Staff: Yelena Baker (786-7301).

Background:

Confidentiality of Health Care Information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes nationwide standards for the use, disclosure, and transfer of "protected health information," defined as individually identifiable health information that relates to an individual's past, present, or future physical or mental health or condition, or to the provision of health care to the individual.  The HIPAA applies to "covered entities," which are health care providers, health plans, and health care clearinghouses, and "business associates," which are entities that perform certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered entity.

 

Covered entities and business associates must have an individual's authorization to use or disclose protected health care information.  The HIPAA permits use and disclosure of protected health information without an individual's authorization for specified purposes, including:

• treatment, payment, and health care operations;
• research and public health activities, or health oversight activities;
• to prevent or lessen a serious and imminent threat to a person or the public;
• law enforcement purposes and judicial and administrative proceedings; and
• as required by law, including by statute, regulation, or court orders.

 

In Washington, the Uniform Health Care Information Act (UHCIA) governs the disclosure of health care information by health care providers and their agents or employees.  The UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or written authorization by the patient.  Statutory exceptions under the UHCIA are similar to those under HIPAA and include disclosures made for:  the provision of health care; quality improvement; legal and administrative services; research purposes; public health and law enforcement activities; and judicial proceedings.  
 
Washington Consumer Protection Act.
The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce.  The Attorney General is authorized to investigate and prosecute claims under the CPA on behalf of the state or individuals in the state.  A person injured by a violation of the CPA may bring a civil action for injunctive relief, recovery of actual damages, and reasonable attorneys' fees.  The courts may increase awarded damages up to three times the actual damages sustained.

Summary of Engrossed Substitute Bill:

The Washington My Health My Data Act is adopted to define obligations of regulated entities that collect, use, or share consumer health data and to specify consumer rights with regard to consumer health data.

 

Key Definitions and Scope.
"Regulated entity" means any legal entity that:

• conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
• alone or jointly with others determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.

 
"Regulated entity" does not include a government agency, a tribal nation, or a contracted service provider processing consumer health data on behalf of a government agency.
  
"Consumer health data" means personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health.  Consumer health data includes: 

• individual health conditions, treatment, status, diseases, or diagnoses;
• social, psychological, behavioral, and medical interventions;
• health-related surgeries or procedures, diagnostic testing, and treatment;
• use or purchase of medication;
• bodily functions, vital signs, symptoms, or related measurements;
• gender-affirming care information;
• reproductive or sexual health information;
• biometric and genetic data related to consumer health data;
• precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies; and
• any consumer health data information that is derived or extrapolated from non-health information, such as proxy, derivative, inferred, or emergent data.

 

"Consumer health data" does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research that adheres to all other applicable ethics and privacy laws and is monitored or governed by an independent oversight entity.
 

Privacy Policy Requirement.
A regulated entity must maintain and prominently publish a consumer health data privacy policy that discloses:

• the categories of consumer health data collected and the purposes of collection;
• the categories of sources from which consumer health data is collected;
• the categories of consumer health data that is shared and the categories of third parties and affiliates with whom the regulated entity shares consumer health data; and
• how a consumer may exercise consumer rights with regard to consumer health data.

 
A regulated entity must make additional privacy policy disclosures and obtain consumer consent before collecting or sharing categories of consumer health data not disclosed in the privacy policy, and before collecting or sharing consumer health data for additional purposes.  
 
Consent Requirement.
A regulated entity may not collect or share consumer health data except with the consumer's consent or to the extent necessary to provide a product or service that the consumer requested from the regulated entity.  A consumer's consent must be obtained prior to the collection or sharing of any consumer health data and must disclose:

• the categories of consumer health data collected or shared;
• the purpose of the collection or sharing;
• the categories of entities with whom the consumer health data is shared; and
• how the consumer can withdraw consent.

 
A consumer's consent for the sharing of consumer health data must be separate and distinct from the consumer's consent for the collection of consumer health data.
 
Consumer Rights Concerning Consumer Health Data.
A consumer has rights with regard to consumer health data concerning the consumer, including the right to:

• confirm whether a regulated entity is collecting, sharing, or selling consumer health data;
• access consumer health data, including a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data;
• withdraw consent from the regulated entity's collection and sharing of consumer health data; and
• have consumer health data deleted.

