On Thursday (April 27), Democratic Washington Governor Jay Inslee signed the My Health, My Data Act, which will take effect on March 31, 2024, giving businesses about a year to prepare for the new regulations.
According to a statement on Inslee’s blog, where he routinely publishes on recent legislation, Inslee signed the law along with four others that “protect the right to abortion, gender-affirming care, and other health freedoms” in Washington state.
The legislation package, he stated in a news release, “will keep the tentacles of oppressive and overreaching states out of Washington.”
The bill claims it “works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers’ health data.” Businesses in the state of Washington and any other organization that handles the medical records of Washington residents must comply with the new legislation.
According to Democratic state representative Vandana Slatter, “My Health, My Data protects the independence and dignity of individuals when making healthcare decisions.” As the authors put it, “It prevents vulnerabilities in the technological era that are being used to target and exploit consumers who may not be aware of the vast data that everything from our watches and phones collects.”
Forbidding the sale of health data, mandating notice of data collection and sharing, permitting consumers to have their health data destroyed, and prohibiting geofences surrounding establishments providing in-person healthcare services are all new protections.
According to Alya Sulaiman, JD, a partner at McDermott Will & Emery in Chicago and a certified information privacy practitioner, health information is protected by law.
“The law includes exceptions for HIPAA-regulated entities handling PHI [protected health information] consistent with their responsibilities under HIPAA. So, in that case, doctors and provider organizations are actually in a good spot,” she said. “It’s a common misconception that HIPAA protections flow with data.”
Sulaiman said that the expansive nature of the My Health, My Data Act is partly due to the broad terminology used to identify health information.
“This, to me, is like one of the most significant privacy bills that we’ve seen out of any state legislature and I say that because of the breadth of information it seeks to protect,” she said. Entities may only use health information for the purposes for which they have secured consumer permission.
New York City attorney Aaron Burstein, JD, a partner at Kelley Drye & Warren, agrees with Sulaiman that the grouping is too inclusive. “Well, I think one important thing is that there aren’t any different categories or tiers of consumer health data, and it’s all afforded the same level of protection, regardless of how sensitive it might be,” he added.
“When companies look at this law, it’s important to remember that once data is consumer health data, it’s subject to all these protections. It doesn’t matter at that point how sensitive you might reasonably think a piece of information is.”
Put another way, personal information as delicate as biometric data or test results may be handled in the same manner as data from fitness trackers or purchases of products connected to physiological functions, like deodorant, menstruation products, and toilet paper.
While HIPAA-covered entities can carry on with most of their operations as usual, Burstein cautions that there are some factors to consider when using data in light of the new law.
“Entities subject to HIPAA, whether healthcare providers, hospitals, or similar institutions, are not properly carved out. So if they’re handling health information outside of HIPAA, for example, anything that might be connected with their websites or apps or things of that nature, then they are subject to My Health, My Data, at least for Washington residents,” Burstein said.
According to Burstein, Inslee’s explicit linking of My Health, My Data to other initiatives safeguarding gender-affirming and abortion treatment is reflected in the text of the legislation.
“It’s an influence that I think is motivating some states, such as Washington, to create stronger protections through statutes. But I would emphasize again that My Health, My Data sweeps much more broadly than that. So it’s not limited to reproductive health or any specific area of health information,” he added.