Washington State Enacts Landmark Privacy Law Aimed at Digital Health Industry


On April 27, 2023, the state of Washington enacted a landmark privacy law aimed at protecting the privacy of health data not covered by HIPAA. This law, named the “My Health My Data Act,” covers a very wide range of entities, consumers, and data. It also contains a private right of action. Companies should soon begin evaluating the scope of this law and its requirements before it comes into effect March 31, 2024 (for “small businesses,” June 30, 2024).

There are many nuances and complexities to this law that go beyond HIPAA or any other existing state “comprehensive” privacy law. We highlight some of the key elements below:

  • Applicability. Unlike other state consumer privacy laws, this law contains no revenue or volume of processing thresholds. The law applies to “regulated entities” collecting “consumer health data” from “consumers.” Each of these key terms is defined broadly. Non-governmental entities, including non-profits, that conduct business in Washington or produce or provide products or services targeted to Washington consumers, and that, alone or jointly with others, determine the purpose and means of collecting, processing, sharing, or selling consumer health data are in scope.

“Consumers” include Washington residents as well as any individual whose health data is “collected” in Washington (and “collect” does not mean “collect” in the traditional sense of the word). The law does not apply to individuals in an employment context or to employee data. The broad definition of “consumer health data” includes even data derived from non-health information that may indicate a consumer’s attempt to receive health services or supplies. There are exceptions for data that is subject to certain enumerated privacy laws such as HIPAA, GLBA, FCRA, FERPA, and existing Washington state laws related to health care and insurance. For more details on these key definitions and the scope of the law, read our post here.

  • Notice. Like other privacy laws, the law requires entities subject to the law to have a privacy policy with certain content requirements. It remains to be seen whether existing website privacy policies can be used, or whether a separate notice will be required.
  • Rights. While the types of rights and procedural requirements will be generally familiar to companies subject to other consumer privacy laws, there are certain aspects that go further than existing US privacy laws. For example, the details that must be provided in an access request, and the lack of typical exceptions to consumers’ right to delete, will create burdensome operational challenges. For more details on consumer rights requests, read our post here.
  • Consent. The law requires opt-in consent for any collection, use, disclosure, or other processing of data beyond what is necessary to provide a consumer-requested product or service. There are also requirements for “sharing” (though the definition does not track CCPA’s definition). In addition, there is an onerous authorization requirement for any “sale” of consumer health data. The broad definition of “sale,” coupled with the requirement to have a written and signed authorization for any “sales,” may impact how companies engage in targeted advertising activities. For more details on the consent requirements, read our post here.
  • Geo-fencing ban. Geo-fencing is the creation of a virtual perimeter for a specific geographic area. The law prohibits companies from using a geofence to identify consumers, collect consumer health data, or send ads or notifications based on a consumer’s proximity to facilities that provide in-person health care services.

The law may be enforced by a private right of action, in addition to enforcement by the Washington Attorney General. This law fits a growing trend towards increased scrutiny and protections for health data not covered by HIPAA. (See here for a discussion on the FTC’s focus).

