Privacy & Information Security Law Blog

On April 27, 2023, Washington State Governor Jay Inslee signed the My Health My Data Act into law, making Washington the first state to establish a comprehensive health data privacy law in the United States.

Most of the law’s substantive provisions apply to “regulated entities” that (1) conduct business in Washington state or offer products or services targeted at consumers in the state, and (2) determine the purpose and means of collecting, processing, sharing, or selling of consumer health data. The term “consumer health data” is broadly defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.” “Physical or mental health status” includes items such as individual health conditions, treatment, diseases, or diagnosis and use or purchase of prescribed medications (but does not explicitly exclude non-prescription medication).

The Act requires regulated entities to obtain the consent of Washington consumers before collecting or sharing the consumers’ health data unless the collection or sharing is necessary to provide a product or service requested by the consumer. In addition, the Act requires regulated entities to maintain a detailed consumer health data policy. The Act also grants consumers the right to access the health data the regulated entity collected, shared or sold about them. Consumers will have the right to delete information that concerns them and to withdraw consent for the covered entity’s collection or sharing of the consumer’s health data.

Other provisions of the Act apply to any “person” (i.e., not only regulated entities). First, under the Act, it is unlawful for any person to sell or offer to sell consumer health data concerning a consumer without first obtaining valid authorization from the consumer. Second, the Act prohibits any person from establishing a geofence around an entity that provides in-person health care services, where the geofence is used to (1) identify or track consumers seeking health care services, (2) collect consumer health data from consumers, or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. Notably, “health care services” is broadly defined to mean “any service provided to a person to assess, measure, improve, or learn about a person's mental or physical health.” The term “health care services” specifically includes use or purchase of medication (i.e., not just prescription medication).

The Act is enforceable by the Washington Attorney General and via a private right of action under Washington’s Consumer Protection Act. The Act’s effective date is July 23, 2023. Most of the law’s substantive provisions will not apply until March 31, 2024. Notably, the law’s geofencing prohibition will become effective on July 23, 2023.