On April 27, 2023, Washington State Governor Jay Inslee signed a far-reaching health privacy law entitled the “My Health My Data Act” (the Act), which extends protections to consumer health data collected by entities not currently covered under the Health Information Portability and Accountability Act of 1996 (HIPAA). The Act may transform the already fast-evolving healthcare privacy landscape, and could impose onerous obligations on entities that do not process traditional categories of health data.1 Unlike HIPAA, the Act provides for a private right of action, which could heighten risks for entities subject to the law. Below is a high-level analysis of the Act.
Key Takeaways from the Act
Attempts to limit the broad definition of “consumer health data” during the legislative process and to clarify that the term is not intended to include information from everyday purchases such as footwear, groceries, cleaning products, and first aid supplies were rejected, so the actual scope of “consumer health data” will likely be left to the courts to determine through the inevitable private actions that will follow.
This sweeping Act is likely to pose compliance challenges even to those businesses that have taken measures to comply with the CCPA and other comprehensive state laws. We recommend that businesses reevaluate their compliance programs, as the compliance deadline for many is less than a year away.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your compliance efforts related to the My Health My Data Act, please contact Tracy Shapiro, Haley Bavasi, Eddie Holman, Hale Melnick, Yeji Kim, or any member of the firm’s privacy and cybersecurity practice.
We previously covered the Federal Trade Commission’s recent enforcement actions involving consumer health data in the following Wilson Sonsini Alerts: “FTC Announces First Enforcement Action Under the Health Breach Notification Rule Against GoodRx” and “FTC Announces Settlement with BetterHelp for Disclosing Consumers’ Health Information to Third-Party Advertisers.”
Note that the definition of “biometric data” could conceivably include pictures of individuals’ faces and voice recordings, regardless of whether any identifier templates are extracted from such information. In that case, such pictures and recordings could then be considered to be “consumer health data” provided that the pictures or recordings are capable of being associated with a particular consumer.