Washington is about to enact new legislation that will substantially increase privacy protections for consumer health information in the state and will resolve the existing gap in privacy protections for health information that the Health Insurance Portability and Accountability Act (HIPAA) does not cover.
Representative Vandana Slatter (D-WA) proposed the My Health My Data Act (HB1155). The Act has already passed through the House as well as the Senate with a 27-21 vote. The bill is now back in the House so the Senate amendments can be reviewed. If the bill passes a second vote, it will most likely be signed into law by Washington Governor Jay Inslee.
The My Health, My Data Act seeks to protect the freedom and self-respect of persons whenever they make medical decisions. It guards against the vulnerabilities of a technological age that targets and exploits consumers who are unaware of the huge volume of information that is collected.
Data Protected by the Washington My Health My Data Act
The My Health My Data Act is applicable to health information gathered by non-HIPAA-covered entities, such as mobile and web publishers. The extensive definition of health data employed in this Act includes diagnoses, medical conditions, treatment data, and biometric details, together with other information that will allow the identification of a state resident’s past, present or upcoming physical or mental health.
Health data is defined as any information that relates to the following:
- Patient’s medical condition, treatment, health status, diagnoses or diseases
- social, behavioral, psychological, and medical interventions
- health-associated operations or procedures
- usage or purchase of medicines
- physical functions, vital signs, and symptoms
- diagnoses or diagnostic tests, treatment or medicines
- data on gender-affirming care
- sexual or reproductive health data
- biometric data
- genetic data
- exact location details that can reasonably show a consumer’s effort to get or receive medical services or goods
- data that is taken or extrapolated from non-medical information
The bill protects location information when that information is used for making inferences associated with health. Many companies collect location data, even if the data is not used in relation to health. Location data can provide details about when a person has gone to a hospital, pharmacy, reproductive health clinic, or other medical facility. Any company that gathers location data for targeted marketing purposes is required to follow the My Health My Data Act requirements. The My Health My Data Act is applicable to any entity that conducts business in Washington and collects health data, irrespective of revenue or size.
How Consumer Consent Helps Protect Health Data
If approved, state residents can exercise more control over the collection and use of their health data. Before any company can use health data, it must get a person's consent through an opt-in procedure. There will be restrictions on the use of health data according to the specifics of the consent.
When getting consent, it must be clearly explained to the consumer what they are agreeing to, and consent should be acquired voluntarily. The same consent requirements apply to the sharing of health data. When the collecting company plans to sell the information to a third party, it must get written authorization from the consumer. The entity must state the reason for selling the data when getting consent and the details of the entity or entities buying the data. It must provide the contact information of those entities to the consumer. Consumers can withdraw their authorization, halt any processing of their information, and have that information deleted. Entities should also give a clear privacy policy to consumers and follow a methodology for processing consumer information requests, including requests for data access, withdrawal of permission, and data deletion.
Legal Action on My Health My Data Act Violations
Usually, before privacy legislation is approved, businesses are protected from consumers who take legal action over privacy violations. There are no such restrictions in the My Health My Data Act. Consumers are allowed to take legal action against violators of the My Health My Data Act. As long as a Washington resident can show proof of harm due to a violation of the My Health My Data Act, taking legal action to get damages is allowed under the general consumer protection regulations in the state.
Changes to the American Data Privacy and Protection Act
Last March, the U.S. House of Representatives' Committee on Energy and Commerce conducted its third meeting before releasing a new version of the American Data Privacy and Protection Act (ADPPA). ADPPA is about to become the first all-inclusive federal privacy law in the United States.
Greater privacy protection is needed for people in the U.S. Big tech companies collect large volumes of sensitive information and there is little control over the collection, use, and sharing of consumer data. There is increasing concern about the data collected on minors and its use, the serving of targeted ads to teens and children depending on the personal data gathered by tech companies, and the sheer volume of data that is being accumulated on all U.S. citizens.
Presently, privacy policies are enforced at the state level and can vary from state to state. ADPPA aims to address this by putting limitations on the collection and usage of consumer information at the federal level and changing the present patchwork of state privacy legislation. The Committee on Energy and Commerce approved ADPPA on July 20, 2022, with a 53-2 vote. However, the bill was not approved on the House or Senate floor in the most recent Congress. There is strong support for the bill, but not strong enough in its present form to be signed into law.
On March 1, 2023, a Committee hearing began discussing federal privacy legislation again. Subcommittee Chair Gus Bilirakis (R-FL) and Ranking Member Jan Schakowsky (D-IL) stated there is a great need to pass this federal privacy legislation. There was an agreement among subcommittee members on the need for federal privacy legislation and the answer could well be the ADPPA. However, views differ on what should be included in the privacy legislation. Substantial changes are necessary before signing ADPPA into law.
The Committee conducted one more hearing on March 23, 2023, that looked at immensely popular applications and how Congress could protect American data, deal with data-sharing issues, and keep children safe online. TikTok CEO Shou Zi Chew spoke in front of the Committee for hours but seemed unable to convince the Committee that TikTok was a safe platform and that it was not gathering information and sharing that data with the Chinese government. The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act was proposed in March 2023 particularly to deal with this threat. It would authorize the government to prohibit IT products like TikTok should they pose a risk to national security. Although the Biden Administration supports the RESTRICT Act, it does not tackle domestic data privacy concerns and the present digital system where only a few rules apply to the collection, use, and sharing of consumer data.
A new ADPPA draft is expected soon, as Chair Cathy McMorris Rodgers (R-WA) of the Committee on Energy and Commerce reportedly penned the last few significant changes to the bill. One of the main points is the preemption of state legislation, which backers say is important for small companies that are disproportionately burdened by the present patchwork of state legislation. Nevertheless, progressive states with stricter privacy policies like California would likely have weakened consumer privacy policies because of ADPPA. Since the privacy law sets protections in stone, improving protections later on would be difficult once ADPPA is approved. Nancy Pelosi (D-CA) stated that she would not support ADPPA as it is today for this reason.
It’s still uncertain whether the new version of ADPPA will be signed into law, but the changes are necessary to get ADPPA through Congress and the Senate.