Washington's My Health, My Data Act

Evergreen health data protections

On 27 April, Gov. Jay Inslee, D.-Wash, signed the My Health My Data Act, which aims to "close the gap" between current industry practices and consumers’ understanding of how their health data is collected, stored and transferred. The votes in the legislature to pass the law fell largely along party lines in both the House and Senate, with almost all Democratic lawmakers voting in favor. According to the law's primary sponsor Rep. Vandana Slatter, D-Wash., it is "part of a comprehensive pack of legislation from House Democrats" that responds to the U.S. Supreme Court decision in Dobbs v. Jackson Women's Health Organization and protects Washingtonians’ health privacy, especially for reproductive health care. This law reflects health data-focused trends in other states, such as California’s introduced amendment to the California Consumer Privacy Act and New York’s introduced bill, which both aim to provide more data privacy protections for health data outside the scope of the Health Insurance Portability and Accountability Act.

The consent-driven law essentially requires one of two possible legal bases for processing health-related data: consent or necessity. Either consent or necessity is required for collection and any processing of any consumer health data, and a regulated entity must obtain separate consent or meet the same necessity standard to share the data. Further, selling it requires a special written and signed authorization from the consumer. The definitions of consumer, covered data and health care services are broad, bringing a wide spectrum of data and entities into the scope of the MHMDA. The breadth of relevant data is important for businesses because the law recognizes a private right of action for consumers to sue companies for violating any provision of the act.

Scope

Entities