Written by: Sarah Johnson | May 31, 2023

This week we'll take a look at a very interesting bill out of Washington, the My Health My Data Act. This bill continues a trend of states passing legislation to give their residents more control over their data. We'll cover some background, the Washington My Health My Data Act itself, how it relates to Roe v. Wade, and other similar legislation.

Some Background We've Covered

In 2018 Europe passed the General Data Protection Regulation (GDPR), the first big bill in the world covering a wide array of consumer data privacy rights. The GDPR gives individuals more control over their personal information and has forced companies to reframe how they think about data privacy. Since GDPR passed, "privacy by design" has become a leading design principle for the future of business.

In June of 2018, California passed the California Consumer Privacy Act (CCPA), putting in place similar protections to the GDPR. After the CCPA took effect in 2018, Nevada passed SB220. This bill provided Nevada state residents a limited right to opt out of sale of their "covered information". In June 2021, we then took a look at NV SB260. This second bill expanded and improved upon Nevada’s previously existing right to opt-out of the sale of “covered information”, among other privacy related provisions.

In 2019, we took a look at the American Data Dissemination (ADD) Act. This bill, which did not pass, would have required the FTC to submit detailed recommendations for privacy requirements. Congress would then take these recommendations into consideration and impose them on tech companies that handle massive amounts of our personal data (think Apple, Facebook, Google, Twitter). We also shared a press release from citizen.org in 2019 titled Curbing Companies' Bad Behavior Will Require Stronger Data Privacy Laws and a New Federal Data Privacy Agency.

In 2022, we took a deep dive examining what many states around the US have done since the passage of GDPR and CCPA. We started with the Oklahoma Computer Data Privacy Act. This bill created consumer privacy rights for Oklahoma residents and required consumer opt-ins and consent for the collection, use, and retention of their personal data. Importantly, it provided a right to deletion of their data and the right for an individual not to be discriminated against for exercising these rights.

Next we looked at the Virginia Consumer Data Protection Act (VCDPA). At a high level, all companies doing business in Virginia or utilizing data to market to Virginians now have to audit their collection processes and use of consumer personal information to ensure their practices comply with the new protections afforded to consumers. Under the VCDPA, Virginia residents have the right to access, correct, delete, move, and opt-out of the sale and processing of their personal information within certain outlined circumstances.

Finally, we looked at the Colorado Privacy Act. This act made Colorado the third state to enact comprehensive privacy legislation and provides Colorado residents with the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling.

All of these acts have very much to do with online collection of personal information, but what happens when personal information meets health data? Enter the Washington My Health My Data Act.

The Washington My Health My Data Act

The bill we're diving into today is a variation on the consumer data privacy theme, but focused on consumer health data. The Washington My Health My Data Act, WA HB155, points out that the usual health data privacy protection we think of, HIPAA, only covers data collected by certain health care entities, but notably does not cover data collected by apps and websites. Between COVID-19 forcing so much of healthcare to get online and market demand to have these services accessible to patients via apps and websites, this is a huge missing piece of protecting our data. The new reality of what our healthcare system has turned into means there is a serious need for some modernization of how data is collected, stored, and protected.

People assume their health care data is private. This bill "works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections" with some GDPR-flavored protections. The bill mirrors GDPR in ways like requiring consumer consent for the collection, sharing, and use of health data, giving consumers the right to have that data deleted if they want, and prohibiting the sale of health-related data without authorization.

"Covered entities" are now required to obtain the consent of Washington consumers before collecting or sharing the consumers’ health data. In addition, covered entities must maintain a detailed consumer health data policy, and post a “Consumer Health Data Privacy Policy” notice. The bill also throws in an interesting wrinkle, making it unlawful to utilize a geofence around a facility that provides health care services.

“Consumer health data” is defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. Consumer health data in the bill specifically includes:

  • Individual health conditions, treatment, diseases or diagnoses
  • Social, psychological, behavioral and medical interventions
  • Health-related surgeries or procedures
  • Use or purchase of prescribed medication
  • Bodily functions, vital signs, symptoms or measurements of the information expressly identified in the definition of consumer health data
  • Diagnoses or diagnostic testing, treatment or medication
  • Gender-affirming care information
  • Reproductive or sexual health information
  • Biometric data
  • Genetic data
  • Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies
  • Data that identifies a consumer seeking healthcare services
  • Any information that a regulated entity, or its respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred or emergent data by any means, including algorithms or machine learning).

The Act applies to any legal entity that (1) conducts business in Washington state or offers products or services targeted at consumers in the state, and (2) determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.

The Washington My Health My Data bill was signed by the Governor on April 27th and will become effective March 31, 2024. The Act is enforceable by the Washington Attorney General and via a private right of action under Washington's Consumer Protection Act.