 

If a regulated entity is unable to authenticate a consumer request to exercise consumer rights using commercially reasonable efforts, the regulated entity is not required to comply with a request and may request additional information from the consumer. 

 

A regulated entity must respond to a consumer request within 45 days of receipt.  This response period may be extended once by another 45 days when reasonably necessary.  Information provided in response to a consumer request must be provided free of charge up to two times a year.
 
Within 30 calendar days of authenticating a consumer's request to delete consumer health data concerning the consumer, a regulated entity must delete the consumer health data from its records and notify all affiliates, processors, and other third parties with whom the regulated entity has shared the consumer health data of the consumer's deletion request.  All notified affiliates, processors, and other third parties must honor the consumer's deletion request and delete the consumer health data from all records.  If a consumer requests deletion of consumer health data stored on archived or backup systems, the deletion may be delayed for up to six months to enable restoration of the archived or backup systems. 

 

A regulated entity must establish a process for a consumer to appeal the regulated entity's refusal to take action on a request.  Within 45 days of receipt of an appeal, a regulated entity must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.  If the appeal is denied, the regulated entity must also provide the consumer with an online mechanism or other method through which the consumer may contact the Attorney General to submit a complaint.

Data Security Requirements.
A regulated entity must restrict access to consumer health data by the regulated entity's employees, processors, and contractors to only as is necessary to further the purposes for which a consumer provided consent or to provide a product or service the consumer has requested.  A regulated entity must establish and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy reasonable standard of care within the regulated entity's industry to protect confidentiality, integrity, and accessibility of consumer health data.
 
Obligations of Processors.
A processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity.  The contract must set forth the processing instructions and limit the actions a processor may take with respect to consumer health data.  A processor may process consumer health data only in a manner that is consistent with the binding instructions set forth in the contract. 

 

If a processor fails to adhere to the regulated entity's instructions or processes consumer health data in a manner that is outside the scope of the contract with the regulated entity, the processor is considered a regulated entity with regard to such data.
 
Prohibition on Sale of Consumer Health Data Without Valid Authorization.
It is unlawful for any person to sell consumer health data concerning a consumer without first obtaining a valid authorization from the consumer.  A valid authorization must be written in plain language and must contain specified information, including:

• the specific consumer health data that the person intends to sell;
• the name and contact information of the seller and the purchaser;
• the purpose for the sale;
• a statement that the provision of goods or services may not be conditioned on the consumer's signing of the authorization; and
• an expiration date of one year from the date of signing.

 
A copy of the signed valid authorization must be provided to the consumer.  The seller and purchaser of consumer health data must retain a copy of all valid authorizations for six years from the date of its signature or the date when it was last in effect, whichever is later.

 
Prohibition on Geofencing of Certain Health Care Entities.
It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to:  identify or track consumers seeking health care services; collect consumer health data from consumers; or send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.
 
"Geofence" means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and any other form of location detection to establish a virtual boundary of 2,000 feet or less from the perimeter of a specific physical location. 
 
Enforcement.

Violations of the Washington My Health My Data Act are enforceable under the CPA.  In actions brought by the Attorney General, a violation of the bill's requirements is a per se violation of the CPA.  Any consumer injured by a violation may bring an action, but must establish all required elements of a CPA action before relief may be granted.

 

Exemptions.
The Washington My Health My Data Act does not apply to personal information that is collected, used, or disclosed pursuant to specified federal and state laws, including:

• protected health information for the purposes of the HIPAA;
• health care information collected, used, or disclosed in accordance with the state UHCIA;
• patient identifying information collected, used, or disclosed in accordance with federal law relating to confidentiality of substance use disorder records; and
• personal information governed by the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and statutes and regulations applicable to the Washington Health Benefit Exchange.

 

The obligations imposed on regulated entities and processors do not restrict a regulated entity's or processor's ability for collection, use, or disclosure of consumer health data to:  prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for such actions.

