New Law Seeks to Protect Health Data, But Could Create Hurdles
Washington has passed a law designed to provide privacy protections to residents in the state by regulating the collection, sharing, and disclosure of consumer health data.
House Bill 1155, known as the My Health, My Data Act, was signed into law on April 27 by Washington Governor Jay Inslee. The state law notes that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) only covers health data collected by specific health care entities, including most healthcare providers. Health data collected by some entities, such as certain apps and websites, doesn’t have the same protections, the law says.
The legislation intends to give stronger protections to Washingtonians by requiring additional disclosures and consumer consent on the collection, sharing, and use of health data. It also allows patients to have health data deleted, prohibits the selling of health data without signed patient authorization, and makes it unlawful to establish a geofence around a facility that provides healthcare services.
“My Health, My Data [MHMD] protects the independence and dignity of individuals when they make healthcare decisions,” says Washington state Rep. Vandana Slatter (D), the bill’s sponsor. “It prevents vulnerabilities in the technological era that are being used to target and exploit consumers who may not be aware of the vast data that everything from our watches and phones collect.”
Some provisions, such as geofencing, go into effect July 22, 2023, with others beginning on March 31, 2024 (June 30, 2024, for small businesses). MHMD applies to regulated entities that do business in Washington or “produce or provide products or services” aimed at consumers in the state, while determining the “means and purposes of collecting or processing ‘consumer health data.’”
What the Law Means to Health Information Professionals
Kimberly Lee, MEd, RHIA, CCS-P, director of advocacy and collaboration for the Washington State Health Information Management Association (WSHIMA), says that health information (HI) professionals in Washington should be aware of the law’s impact on health data.
“It will be important for HI professionals working in traditional HIM [health information management] settings where HIPAA prevails to be cognizant of handling consumer information outside the boundaries of HIPAA because some organizations may use third-party apps,” Lee said.
For example, an organization could have a relationship with a third-party app that helps manage depression or anxiety. The organization could provide names of individuals to that third-party app, which could then market its product by advertising that it helps alleviate depression and anxiety.
“It is essential for those handling health information in Washington state to understand that [this law] does not apply to data already subject to federal law, such as HIPAA and financial data under the Gramm-Leach-Bliley Act (GLBA),” Lee said. However, HIPAA does not necessarily protect data from third-party apps, some wearable devices, and some websites, so Lee says it will be vital for HI professionals “to determine if they are within the scope of MHMD, especially if their organization has business they are conducting with apps, wearable devices, etc.”
Definition of Consumer Health Data
Unlike many recently enacted consumer privacy laws, MHMD defines “consumer health data” in broader terms as:
- “Personal information” that “identifies … or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer.”
- “Personal information relating to the past, present, or future physical or mental health of a consumer.”
This definition differs from other privacy laws, such as security breach notification laws, in that it does not determine consumer health to be tied specifically to treatment or diagnosis by a healthcare professional. In essence, the law “does not distinguish between highly sensitive personal health information and less sensitive personal information, each of which may fit within the law’s ‘consumer health data’ definition,” says Andrew Epstein, special counsel at law firm Cooley, based in Seattle.
From a consumer perspective, the law provides greater control over the collection and use of consumer health data outside HIPAA. However, for some regulated entities, particularly smaller businesses and not-for-profits with fewer resources, the law could create significant compliance burdens.
Because of the broad definitions of “healthcare services” and “regulated entity,” Epstein says the law may snare regulated entities whose core services have little to do with healthcare. In addition, “Consumer health data will encompass a range of health and wellness information, and the line between what is consumer health data and what is not will be very fuzzy,” he says.
Another concern is what impact the law will have on residents when traveling out of state and non-residents whose data is collected in Washington, says Adam Greene, a partner at law firm Davis Wright Tremaine in Washington, D.C.
According to Epstein, like most US and international privacy laws, MHMD does not set metrics or measure whether the law actually protects privacy. The law is also devoid of any revenue thresholds or a baseline number of individuals whose personal information a regulated entity must collect before the law applies, he adds.
“Washington’s legislature could have started the design of this law by identifying its ideal outcome—more privacy for certain consumers—and implementing a means to measure whether that outcome is achieved by the [law],” he said.
MHMD’s Potential Impact on Marketers and Other States
Under the law, regulated entities are limited in their ability to collect and share consumer health data for purposes not related to providing a product or service sought by a consumer, absent their consent. The law also restricts the selling of consumer health data without getting a HIPAA-like authorization. The wide-ranging definitions of “regulated entity” and “consumer health data,” among others, are likely to include marketing uses of non-sensitive and routine personal information.
Without the distinction between consumer health data and other types of personal information, MHMD will make it less appealing for marketers to collect, use, and sell consumer health data. Meanwhile, Washington’s law could lead to similar legislation in other states, expanding the number of complex privacy laws, Epstein says.
Such expansion could pose challenges to HI professionals, given the different approaches in regulating health information and data across states.
“It doesn’t help when [HI] professionals are dealing with the many state laws regarding the collection, use, and dissemination of healthcare information to a mobile population,” Lee says. “It creates a tremendous burden on the healthcare system.”
But Washington may be an outlier in enacting a law specific to consumer health data, Greene says. “I expect the trend to be that states will attempt to capture this information in general consumer privacy laws,” he says, adding that’s been their approach so far.
Epstein added, “It is unclear whether this law or any follow-ons will be stronger in the sense of truly providing more privacy to consumers.” He suggests that MHMD more likely “will create expensive compliance regimes with which only wealthy and entrenched organizations will be able to comply to the detriment of smaller, less-sophisticated and less-established companies.”
Christian Green is a freelance healthcare writer based in Utah.