
Washington My Health My Data Act: Requirements and Exceptions

Melissa Krasnow | August 25, 2023


The Washington My Health My Data Act's (Act's) definitions were discussed in the article "Washington My Health My Data Act: Definitions." This article describes the following provisions of the Act and exceptions to the Act.

All persons must comply with the Act's geofencing prohibition beginning July 23, 2023.

Beginning March 31, 2024, regulated entities (except small businesses) and, beginning June 30, 2024, small businesses, must comply with the Act's consumer rights, privacy policy, consumer health data collection and sharing, and access restriction and data security practices requirements.

Beginning March 31, 2024, processors and regulated entities (except small businesses), and beginning June 30, 2024, small businesses, must comply with the Act's processor contract requirements.

Beginning March 31, 2024, all persons (except small businesses), and beginning June 30, 2024, small businesses, must comply with the Act's consumer health data sale and valid authorization requirements.

Consumer Rights

A consumer has the right to do the following.

  • Confirm whether a regulated entity or a small business is collecting, sharing, or selling consumer health data concerning the consumer and access such data, including a list of all third parties and affiliates with whom the regulated entity or the small business has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact these third parties.
  • Withdraw consent from the regulated entity's or the small business's collection and sharing of consumer health data concerning the consumer.
  • Have consumer health data concerning the consumer deleted and may exercise that right by informing the regulated entity or the small business of the consumer's request for deletion.

A consumer may exercise the rights in the Act by submitting a request, at any time, to a regulated entity or a small business.

Privacy Policy

A regulated entity and a small business must maintain a consumer health data privacy policy that clearly and conspicuously discloses the following.

  • The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;
  • The categories of sources from which the consumer health data is collected;
  • The categories of consumer health data that is shared;
  • A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
  • How a consumer can exercise the consumer rights described above.

A regulated entity and a small business must prominently publish a link to its consumer health data privacy policy on its homepage.

It is a violation of the Act for a regulated entity or a small business to contract with a processor to process consumer health data in a manner that is inconsistent with the regulated entity's or the small business's consumer health data privacy policy.

Consumer Health Data Collection and Sharing

A regulated entity or a small business may not collect any consumer health data except for the following.

  • With consent from the consumer for such collection for a specified purpose; or
  • To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business.

A regulated entity or a small business may not share any consumer health data except the following.

  • With consent from the consumer for such sharing that is separate and distinct from the consent obtained to collect consumer health data; or
  • To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business.

Such consent must be obtained prior to the collection or sharing, as applicable, of any consumer health data, and the request for consent must clearly and conspicuously disclose the following.

  • The categories of consumer health data collected or shared;
  • The purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used;
  • The categories of entities with whom the consumer health data is shared; and
  • How the consumer can withdraw consent from future collection or sharing of the consumer's health data.

A regulated entity or a small business may not unlawfully discriminate against a consumer for exercising any rights included in the Act.

Access Restriction and Data Security Practices

A regulated entity and a small business must do the following.

  • Restrict access to consumer health data by the employees, processors, and contractors of such regulated entity or small business to only those employees, processors, and contractors for which access is necessary to further the purposes for which the consumer provided consent or where necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business; and
  • Establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy the reasonable standard of care within the regulated entity's or the small business's industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.

Processor Contract Requirements

A processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity or the small business that sets forth the processing instructions and limits the actions the processor may take with respect to the consumer health data it processes on behalf of the regulated entity or the small business.

A processor may process consumer health data only in a manner that is consistent with the binding instructions set forth in the contract with the regulated entity or the small business.

If a processor fails to adhere to the regulated entity's or the small business's instructions or processes consumer health data in a manner that is outside the scope of the processor's contract with the regulated entity or the small business, the processor is considered a regulated entity or a small business with regard to such data and is subject to all the requirements of the Act with regard to such data.

A processor must assist the regulated entity or the small business by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the regulated entity's and the small business's obligations under the Act.

Consumer Health Data Sale and Valid Authorization Requirements

It is unlawful for any person to sell or offer to sell consumer health data concerning a consumer without first obtaining valid authorization from the consumer.

The sale of consumer health data must be consistent with the valid authorization signed by the consumer. This authorization must be separate and distinct from the consent obtained to collect or share consumer health data, as required regarding consumer health data collection and sharing and as more particularly described above.

A valid authorization to sell consumer health data is a document that must be written in plain language and must contain the following.

