Washington’s health data bill explained: ‘strongest protections outside of HIPAA’
Washington state is on the brink of enacting a sweeping law that would upend how businesses collect, share and sell consumer health-related data.
A Washington state bill designed to establish new privacy protections for consumer health data passed this week in the state Senate by a 27-21 vote after advancing through the House.
The development could have serious implications for the sharing and sale of consumer health data for advertising purposes.
If signed into law, HB1155 (the My Health My Data Act) would create new rules for the collection, sharing and sale of consumer data concerning health. Broadly, the bill seeks to expand protections beyond the specific data already covered by the federal Health Insurance Portability and Accountability Act (HIPAA), which applies only to certain healthcare entities and their business associates. The My Health My Data Act would cover health-related data that falls outside HIPAA and would apply to non-healthcare entities such as web and mobile publishers, app operators and other businesses.
“If enacted, it will provide for the strongest protections for health related data outside of the HIPAA context in the United States,” says Cobun Zweifel-Keegan, the Washington, DC managing director of the International Association of Privacy Professionals.
Many policy experts predict that the bill will be enacted in the near future.
Here are HB1155’s topline takeaways.
1. An expanded definition of health data
My Health My Data is the first of its kind in its breadth and scope.
For one, Zweifel-Keegan says, “it provides very expansive definitions of health-related data.” Beyond simply encompassing data on specific medical conditions and diagnoses, it covers biometric information and location data that can be used to make conjectures related to health.
“It includes any kind of inference that companies may come up with that falls into any of the health-related categories, even coming from non-health data, but just regular personal information,” says Zweifel-Keegan. “Because of that, it could apply to a lot of companies that don't really think of themselves as processing health data.”
He gives an example concerning location data – information that many businesses monitor for targeted advertising purposes. “Location information could reveal that you visited a healthcare service – not just for reproductive health, but for any kind of health-related service or product. So potentially going to CVS would be something that couldn't be a targetable parameter. This [law] would ask location data providers to scrub not just particularly sensitive health decisions, but all [kinds of data that might be used to make health inferences about consumers] just to be sure.”
Under the bill in its current form, consumer health data means personal information that is linkable to an individual Washington resident, or to a person whose data was collected in Washington, and that identifies the consumer’s past, present or future physical or mental health status.
Data subject to the law, if enacted, includes “individual health conditions, treatment, status, diseases or diagnoses; social, psychological, behavioral and medical interventions; health-related surgeries or procedures; use or purchase of medications; bodily functions, vital signs and symptoms; diagnoses or diagnostic testing, treatment or medication; gender-affirming care information; reproductive or sexual health information; biometric data; genetic data; precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; and information that is derived or extrapolated from nonhealth information.”
Some critics have pointed out that such a far-reaching definition of health-related data may create unnecessary ambiguity. But privacy advocates like Arielle Garcia, chief privacy officer at IPG-owned agency UM Worldwide, say that the definition should push players in the data brokering and advertising spaces to tighten up their data practices. “All sides of the online marketing and advertising ecosystem would be well-served to heed these signals by proactively limiting the collection and use of health information to what is necessary and aligned with the expectations and interests of consumers. Failure to do so will undoubtedly serve to accelerate the broader regulatory scrutiny of commercial data collection and use…” she says.
2. More explicit consent requirements
The My Health My Data Act aims to give consumers more control and transparency over how their personal information is used. One means of doing so is through an opt-in mechanism.
If signed into law, the bill would forbid the collection of any consumer health data except with the consumer’s consent for a specified purpose, or “to the extent strictly necessary to provide a product or service that the consumer … has requested from such regulated entity.” The same requirements would apply to sharing consumer health data.
The bill’s definition of consumer consent is closely modeled on the one in the EU’s General Data Protection Regulation (GDPR), calling it “a clear affirmative act by a consumer that openly communicates a consumer’s freely given, informed, opt-in, voluntary, specific, and unambiguous written consent, which may include written consent provided by electronic means.”
Further, if an entity intends to sell a consumer’s health-related data, it would have to obtain a separate written authorization from that consumer. The authorization would need to specify the purpose of the sale and provide the name and contact information of the entity purchasing the data.
