Confidentiality of Health Care Information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes nationwide standards for the use, disclosure, and transfer of "protected health information," defined as individually identifiable health information that relates to an individual's past, present, or future physical or mental health or condition, or to the provision of health care to the individual. The HIPAA applies to "covered entities," which are health care providers, health plans, and health care clearinghouses, and "business associates," which are entities that perform certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered entity.
Covered entities and business associates must have an individual's authorization to use or disclose protected health care information. The HIPAA permits use and disclosure of protected health information without an individual's authorization for specified purposes, including:
In Washington, the Uniform Health Care Information Act (UHCIA) governs the disclosure of health care information by health care providers and their agents or employees. The UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or written authorization by the patient. Statutory exceptions under the UHCIA are similar to those under HIPAA and include disclosures made for: the provision of health care; quality improvement; legal and administrative services; research purposes; public health and law enforcement activities; and judicial proceedings.
Washington Consumer Protection Act.
The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce. The Attorney General is authorized to investigate and prosecute claims under the CPA on behalf of the state or individuals in the state. A person injured by a violation of the CPA may bring a civil action for injunctive relief, recovery of actual damages, and reasonable attorneys' fees. The courts may increase awarded damages up to three times the actual damages sustained.
The Washington My Health My Data Act is adopted to define obligations of regulated entities that collect, use, or share consumer health data and to specify consumer rights with regard to consumer health data.
Key Definitions and Scope.
"Regulated entity" means any legal entity that:
"Regulated entity" does not include a government agency, a tribal nation, or a contracted service provider processing consumer health data on behalf of a government agency.
"Consumer health data" means personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health. Consumer health data includes:
"Consumer health data" does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research that adheres to all other applicable ethics and privacy laws and is monitored or governed by an independent oversight entity.
Privacy Policy Requirement.
A regulated entity must maintain and prominently publish a consumer health data privacy policy that discloses:
A regulated entity must make additional privacy policy disclosures and obtain consumer consent before collecting or sharing categories of consumer health data not disclosed in the privacy policy, and before collecting or sharing consumer health data for additional purposes.
Consent Requirement.
A regulated entity may not collect or share consumer health data except with the consumer's consent or to the extent necessary to provide a product or service that the consumer requested from the regulated entity. A consumer's consent must be obtained prior to the collection or sharing of any consumer health data and must disclose:
A consumer's consent for the sharing of consumer health data must be separate and distinct from the consumer's consent for the collection of consumer health data.
Consumer Rights Concerning Consumer Health Data.
A consumer has rights with regard to consumer health data concerning the consumer, including the right to:
If a regulated entity is unable to authenticate a consumer request to exercise consumer rights using commercially reasonable efforts, the regulated entity is not required to comply with a request and may request additional information from the consumer.
A regulated entity must respond to a consumer request within 45 days of receipt. This response period may be extended once by another 45 days when reasonably necessary. Information provided in response to a consumer request must be provided free of charge up to two times a year.
Within 30 calendar days of authenticating a consumer's request to delete consumer health data concerning the consumer, a regulated entity must delete the consumer health data from its records and notify all affiliates, processors, and other third parties with whom the regulated entity has shared the consumer health data of the consumer's deletion request. All notified affiliates, processors, and other third parties must honor the consumer's deletion request and delete the consumer health data from all records. If a consumer requests deletion of consumer health data stored on archived or backup systems, the deletion may be delayed for up to six months to enable restoration of the archived or backup systems.
A regulated entity must establish a process for a consumer to appeal the regulated entity's refusal to take action on a request. Within 45 days of receipt of an appeal, a regulated entity must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the regulated entity must also provide the consumer with an online mechanism or other method through which the consumer may contact the Attorney General to submit a complaint.
Data Security Requirements.
A regulated entity must restrict access to consumer health data by the regulated entity's employees, processors, and contractors to only as is necessary to further the purposes for which a consumer provided consent or to provide a product or service the consumer has requested. A regulated entity must establish and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy reasonable standard of care within the regulated entity's industry to protect confidentiality, integrity, and accessibility of consumer health data.
Obligations of Processors.
A processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity. The contract must set forth the processing instructions and limit the actions a processor may take with respect to consumer health data. A processor may process consumer health data only in a manner that is consistent with the binding instructions set forth in the contract.
If a processor fails to adhere to the regulated entity's instructions or processes consumer health data in a manner that is outside the scope of the contract with the regulated entity, the processor is considered a regulated entity.
Prohibition on Sale of Consumer Health Data Without Valid Authorization.
It is unlawful for any person to sell consumer health data concerning a consumer without first obtaining a valid authorization from the consumer. A valid authorization must be written in plain language and must contain specified information, including:
A copy of the signed valid authorization must be provided to the consumer. The seller and purchaser of consumer health data must retain a copy of all valid authorizations for six years from the date of its signature or the date when it was last in effect, whichever is later.
Prohibition on Geofencing of Certain Health Care Entities.
It is unlawful for any person to implement a geofence to identify, track, collect data from, or send notifications or messages to a consumer who enters an entity that provides in-person health care services.
"Geofence" means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and any other form of location detection to establish a virtual boundary of 2,000 feet or less from the perimeter of a specific physical location.
Enforcement.
Violations of the Washington My Health My Data Act are enforceable under the CPA.
Exemptions.
The Washington My Health My Data Act does not apply to personal information that is collected, used, or disclosed pursuant to specified federal and state laws, including:
The obligations imposed on regulated entities and processors do not restrict a regulated entity's or processor's ability for collection, use, or disclosure of consumer health data to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for such actions.
The substitute bill adds several definitions, including "precise location information" and "publicly available information," and modifies several existing definitions, such as "consumer health data," "geofence," "person," and "regulated entity."