EFFECT OF SENATE AMENDMENT(S):

The Senate amendment:

1. specifies that "consumer health data" means personal information that identifies a consumer's physical or mental health status, rather than a consumer's physical or mental health; provides examples of what is included in "physical or mental health status" for the purposes of the "consumer health data" definition, instead of providing examples of what is included as "consumer health data"; specifies that "physical or mental health status" includes use or purchase of prescribed medication, rather than any medication; and specifies that "consumer health data" includes data that identifies a consumer seeking health care services and any information that a regulated entity or small business processes to identify a consumer's physical or mental health status that is derived from nonhealth information;
2. requires a regulated entity or a small business in possession of deidentified data to contractually obligate any recipients of such data to satisfy all criteria set forth in the definition of "deidentified data";
3. revises the definition of "geofence" by including spatial detection as a form of detection to establish a virtual boundary; includes in the definition of "geofence" technology used to locate a consumer within a virtual boundary;
4. revises the definitions of "personal information" and "publicly available information" to provide that biometric data collected about a consumer by a business without a consumer's consent (rather than a consumer's knowledge) is not publicly available information;
5. specifies that "sharing" consumer health data does not include disclosures to a third party with whom the consumer has a direct relationship when the third party uses the consumer health data consistent with the purpose consented to by the consumer, rather than the purpose disclosed to the consumer;
6. adds the definition of "small business" to mean a regulated entity that meets specified thresholds;
7. removes the requirement for a regulated entity to respond to a request to delete consumer health data without unreasonable delay and no more than 30 calendar days from authenticating the deletion request;
8. requires a regulated entity to comply with a consumer's request to access the consumer's data, withdraw consent, or have data concerning the consumer deleted within 45 days, instead of requiring a regulated entity to respond to the consumer within 45 days; and specifies that authenticating a consumer's request to exercise a right does not extend the regulated entity's 45-day timeline for complying with a consumer's request;
9. specifies that an authorization to sell consumer health data must be separate and distinct from the consent obtained to collect or share consumer health data;
10. removes provisions that limit the application of legislative declarations making a violation of the bill a per se violation of the Consumer Protection Act (CPA) to enforcement actions brought by the Attorney General; and removes the requirement that any consumer injured by a violation and bringing an action under the CPA must establish all required elements of a CPA action before relief may be granted;
11. adds several exemptions and provides that the bill does not apply to:  information and documents created specifically for, and collected and maintained by, a federally regulated medical device manufacturer when collected, used, or disclosed for use in medical records; information that is part of a limited data set and is used, disclosed, and maintained in a manner required under the HIPAA; or identifiable data collected, used, or disclosed in the electronic sales tracking system implemented by the state pharmacy quality assurance commission and consistent with the federal combat meth act;
12. specifies that the exemption for responding to illegal activities or prosecuting those responsible for such actions applies to activities and actions that are illegal under Washington state law or federal law, rather than to any illegal activity;
13. requires the Joint Legislative Audit and Review Committee to review enforcement actions brought by the Attorney General and consumers to enforce violations of the bill, and to submit a report of its findings by September 30, 2030'
14. requires regulated entities to comply with the bill's requirements beginning on March 31, 2024; and requires small businesses to comply with the bill's requirements beginning on June 30, 2024; and
15. makes nonsubstantive technical corrections.

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.

Staff Summary of Public Testimony:

(In support) Health data is some of the most sensitive data collected from an individual, and most people expect this data to be protected or kept confidential by entities that collect it, but that is not always true.  The HIPAA applies to covered entities and their business associates, which leaves data collected by applications, websites, and other non-HIPAA entities unregulated.  Consumer health data is collected, shared, and sold with little to no oversight or transparency.  Period-tracking applications may sell sensitive information about a woman's reproductive health.  Pregnant individuals who visit crisis pregnancy centers seeking abortion care may unknowingly have their information shared with anti-abortion groups.  Digital advertising firms can set up geofences around health care entities, and once a person crosses that invisible barrier, the person is bombarded with text messages and advertisements, urging the person not to seek reproductive or gender-affirming care.  Recently, for just $160 a location data broker sold the aggregated location data of people who visited abortion clinics; the data showed where patients traveled from, how much time they spent at health care centers, and where they went afterwards.

The bill closes the gap between consumer expectations and current laws and gives Washingtonians more control over their data by requiring a distinct consumer health data privacy policy and prohibiting the collection or sharing of health data without consent.  The bill also requires compliance with strict HIPAA authorization standards to sell consumer health data.

