Washington Gov. Jay Inslee (D) signed the My Health, My Data Act into law on Thursday. The law will take effect on March 31, 2024, leaving companies about a year to prepare for the sweeping health data protections.
Inslee signed the bill alongside four others that "protect the right to abortion, gender-affirming care and other health freedoms" in Washington state, according to an announcement on , where he frequently posts about recent legislation.
In a , he said the legislative package "will keep the tentacles of oppressive and overreaching states out of Washington."
The that it "works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers' health data." The law applies to Washington-based companies, as well as any entities that have Washingtonians' health data.
"My Health, My Data protects the independence and dignity of individuals when they make healthcare decisions," said State Rep. Vandana Slatter (D). "It prevents vulnerabilities in the technological era that are being used to target and exploit consumers who may not be aware of the vast data that everything from our watches and phones collect."
New protections include prohibiting the sale of health data, requiring disclosure of data collection and sharing, allowing consumers to have their health data deleted, and banning geofences around facilities that provide in-person healthcare services.
Alya Sulaiman, JD, a partner at McDermott Will & Emery in Chicago and a certified information privacy professional, said the law protects health information itself, especially outside the bounds of HIPAA.
"The law includes exceptions for HIPAA-regulated entities that are handling PHI [protected health information] consistent with their responsibilities under HIPAA. So in that case, doctors and provider organizations are actually in a good spot," she said. "It's a common misconception that HIPAA protections flow with data."
Sulaiman also noted that the My Health, My Data Act defines health information in broad terms, which is part of what makes the legislation so sweeping.
"This, to me, is like one of the most significant privacy bills that we've seen out of any state legislature and I say that because of the breadth of information that it seeks to protect," she said.
Entities can use health data only in the ways for which they explicitly received consent from the consumer.
Aaron Burstein, JD, a partner at Kelley Drye & Warren in New York City, agrees with Sulaiman that the categorization is broad.
"Well, I think one thing that's important is that there aren't really any different categories or tiers of consumer health data, it's all afforded the same level of protection, regardless of how sensitive it might be," he said. "I think that when companies are looking at this law, it's important to remember that once data is consumer health data, it's subject to all these protections and it really doesn't matter at that point how sensitive you might reasonably think a piece of information is."
In other words, it's possible that sensitive information like biometric data or test results could be treated the same way as data from fitness trackers or purchases related to bodily functions, such as deodorant, menstrual products, and toilet paper.
Burstein warns that while HIPAA-covered entities will mostly continue on as normal, there are still some areas that need to be considered when using data under the new law.
"Entities that are subject to HIPAA, whether they're healthcare providers or hospitals or similar institutions, are not properly carved out. So if they're handling health information outside of HIPAA, for example, anything that might be in connection with their websites or apps or things of that nature, then they are subject to My Health, My Data, at least for Washington residents," Burstein said.
Inslee explicitly tied My Health, My Data to other bills protecting gender-affirming and abortion care, and Burstein sees that in the legislation itself.
"It's an influence that I think is motivating some states, such as Washington, to create stronger protections through statutes. But I would just emphasize again that My Health, My Data sweeps much more broadly than that. So it's not limited to reproductive health or any specific area of health information," he added.