  • The specific consumer health data concerning the consumer that the person intends to sell;
  • The name and contact information of the person collecting and selling the consumer health data;
  • The name and contact information of the person purchasing the consumer health data from the seller of the consumer health data;
  • A description of the purpose for the sale, including how the consumer health data will be gathered and how it will be used by the purchaser of the consumer health data when sold;
  • A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
  • A statement that the consumer has a right to revoke the valid authorization at any time and a description on how to submit a revocation of the valid authorization;
  • A statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected hereby;
  • An expiration date for the valid authorization that expires 1 year from when the consumer signs the valid authorization; and
  • The signature of the consumer and date.

An authorization is not valid if the document has any of the following defects.

  • The expiration date has passed;
  • The authorization does not contain all the information required hereunder;
  • The authorization has been revoked by the consumer;
  • The authorization has been combined with other documents to create a compound authorization; or
  • The provision of goods or services is conditioned on the consumer signing the authorization.

A copy of the signed valid authorization must be provided to the consumer.

The seller and purchaser of consumer health data must retain a copy of all valid authorizations for sale of consumer health data for 6 years from the date of its signature or the date when it was last in effect, whichever is later.

Geofencing Prohibition

It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to do the following.

  • Identify or track consumers seeking health care services;
  • Collect consumer health data from consumers; or
  • Send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.

Exceptions

The Act does not apply to the following.

  1. Information that meets the definition of the following.
    1. Protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996 and related regulations (collectively, "HIPAA");
    2. Health care information collected, used, or disclosed in accordance with chapter 70.02 RCW;
    3. Patient identifying information collected, used, or disclosed in accordance with 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;
    4. Identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization; the protection of human subjects under 21 C.F.R. Parts 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the requirements set forth herein;
    5. Information and documents created specifically for, and collected and maintained by, the following.
      I. A quality improvement committee for purposes of RCW 43.70.510, 70.230.080, or 70.41.200;
      II. A peer review committee for purposes of RCW 4.24.250;
      III. A quality assurance committee for purposes of RCW 74.42.640 or 18.20.390;
      IV. A hospital, as defined in RCW 43.70.056, for the reporting of health care-associated infections for purposes of RCW 43.70.056, a notification of an incident for purposes of RCW 70.56.040(5), or reports regarding adverse events for purposes of RCW 70.56.020(2)(b); or
      V. A manufacturer, as defined in 21 C.F.R. Sec. 820.3(o), when collected, used, or disclosed for purposes specified in chapter 70.02 RCW;
    6. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 and related regulations;
    7. Patient safety work product for purposes of 42 C.F.R. Part 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26;
    8. Information that is both of the following.
      I. Deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164; and
      II. Derived from any of such health care-related information.
  2. Information originating from, and intermingled to be indistinguishable with, information under (1) above that is maintained by the following.
    1. Covered entity or business associate as defined by HIPAA;
    2. Health care facility or health care provider as defined in RCW 70.02.010; or
    3. Program or a qualified service organization as defined by 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;
  3. Information used only for public health activities and purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a limited data set, as defined, and is used, disclosed, and maintained in the manner required, by 45 C.F.R. Sec. 164.514; or
  4. Identifiable data collected, used, or disclosed in accordance with chapter 43.371 RCW or RCW 69.43.165.

Personal information that is governed by and collected, used, or disclosed pursuant to the following regulations, parts, titles, or act, is exempt from the Act.

  • The Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) and implementing regulations;
  • Part C of Title XI of the Social Security Act (42 U.S.C. 1320d et seq.);
  • The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
  • The Family Educational Rights and Privacy Act (20 U.S.C. 1232g; Part 99 of Title 34, C.F.R.);
  • The Washington Health Benefit Exchange and applicable statutes and regulations, including 45 C.F.R. Sec. 155.260 and chapter 43.71 RCW; or
  • Privacy rules adopted by the Office of the Insurance Commissioner pursuant to chapter 48.02 or 48.43 RCW.

The obligations imposed on regulated entities, small businesses, and processors under the Act do not restrict a regulated entity's, small business's, or processor's ability to collect, use, or disclose consumer health data to do the following.

  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law;
  • Preserve the integrity or security of systems; or
  • Investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.

If a regulated entity, small business, or processor processes consumer health data pursuant to the immediately preceding paragraph, such entity bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements thereof.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.