The overturning of the Roe v. Wade decision highlighted and exacerbated gaps in the protection of health care data generally, and reproductive and gender-affirming care in particular.  As many states are moving rapidly to criminalize abortion care and gender-affirming care, Washington must take steps to bolster data privacy as part of its efforts to support access to abortion.  Despite abortion remaining legal in Washington, patients traveling from other states are terrified of being criminally prosecuted for seeking legal health care in Washington.  Patients are afraid to seek care because of privacy concerns and fear of surveillance.  Women seeking reproductive services and transgender people seeking gender-affirming care are particularly at risk.  Undocumented people seeking basic health care are concerned that their data will one day be shared with immigration authorities.
 
Crisis pregnancy centers are under no obligation to maintain patient-doctor confidentiality, which puts people's personal health information at risk.  Currently available data management tools aggregate patient data to advance the anti-abortion agenda.
 
Some argue that this bill needs to be consistent with general data privacy bills enacted in other states.  However, consumer health data is not the same as other data collected, and it should be afforded added protections, which is exactly what this bill does.  The upcoming revised draft of the bill has undergone robust stakeholder process, and the input from the technology and health care industry has made the bill stronger.  The amended version addresses concerns about the overly broad definitions.

The legislators should ignore claims that this bill will cause the sky to fall and resist any attempts to weaken the bill, for example, by narrowing the definition of "consumer health data."  Good definitions are important, and companies should have no problem complying with this straightforward law and its requirements for opt-in consent before collecting or sharing health data.  The bill could be strengthened by removing the exemption for deidentified data.

(Opposed) The bill should apply equally to all medical facilities, including not only pregnancy resource centers, but also abortion facilities, gender-affirming care hospitals, specialized outpatient clinics, and other medical facilities.  The bill should not be used by bureaucratic agencies to protect abortion and gender-care facilities.

(Other) The overly broad definitions would negatively alter the consumer experience and fail to accomplish the legislative intent of the bill.  Without changes to key definitions, virtually all data would be included, including the purchase of everyday consumer products like toilet paper, deodorant, and even shoes.  The definition of geofencing should be clarified that it refers to a precise location rather than a broad unbounded area.  The operational provisions would be impossible to comply with because of the definitions, such as "sale" and "share," which are used differently throughout the bill.
 
The definition of "consumer health data" should be focused on uses because otherwise it would apply to a wide range of consumer data, even when that data is not used to facilitate the inference of health information.  More precise definitions focused on reproductive or gender-affirming care would better accomplish the intended goals of this legislation.  The bill is essentially an omnibus privacy legislation that is entirely unaligned with other states' privacy laws and requires opt-in consent for consumers' normal everyday purchases.
 
The bill should provide regulated entities with the right to cure.  If the bill is going to be enforced under the CPA, a consumer bringing a claim should be required to prove all five elements of a claim.
 
Today's passenger vehicles contain many complex safety features, including sensors that rely on facial detection technology, which is not the same as facial recognition technology, but the bill does not distinguish between these two different things.  Additionally, the bill seems to require consent for auto companies to process data for the vehicle safety features.
 
The health care industry supports the goal of the bill to extend HIPAA-like protections to health care data that is not covered by the HIPAA.  As currently drafted, there is a lack of clarity about what data is exempt.  In addition to the HIPAA, there are other laws that protect health care data, and the bill should not duplicate that well-established regulatory framework.

Persons Testifying: (In support) Representative Vandana Slatter, prime sponsor; Stanley Shikuma, Japanese American Citizens League and La Resistencia; Andrea Alegrett, Washington State Attorney General's Office; Nicole Kern, Planned Parenthood Alliance Advocates; Danni Askini, Gender Justice League; Jon Pincus, Indivisible; Anuj Khattar, Cedar River Clinics; Sasha Wasserstrom, Washington Immigrant Solidarity Network; Alicia Hupprich, Pro-Choice Washington; Yvette Maganya, Legal Voice; and Jen Lee, American Civil Liberties Union of Washington.

Persons Signed In To Testify But Not Testifying: Maya Morales, Washington People's Privacy; Cher Scarlett; Irene Knapp; Uma Raghavan; and Mary Lynne Courtney, League of Women Voters of Washington.