How does the My Health My Data Bill Tie back to the Dobbs SCOTUS Decision?

News Release from Washington State Attorney General on October 21, 2022 -- Attorney General Bob Ferguson announced today that he is partnering with Rep. Vandana Slatter, D-Bellevue and Sen. Manka Dhingra, D-Redmond, to propose legislation in the 2023 legislative session to increase data privacy protections in the wake of the Dobbs Supreme Court decision and empower Washingtonians with more control over their health data.

This release describes a piece of legislation that directly mirrors the My Health My Data Act. So the legislation is directly tied to the SCOTUS decision on Dobbs v. Jackson Women's Health Organization, but why?

After Dobbs overturned Roe v. Wade, many states have been scrambling to figure out what that means for the future of abortion access in their state. States are generally either banning abortion, enacting aggressive civil and/or criminal laws related to seeking an abortion, or codifying legal access to abortion care within the state. Some states have passed laws which would penalize those who travel to other states to receive reproductive health care services (like abortions) that are banned within their home state.

In April, Idaho passed a bill which prohibits people in Idaho from helping pregnant minors leave the state to obtain abortions. Texas’s six-week abortion ban, passed in 2021, incentivizes private citizens to bring civil lawsuits against those suspected of helping to facilitate an out-of-state abortion for a Texas resident. Missouri also proposed a bill aimed at allowing private citizens to sue anyone who helps a Missouri resident obtain an abortion out of state, but it failed.

In order for these legislative bans or civil lawsuits related to out-of-state abortions to move forward, the state or private citizens would have to have some way of knowing whether or not someone left the state with the purpose of seeking an abortion, and then had one. Based upon that fact, many states looking to protect abortion access have become concerned that law enforcement agencies and anti-abortion private litigants could, and would, gain access to personal health information held by private entities (for example, by means of website or application data). This data could reveal details about an individual's pregnancy or attempts to obtain banned reproductive health care services. Examples range from a phone application that lets you check in for a visit at a clinic which also provides reproductive health care services, to a period tracking application's data on a user.

As stated in the release, this bill will:

  • Prohibit organizations from selling Washingtonians’ health data
  • Block apps and websites — like health tracking apps, search engines and advertisers — from collecting and sharing Washingtonians’ health data without their consent
  • Prohibit “geofences” from being used at reproductive and gender affirming health care facilities. Geofences are a virtual perimeter around a physical location that can be used to send messages to a person who enters a specific location

For more about the Dobbs decision and abortion trigger laws, check out this post.

Similar Legislation

There are a few bills of note with similar language related to health data and geofencing currently in progress, including CT SB3, IL HB3603, NV SB370, and NY A4983, all of which are currently in committee waiting to be heard.

Connecticut's SB3 is getting the most press around the fact that it would require social media platforms to get parental consent before allowing minors to open accounts, but that is just one of seven objectives outlined in the bill. The bill would also set out standards concerning the provision of access to, and sharing of, consumer health data, prohibit geofencing of certain health data, establish additional requirements concerning minors' personal data and social media platform accounts, revise disclosure requirements relating to warrants directed to providers of electronic communication services and remote computing services, and more. The bill also states that "reproductive or sexual health information" is included in the definition of "consumer health data". "Reproductive or sexual health information" in the bill means "any personal information concerning seeking or obtaining past, present or future reproductive or sexual health services", including having an abortion or seeking medical or nonmedical services provided in conjunction with an abortion. Nevada's bill is also similar.

Illinois' Protect Health Data Act is more in line with GDPR guidelines related to health data, and does not have any specific call-outs related to "reproductive or sexual health information". New York's bill is also similar in that there are no call-outs for reproductive or sexual health information, but it does provide for the protection of health information, establishes requirements for communications to individuals about their health information, and requires either written consent or a designated necessary purpose for the processing of an individual's health information.

Conclusion

This bill is so interesting to me for a couple of reasons. First, it is so interesting to see how health data has changed in general, but especially since the start of the pandemic. HIPAA is not enough anymore and we definitely need some new laws passed that recognize the modern world of digital health data. Second, the fact that this bill was not specifically introduced for that reason, but instead based on concerns about how we have seen the overturn of Roe v. Wade playing out, is even more perplexing. The different ways this bill is looking to insulate people from the risk of "reproductive or sexual health information" getting shared in ways they do not consent to, going as far as prohibiting geofencing, mean Washington is very serious about safeguarding not only obvious data, but non-obvious data that could theoretically fall into the "wrong" hands. I am interested to see how this idea and space evolves over time, and whether we will see any cases of prosecutions or suits based on data collected from a website or application.