This rule has widespread implications for the information economy (and advertising in particular) because it will, as Zweifel-Keegan puts it, “have an impact on any kind of companies like data brokers that might be purchasing data from a variety of sources.”
The bill also gives consumers the right to withdraw consent, along with rights to confirm whether an entity is processing their data and to have that data deleted.
3. A focus on reproductive health and women’s privacy
Part of the reason for HB1155’s expanded definition of health data, which can encompass even location data, is the protection of women’s health data privacy. It’s an especially salient topic for Washington state: neighboring Idaho recently made it a crime to help a minor travel out of state, including to Washington, for abortion care without parental consent. (Informational privacy has become a central theme in America’s regulatory debate about abortion.)
Washington Attorney General Bob Ferguson made it clear that the new bill is specifically meant to create privacy protections for residents’ reproductive health choices. “The intent and mission is to protect very private information that women often place on things like apps that they think are protected but actually there’s no protections under the law,” Ferguson told KING 5 News, a Seattle television station. “As one example, if you are tracking your period under an app, you may think that there is some law that protects you from that owner of that app from selling your information or turning it over to law enforcement, but in fact, [there are] no protections at all.”
Ferguson also told KING 5 that his office has asked lawmakers to extend HIPAA-like protections for personal health decisions to other contexts as well. Given the increasing pressure on Washington to safeguard reproductive rights in the region, Zweifel-Keegan expects that the state’s governor, Democrat Jay Inslee, is unlikely to veto the bill when it reaches his desk.
4. A range of requirements
Outside of the strong focus on obtaining consumer consent, entities subject to the My Health My Data Act would also be required to adhere to a handful of other rules.
They would need to respond to consumer requests concerning their health data, including requests for access, consent withdrawal and deletion, and to implement an appeal mechanism for consumers whose requests are refused.
Entities would also be required to restrict access to consumer health data solely to those whose access is necessary to provide the product or service to the consumer.
5. A strong private right of action
My Health My Data also includes a private right of action, empowering consumers in Washington to take legal action against entities for violating their health data privacy rights.
Violations would be enforceable under Washington’s general consumer protection law, so Washington consumers who are able to show injury could sue for damages – something Zweifel-Keegan says is “potentially very impactful” for both consumers and businesses dealing in consumer data.
The bill’s private right of action is broader than some comparable protections in other state-level data privacy laws in the US.
6. A broad scope of applicability
If signed into law, My Health My Data would apply to any legal entity that conducts business in Washington state or targets its products or services at Washington residents, and that, alone or jointly with others, determines the purpose and means of collecting, processing, sharing or selling consumer health data.
Unlike many other data privacy and protection laws in the US, the My Health My Data Act does not include specific revenue or size thresholds for applicability.
What it means for adland
The bill’s expanded definition of health data, far-reaching protections and private right of action are likely to put the data brokering and advertising industries on high alert.
“This effort by Washington should serve to further underscore that health-related data, including derived data and behavioral data that can enable inferences about a person's health, warrants heightened protection by all companies,” says UM Worldwide’s Garcia.
Organizations of all kinds should take the opportunity to scrutinize their own business practices as they relate to consumer health data, she says. “Retailers, for example, should consider how they are safeguarding health-related purchase data, and whether their customers are provided with sufficient transparency and choice in how this data is collected, shared and used. Marketers of health and wellness-related goods and services, along with digital platforms and publishers of health-related content, should consider the data that they collect and share – whether via pixel, SDK, API, or in the form of customer lists used for audience activation. Platforms and providers of audience data should similarly evaluate whether they are making available or enabling use of health data for ad targeting, to the extent they are not already doing so in light of [other regulations like] the EU Digital Services Act package.”
The My Health My Data Act has already gained more momentum than some of its predecessors did. For three consecutive years, from 2019 to 2021, the Washington Legislature failed to pass a comprehensive general data privacy bill, with the inclusion of a private right of action being a key stumbling block.
The My Health My Data Act, having already passed in both chambers of the state legislature, stands a stronger chance of being enacted. It is now back in the House for concurrence on the Senate’s amendments, and it is widely expected to pass. If it does, it will then make its way to the desk of Governor Jay Inslee.
“From one of the state tracking people that I've talked to, and people on the ground in Washington, it seems likely to [advance],” says Zweifel-Keegan.