Paubox blog: HIPAA compliant email made easy

Washington state enacts pioneering health data privacy law

Written by Dean Levitt | May 03, 2023

Washington State has passed groundbreaking legislation granting HIPAA-like protection to a broader scope of health data. The landmark bill, signed into law by Governor Jay Inslee, seeks to address privacy concerns in an increasingly data-driven world.

 

Why it matters: 

The new law, HB 1155, known as the My Health My Data Act, is the first in the nation to extend privacy protections to health data not covered under the federal Health Insurance Portability and Accountability Act (HIPAA). The move could pave the way for similar legislation in other states and underscore the importance of privacy in the digital age.

 

What they're saying:

Representative Vandana Slatter said, "As a mother and a pharmacist, I recognize the importance of protecting our health data and access to comprehensive health care. As a woman and a legislator, I am honored to have sponsored the My Health, My Data Act in the House to protect all Washingtonians' health and data privacy in Washington state, including reproductive and gender affirming care."

 

"This law provides Washingtonians control over their personal health data," Attorney General Bob Ferguson said. "Washingtonians deserve the right to decide who shares and sells their health data, and the freedom to demand that corporations delete their sensitive health data — and will now have these protections." 

 

The details: 

The My Health My Data Act expands privacy protections to cover personal health information collected by consumer devices, applications, and wearables not regulated by HIPAA. These include fitness trackers, smartphone health apps, and direct-to-consumer genetic testing services. 

 

House Bill 1155:

  • guarantees Washingtonians the right to withdraw consent and request data deletion
  • restricts geo-fencing around healthcare facilities
  • prohibits collection and sharing of health data without consent
  • requires entities that collect this data to provide consumers with a privacy policy disclosing the use of health data

 

Under the My Health, My Data Act, companies must get explicit consent from a consumer to collect, share or sell the consumer's health data, and they open themselves up to lawsuits if they are non-compliant. Notably, the law applies to Washington-based companies, as well as any entities that have Washingtonians' health data.

 

The big picture: 

As more individuals use digital health tools and services, the amount of personal health data generated is skyrocketing. This new law acknowledges the growing concerns around data privacy and security, particularly for sensitive health information that can be used in ways that may harm individuals, such as discrimination or identity theft.

 

The WHDPA also aims to promote trust in digital health services by giving consumers greater control over their health data and ensuring that companies follow robust privacy and security practices.

 

The other side:

While the new law has been hailed as a major step forward in health data privacy, critics argue it could burden small businesses and startups with increased compliance costs. Some worry that these regulations may stifle innovation in the digital health sector.

 

What to watch: 

The My Health My Data Act is set to take effect on March 31, 2024. In the meantime, companies collecting, processing, or storing personal health information from Washington State residents should begin reviewing and updating their privacy practices to ensure compliance.

 

The bottom line: 

The action by Washington State represents a significant advancement in protecting personal health information beyond what HIPAA currently covers. This new legislation could serve as a model for other states and potentially even federal legislation in the future as the importance of health data privacy continues to grow in the digital era.

 
