Confidentiality of Health Care Information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes nationwide standards for the use, disclosure, and transfer of "protected health information," defined as individually identifiable health information that relates to an individual's past, present, or future physical or mental health or condition, or to the provision of health care to the individual. The HIPAA applies to "covered entities," which are health care providers, health plans, and health care clearinghouses, and "business associates," which are entities that perform certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered entity.
Covered entities and business associates must have an individual's authorization to use or disclose protected health care information. The HIPAA permits use and disclosure of protected health information without an individual's authorization for specified purposes, including:
In Washington, the Uniform Health Care Information Act (UHCIA) governs the disclosure of health care information by health care providers and their agents or employees. The UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or written authorization by the patient. Statutory exceptions under the UHCIA are similar to those under HIPAA and include disclosures made for: the provision of health care; quality improvement; legal and administrative services; research purposes; public health and law enforcement activities; and judicial proceedings.
Washington Consumer Protection Act.
The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce. The Attorney General is authorized to investigate and prosecute claims under the CPA on behalf of the state or individuals in the state. A person injured by a violation of the CPA may bring a civil action for injunctive relief, recovery of actual damages, and reasonable attorneys' fees. The courts may increase awarded damages up to three times the actual damages sustained.
The Washington My Health My Data Act is adopted to define obligations of regulated entities that collect, use, or share consumer health data and to specify consumer rights with regard to consumer health data.
Key Definitions and Scope.
"Regulated entity" means any legal entity that:
"Regulated entity" does not include a government agency or a tribal nation.
"Consumer health data" means personal information relating to the past, present, or future physical or mental health of a consumer including any personal information relating to:
"Consumer health data" does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research that adheres to all other applicable ethics and privacy laws and is monitored or governed by an independent oversight entity.
The Washington My Health My Data Act does not apply to:
A regulated entity may not collect or share consumer health data except with the consumer's consent or to the extent strictly necessary to provide a product or service that the consumer requested from the regulated entity. A consumer's consent must be obtained prior to the collection or sharing of any consumer health data and must disclose:
A consumer's consent for the sharing of consumer health data must be separate and distinct from the consumer's consent for the collection of consumer health data.
Consumer Rights Concerning Consumer Health Data.
A consumer has rights with regard to consumer health data concerning the consumer, including the right to:
Within 30 calendar days of receiving a consumer's request to delete consumer health data concerning the consumer, a regulated entity must delete the consumer health data from its records and notify all affiliates, service providers, and other third parties with whom the regulated entity has shared the consumer health data of the consumer's deletion request. All notified affiliates, service providers, and other third parties must honor the consumer's deletion request and delete the consumer health data from all records.
Data Security Requirements.
A regulated entity must restrict access to consumer health data by the regulated entity's employees, service providers, and contractors to only as is necessary to further the purposes for which a consumer provided consent or to provide a product or service the consumer has requested. A regulated entity must establish and maintain administrative, technical, and psychical data security practices that, at a minimum, satisfy reasonable standard of care within the regulated entity's industry to protect confidentiality, integrity, and accessibility of consumer health data.
Obligations of Service Providers.
A service provider may process consumer health data only pursuant to a binding contract between the service provider and the regulated entity. The contract must set forth the processing instructions and limit the actions a service provider may take with respect to consumer health data. A service provider may process consumer health data only in a manner that is consistent with the binding instructions set forth in the contract.
If a service provider fails to adhere to the regulated entity's instructions or processes consumer health data in a manner that is outside the scope of the service provider's contract with the regulated entity, the service provider is considered a regulated entity.
Prohibition on Sale of Consumer Health Data.
It is unlawful for any person to sell consumer health data. To "sell" means to share consumer health data for monetary or other valuable consideration. "Selling" does not include sharing:
Prohibition on Geofencing of Certain Health Care Entities.
It is unlawful for any person to implement a geofence around any entity that provides in-person health care services where the geofence is used to identify, track, collect data from, or send notifications or messages to a consumer that enters the virtual perimeter. "Geofence" means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and any other form of location detection to establish a virtual boundary around a specific physical location.
Violations of the Washington My Health My Data Act are enforceable under the Consumer Protection Act.