Washington is poised to pass legislation that would implement substantive changes to consumer health data protections in the state, and potentially beyond.
House Bill 1155, the My Health My Data Act, would grant consumers the right to access, delete and withdraw consent from the collection, sharing or sale of their health data and includes express consent requirements for collecting, sharing and selling consumer health data. It would require companies to implement a detailed health data policy and prohibit implementing a geofence around a facility providing in-person health care services.
But perhaps most notably, it establishes a private right of action for violations, enforceable under Washington’s Consumer Protection Act.
“The My Health My Data Act would be the first law of its kind in the U.S. to take a comprehensive approach to the protection of consumer health information and, like the California Consumer Privacy Act, could inspire the adoption of similar legislation in other states,” Future of Privacy Forum Policy Fellow Felicity Slater said. “In addition, the My Health My Data Act would be the first significant sectoral state privacy framework to include a private right of action since the adoption of the Illinois Biometric Information Privacy Act in 2008.”
The bill passed the Senate with amendments in a 27-21 vote 5 April and returns to the House — where it passed 4 March — for concurrence. If accepted by the House, it then moves on to Gov. Jay Inslee for final action.
If passed, most sections of the bill would take effect 31 March 2024, though the geofencing prohibition would go into effect 90 days after the bill’s passage.
My Health My Data Act’s broad scope
“Information related to an individual’s health conditions or attempts to obtain health care services is among the most personal and sensitive categories of data collected. Washingtonians expect that their health data is protected under laws like the Health Information Portability and Accountability Act,” the bill states. “However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections. This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers’ health data.”
In addition to protecting private health care data not currently covered by HIPAA, ACLU of Washington Technology and Liberty Project Manager Jennifer Lee said the bill “will decrease barriers to abortion and gender-affirming health care access.”
But Hintze Law Partner Mike Hintze, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, said the act goes “far broader than just regulating health data” with definitions that “make it potentially applicable to almost any kind of personal data,” “substantive requirements unlike any other privacy law,” and “unprecedented obligations.” He said it requires opt-in consent for “many common, and benign and useful, data uses,” notice requirements including a separate “and redundant” privacy notice, and deletion requirements “with practically no exceptions.”
The bill covers any entity that conducts business in Washington state or that sells products or services there.
Slater said many of the bill’s definitions — including “consumer health data,” “biometric data” and “health care service” — appear substantially broader than definitions within other federal and state privacy laws, “meaning that the bill may apply to many companies that do not currently consider themselves to collect or process health information.”
Digital health platform Evidation Health Head of Privacy Lauren Wu, CIPP/US, who spoke on her own behalf, said the bill’s “very broad” definitions “may bring into scope data and processing activities that likely were not intended to be included and would not necessarily result in more protection for those more sensitive categories of health data.”
Wu noted health data, including related demographic data, is necessary to “the development of potentially life saving and quality of life enhancing innovation.” Though the My Health My Data Act appears to include exemptions, including for certain research and data already regulated under other laws and regulations like HIPAA, she said these exceptions are “limited” and “apply only at the data — and not entity — level.”
“These exemptions are usually insufficient to prevent potentially damaging impacts to health-related research and innovation,” she said.
In particular, she said regulated entities will have just 30 days to comply with data deletion requirements and will no longer be able to decline, or delay, deletion requests for legitimate purposes, like meeting certain legally required record keeping and retention requirements.
Adaptive Biotechnologies Head of Privacy Alea Garbagnati, CIPP/US, speaking on her own behalf, said regulated companies are required to retain data for a period of time, which can span years to decades under requirements by the U.S. Food and Drug Administration, Clinical Laboratory Improvement Amendments, and others.
“If we cannot rely on exemptions and there are no exceptions to these deletion requests, then we are going to be in a place where it’s like which law do we want to comply with, and that is not a good position to put any company in when both laws are intended to do something good,” she said.
Adding ‘additional complexity’ to the regulatory environment
Consumers could sue for violations of the My Health My Data Act under Washington’s Consumer Protection Act. If plaintiffs can prove injury, they could receive up to treble damages.
“This bill will be a boon for compliance attorneys, litigation departments, and most of all, trial lawyers. Sadly, its overbreadth may well mean that notifications for collecting and sharing truly sensitive reproductive health and gender-affirming care data get lost in the shuffle of opt-in notifications for innocuous, everyday transactions,” said Mariner Strategies President Andrew Kingman, who advocated on behalf of the business industry during the drafting process.
Without the private right of action, Hintze said the bill’s “broad definitions and vague language” would be “far less concerning.”
“Companies could place some faith in the attorney general exercising judgment and discretion to pursue bad actors and enforcement actions designed to further the stated objectives of the legislation,” he said. “However, the incentives for plaintiffs’ lawyers are far different, where they will look for technical violations, ‘gotcha’ claims, and cases that are most likely to result in a quick settlement and quick payday.”
With the ever-evolving state privacy legislative landscape, Goodwin Procter Partner and IAPP Westin Emeritus Fellow Omer Tene said a law with a private right of action, once in place and enforced, could “build pressure on Congress to act” on federal legislation. The My Health My Data Act, he said, will add to the “regulatory maze that companies need to navigate, including the multiplication of state laws and FTC enforcement actions.”
“Many companies respond to BIPA by staying out of Illinois. Clearly, that strategy loses momentum as more states introduce a private right of action,” he said.
Wu said the My Health My Data Act “adds extra complexity to an already difficult to navigate legal and regulatory environment, making it more difficult and increasingly burdensome for companies to comply.” This, she said, ultimately has a negative effect on consumers.
“The result of the continued expansion of the patchwork of privacy laws in the U.S. is likely that consumers may become less informed, less engaged, and less empowered as privacy notices become ever more complicated and filled with legalese, consent forms become more confusing, too numerous, or unnecessarily voluminous, and processes for consumers to effect their data-related requests become more cumbersome,” she said.
As the Washington bill appears likely to pass in the coming days, Wu said it is “necessary that companies find ways to protect these types of health data, be transparent with consumers about the company’s data practices and data usage, and ensure that individuals are easily able to exercise control over their own data, especially when it involves sensitive health data.”