What consumers need to know about this sweeping new legislation affecting your health data and how it’s collected, stored and shared — by everyone from your health care provider to FitBit, Peloton, Google and other major companies.
Hagens Berman’s Washington-based consumer protection legal team has reviewed the state’s newest legislation affecting you and your right to data privacy. The My Health My Data Act provides significant changes to your rights, and attorneys urge those affected to sign up for future updates concerning new legal action about your health care data.
What is the My Health My Data Act?
On April 17, 2023, Washington state passed the My Health My Data Act, following requests from Washington Attorney General Bob Ferguson for legislation to “significantly expand privacy protections for personal health data” for those living in Washington state. As defined by the 68th state legislature, the My Health My Data Act is intended to serve as “an act relating to the collection, sharing, and selling of consumer health data,” based on the fundamental right of privacy, which Washington’s constitution explicitly provides.
Why was the My Health My Data Act enacted?
According to the Washington state legislature, “Washingtonians expect that their health data is protected under laws like the health information portability and accountability act (HIPAA). However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections.”
The WA My Health My Data Act serves to “close the gap between consumer knowledge and industry practice” by providing stronger privacy protections for the health data of all consumers in the state.
The act intends to provide heightened protections for Washingtonians’ health data by:
- requiring additional disclosures and consumer consent regarding the collection, sharing and use of such information;
- empowering consumers with the right to have their health data deleted;
- prohibiting the selling of consumer health data without valid authorization signed by the consumer; and
- making it unlawful to utilize a geofence around a facility that provides health care services.
What health information does the My Health My Data Act protect exactly?
Washington’s My Health My Data Act pertains to health care-related data, but also goes beyond what many may consider health-related. The consumer health data covered by the My Health My Data Act is expansive and includes “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present or future physical or mental health status.”
“Health status” may include:
- individual health conditions, treatment, diseases or diagnosis; social, psychological, behavioral and medical interventions; health-related surgeries or procedures;
- use or purchase of prescribed medication;
- bodily functions, vital signs, symptoms or measurements of this information; diagnoses or diagnostic testing, treatment or medication;
- gender-affirming care information;
- reproductive or sexual health information;
- biometric data;
- genetic data;
- precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies; data that identifies a consumer seeking health care services (this means the act prohibits location tracking information when consumers are at health care facilities);
- or any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
“Consumer health data” according to the act does not include personal information that is used to engage in public or peer-reviewed scientific, historical or statistical research in the public interest that adheres to all other applicable ethics and privacy laws.
What areas of consumers’ lives are affected by this?
The implications of this broad act are far-reaching, considering that the vast majority of consumers, in one way or another, share what the act deems “consumer health data” about their “health status” with some third party, likely several.
Third parties that use this data may include fitness tracking apps or connected fitness devices; smart watches and other mobile devices and their parent companies; gene and family ancestry data companies; entities that track and record biometric data; mobile apps that may track health data such as weight, prescriptions (such as GoodRx), menstrual cycle or other metrics; nutrition consultation businesses and more. Importantly, the act also prohibits maps on mobile devices from recognizing location data at health care facilities or sharing that data with marketers.
In today’s modern world, chances are you use one of these third parties to track, store or use your personal health data in some fashion.
Are all Washington residents protected under the My Health My Data Act?
Yes, all residents of Washington are protected, and the My Health My Data Act goes even further: it applies to any legal entity that does business in Washington or otherwise targets Washington consumers, and “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.”
Unlike most other state privacy laws, there are no minimum thresholds of business size, revenue or number of Washington consumers addressed.
What do I do if my consumer health data is being stored or used in violation of Washington’s My Health My Data Act?
Unlike some state consumer protection laws, the My Health My Data Act not only empowers the state’s Attorney General to take enforcement actions against those in violation of the act; it also empowers private actions for actual damages and/or injunctive relief.
This means that Washington state consumer rights lawyers, like those at Hagens Berman, are able to take up the fight for you through class-action litigation and pursue your right to compensation for the illegal use of, and profit from, your consumer health data. Private enforcement actions and lawsuits can also bring meaningful change under the My Health My Data Act by asking a court to end the collection, storing, selling or other behavior deemed in violation of the act.
When will the My Health My Data Act take effect?
Certain provisions of the My Health My Data Act, including those prohibiting geofencing around health care facilities, took effect on July 23, 2023, while most of the act will take effect March 31, 2024, or June 30, 2024, for small businesses.
Where can I read the My Health My Data Act?
What next steps can I take?
Hagens Berman’s data breach and high tech legal team will likely continue investigating the rights of consumers under this new legislation. If you’d like to sign up for updates to stay informed about new investigations including rights to privacy, data protection and more, you may fill out the form here.
The office of Washington’s Attorney General has also published an FAQ to further assist you in gathering information about the My Health My Data Act.