Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Back
LinkedIn Created with Sketch. Twitter Created with Sketch.
02 April 2024

Washington: My Health My Data Act comes into effect for regulated entities

ConsentData Subject RightsPrivacy Law ReformHealth and Pharmaceutical

On March 31, 2024, House Bill 1155 establishing the My Health My Data Act came partially into effect for regulated entities, excluding small businesses. The bill was previously passed by the Washington House of Representatives on April 17, 2023, and by the Washington State Senate on April 5, 2023.

As of March 31, 2024, the Act became applicable to any 'regulated entity' that:

  • conducts business or targets consumers in Washington;
  • determines the purpose and means of collecting, processing, sharing, or selling of consumer health data; and
  • does not fall under the category of 'small business' by fulfilling one or both of the following thresholds:
    • collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
    • derives less than 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.

The Act will become applicable to a 'small business' as of June 30, 2024.

In particular, the Act establishes that the regulated entities and small businesses must, among others:

  • maintain a consumer health data privacy policy that clearly and conspicuously discloses, among other things:
    • the categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;
    • the categories of sources from which the consumer health data is collected;
    • the categories of consumer health data that is shared;
    • a list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
    • how a consumer can exercise the rights provided in Section 6 of the Act;
  • not collect or share any consumer health data except with consent from the consumer or to the extent necessary to provide a product or a service requested by the consumer;
  • establish a binding contract with a processor, which includes processing instructions and limits the actions of the processor;
  • not sell any consumer health data without valid authorization from the consumer; and
  • not use a geofence around a facility that provides health care services.

Furthermore, the Act outlines conditions for consent and provides consumer rights, including a right to confirm whether a regulated entity is collecting, sharing, or selling a consumer's health data, as well as the rights of access, to withdraw consent, and of deletion.

You can read the Act here and consult its legislative history here.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.
Feedback