The substitute bill modifies the privacy policy requirements and provides that a regulated entity's privacy policy with respect to consumer health data must disclose:
Additionally, the substitute bill makes several changes with regard to consumer rights and:
With respect to the right of access, the substitute bill provides that a consumer's right to access consumer health data includes the right to access the list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and an email address or other online mechanism for contacting these third parties.
With respect to the right of deletion, the substitute bill:
The substitute bill removes the prohibition on the sale of consumer health data and instead prohibits selling or offering for sale consumer health data without a valid authorization that meets specified requirements. The substitute bill also modifies the geofencing prohibition to provide that it is unlawful to implement a geofence to identify, track, or collect data from a consumer that enters any entity that provides in-person health care services, rather than prohibiting geofencing around any entity that provides in-person health care services in order to identify, track, or collect data from a consumer.
Lastly, the substitute bill adds several exemptions for health care information deidentified in accordance with the HIPAA standards and personal information collected, used, or disclosed pursuant to specified laws and regulations, including: the Gramm-Leach-Bliley Act; the Family Educational Rights and Privacy Act; state law governing Washington Health Benefits Exchange and Statewide Health Care Claims Database; privacy rules adopted by the Office of the Insurance Commissioner; and laws governing human subjects research, quality improvement and peer review committees, and reporting of health care-related infections and adverse events.
(In support) Health data is some of the most sensitive data collected from an individual, and most people expect this data to be protected or kept confidential by entities that collect it, but that is not always true. The HIPAA applies to covered entities and their business associates, which leaves data collected by applications, websites, and other non-HIPAA entities unregulated. Consumer health data is collected, shared, and sold with little to no oversight or transparency. Period-tracking applications may sell sensitive information about a woman's reproductive health. Pregnant individuals who visit crisis pregnancy centers seeking abortion care may unknowingly have their information shared with anti-abortion groups. Digital advertising firms can set up geofences around health care entities, and once a person crosses that invisible barrier, the person is bombarded with text messages and advertisements, urging the person not to seek reproductive or gender-affirming care. Recently, for just $160 a location data broker sold the aggregated location data of people who visited abortion clinics; the data showed where patients traveled from, how much time they spent at health care centers, and where they went afterwards.
The bill closes the gap between consumer expectations and current laws and gives Washingtonians more control over their data by requiring a distinct consumer health data privacy policy and prohibiting the collection or sharing of health data without consent. The bill also requires compliance with strict HIPAA authorization standards to sell consumer health data.
The overturning of the Roe v. Wade decision highlighted and exacerbated gaps in the protection of health care data generally, and reproductive and gender-affirming care in particular. As many states are moving rapidly to criminalize abortion care and gender-affirming care, Washington must take steps to bolster data privacy as part of its efforts to support access to abortion. Despite abortion remaining legal in Washington, patients traveling from other states are terrified of being criminally prosecuted for seeking legal health care in Washington. Patients are afraid to seek care because of privacy concerns and fear of surveillance. Women seeking reproductive services and transgender people seeking gender-affirming care are particularly at risk. Undocumented people seeking basic health care are concerned that their data will one day be shared with immigration authorities.
Crisis pregnancy centers are under no obligation to maintain patient-doctor confidentiality, which puts people's personal health information at risk. Currently available data management tools aggregate patient data to advance the anti-abortion agenda.
Some argue that this bill needs to be consistent with general data privacy bills enacted in other states. However, consumer health data is not the same as other data collected, and it should be afforded added protections, which is exactly what this bill does. The upcoming revised draft of the bill has undergone robust stakeholder process, and the input from the technology and health care industry has made the bill stronger. The amended version addresses concerns about the overly broad definitions.
The legislators should ignore claims that this bill will cause the sky to fall and resist any attempts to weaken the bill, for example, by narrowing the definition of "consumer health data." Good definitions are important, and companies should have no problem complying with this straightforward law and its requirements for opt-in consent before collecting or sharing health data. The bill could be strengthened by removing the exemption for deidentified data.
(Opposed) The bill should apply equally to all medical facilities, including not only pregnancy resource centers, but also abortion facilities, gender-affirming care hospitals, specialized outpatient clinics, and other medical facilities. The bill should not be used by bureaucratic agencies to protect abortion and gender-care facilities.
(Other) The overly broad definitions would negatively alter the consumer experience and fail to accomplish the legislative intent of the bill. Without changes to key definitions, virtually all data would be included, including the purchase of everyday consumer products like toilet paper, deodorant, and even shoes. The definition of geofencing should be clarified that it refers to a precise location rather than a broad unbounded area. The operational provisions would be impossible to comply with because of the definitions, such as "sale" and "share," which are used differently throughout the bill.
The definition of "consumer health data" should be focused on uses because otherwise it would apply to a wide range of consumer data, even when that data is not used to facilitate the inference of health information. More precise definitions focused on reproductive or gender-affirming care would better accomplish the intended goals of this legislation. The bill is essentially an omnibus privacy legislation that is entirely unaligned with other states' privacy laws and requires opt-in consent for consumers' normal everyday purchases.
The bill should provide regulated entities with the right to cure. If the bill is going to be enforced under the CPA, a consumer bringing a claim should be required to prove all five elements of a claim.
Today's passenger vehicles contain many complex safety features, including sensors that rely on facial detection technology, which is not the same as facial recognition technology, but the bill does not distinguish between these two different things. Additionally, the bill seems to require consent for auto companies to process data for the vehicle safety features.
The health care industry supports the goal of the bill to extend HIPAA-like protections to health care data that is not covered by the HIPAA. As currently drafted, there is a lack of clarity about what data is exempt. In addition to the HIPAA, there are other laws that protect health care data, and the bill should not duplicate that well-established regulatory framework.