Consumer, meaning that employee and business-to-business data are not covered by the Act.10 Consumer Health Data does not include personal information that is used to engage in public or peer-reviewed research so long as it is in the public interest and adheres to defined oversight standards.11 Furthermore, while many common entity-level exemptions are not included, the MHMDA does not cover data already covered by:
- HIPAA;
- Gramm-Leach-Bliley Act;
- Social Security Act, title XI;
- Fair Credit Reporting Act;
- Family Educational Rights and Privacy Act; and
- Various other Washington state and federal laws and regulations regarding medical research, the Washington health benefit exchange, peer review, quality improvement and quality assurance activities, and public health activities and reporting.12
EFFECTIVE DATE
Many parts of the MHMDA come into effect for Regulated Entities on March 31, 2024, while Small Businesses must comply three months later by June 31, 2024. The lack of a specific effective date in certain provisions, however, indicates that such provisions may come into effect much earlier. Under Washington state law, if a new act does not provide for an effective date, such act shall come into effect 90 days after the close of the legislative session.13 This year’s legislative session ended on April 23, 2023; therefore, the Act’s blanket ban on geofencing14 will come into effect for all entities on July 23, 2023. In addition, the following provisions do not provide for a specific effective date, and could be interpreted to be effective for Regulated Entities on July 23, 2023:
- Obligation to publish a homepage link to a WA Consumer Health Data privacy policy;15
- Obligation to obtain consent for:
  - collection, use, or sharing of categories of data not disclosed in the WA Consumer Health Data privacy policy;16
  - collection, use, or sharing for purposes not disclosed in the WA Consumer Health Data privacy policy;17 and
  - sharing Consumer Health Data for a secondary purpose;18
- Prohibition on:
  - contracting with a processor to process Consumer Health Data in any manner inconsistent with the WA Consumer Health Data privacy policy;19 and
  - unlawful discrimination against a consumer exercising rights under the MHMDA;20
- Consumer rights:
  - to withdraw consent;21 and
  - of deletion;22
- Procedural requirements related to Consumer rights requests;23
- Limitations on processors to process Consumer Health Data consistent with contractual instructions;24 and
- Obligations of processors to assist a Regulated Entity in meeting its obligations.25
THE GEOFENCING BAN
As of July 23, 2023, it will be
unlawful for any person to implement a geofence around an entity that provides in-person health care services (as broadly defined in the Act) where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.
Here, a “Geofence” is a virtual boundary that is 2,000 feet or less from the perimeter of the physical location, created by the use of global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wifi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary.26 “Health Care Services” include any service provided to a person to assess, measure, improve, or learn about a person’s health, including but not limited to:
- Individual health conditions, status, diseases, or diagnoses;
- Social, psychological, behavioral, and medical interventions;
- Health-related surgeries or procedures;
- Use or purchase of medication;
- Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection;
- Diagnoses or diagnostic testing, treatment, or medication;
- Reproductive health care services; or
- Gender-affirming care services.
PENALTIES AND ENFORCEMENT
Once in effect, violations of the MHMDA may be enforced by the Washington State Attorney General under Washington’s Consumer Protection Act (“CPA”). The Act also grants consumers a robust private right of action for any injury caused by unfair and deceptive trade acts and unfair competition that results from an MHMDA violation. The CPA allows for civil penalties of up to $7,500 per violation,27 as well as an additional allotment of up to $25,000 in treble damages, and attorneys’ fees.28 These consumer enforcement rights, combined with the broad scope and definitions described above, may open the door to large-scale class-action claims.
Class action activity under Illinois’ Biometric Information Privacy Act (BIPA) has been costly for businesses, and may indicate that similar cases will be brought under the MHMDA. For instance, late last year, in Rogers v. BNSF Railway, a jury awarded $228 million in damages based on the scanning of truck drivers’ fingerprints to verify their identities, carried out through a fingerprint processing vendor, in non-compliance with BIPA.
KEY POINTS
- While the WA My Health My Data Act purports to close the current gap in consumer health data protection left by HIPAA, its broad scope and definitions will cover many more entities than expected.
- The Act applies to any entity doing business in Washington, providing products or services to Washington, or having its data hosted or processed in Washington, with few exceptions.
- The Act’s sweeping definition of Consumer Health Data could be interpreted to include almost ANY category of personal data collected by a business.
- The Act contains a robust consumer private right of action for any violation, which may lead to significant activity by plaintiffs’ attorneys, similar to the BIPA enforcement currently taking place in Illinois.
- Companies that fall within scope of the MHMDA will need to address and re-evaluate their privacy compliance. Many of the data subject rights, consent and notice requirements, and substantive obligations go above and beyond anything previously required by state privacy laws.
3 MHMDA, §3(28).
4 MHMDA, §3(23).
5 MHMDA, §3(7).
6 MHMDA, §3(5).
7 MHMDA, §3(8)(a).
8 MHMDA, §3(4).
9 MHMDA, §3(23).
10 MHMDA, §3(7).
11 MHMDA, §3(8)(c).
12 MHMDA, §12.
14 MHMDA, §10.
15 MHMDA, §4(1)(b).
16 MHMDA, §4(1)(c).
17 MHMDA, §4(1)(d).
18 MHMDA, §5(1)(b).
19 MHMDA, §4(1)(e).
20 MHMDA, §5(1)(d).
21 MHMDA, §6(1)(b).
22 MHMDA, §6(1)(c).
23 MHMDA, §6(1)(d)-(h).
24 MHMDA, §8(1)(a)(ii).
25 MHMDA, §8(1)(b).
26 MHMDA, §3(14).
27 RCW 19.86.140.
28 RCW 19.86.090.