Thursday, June 20, 2024
HomeHealth LawWashington State Enacts Landmark Privateness Regulation Geared toward Digital Well being Trade

Washington State Enacts Landmark Privateness Regulation Geared toward Digital Well being Trade

On April 27, 2023, the state of Washington enacted a landmark privateness regulation aimed toward defending the privateness of well being knowledge not coated by HIPAA. This regulation, named the “My Well being My Information Act,” covers a really wide selection of entities, customers, and knowledge. It additionally accommodates a non-public proper of motion. Corporations ought to quickly start evaluating the scope of this regulation and its necessities earlier than it comes into impact March 31, 2024 (for “small companies,” June 30, 2024).

There are lots of nuances and complexities to this regulation that transcend HIPAA or every other current state “complete” privateness regulation. We spotlight a few of the key components under:

  • Applicability. Not like different state client privateness legal guidelines, this regulation accommodates no income or quantity of processing thresholds. The regulation applies to “regulated entities” amassing “client well being knowledge” from “customers.” Every of those key phrases is outlined broadly. Non-governmental entities, together with non-profits, that conduct enterprise in Washington or produce or present services or products focused to Washington customers, and alone or collectively with others, determines the needs and meanings of amassing, processing, sharing, or promoting client well being knowledge are in scope.

“Shoppers” embody Washington residents in addition to any particular person whose well being knowledge is “collected” in Washington (and “accumulate” doesn’t imply “accumulate” within the conventional sense of the phrase). The regulation doesn’t apply to people in an employment context or to worker knowledge. The broad definition of “client well being knowledge” contains even knowledge derived from non-health data that will point out a client’s try and obtain well being companies or provides. There are exceptions for knowledge that’s topic to sure enumerated privateness legal guidelines reminiscent of HIPAA, GLBA, FCRA, FERPA, and current Washington state legal guidelines associated to well being care and insurance coverage. For extra particulars on these key definitions and the scope of the regulation learn our submit right here.

  • Discover. Like different privateness legal guidelines, the regulation requires entities topic to the regulation to have a privateness coverage with sure content material necessities. It stays to be seen whether or not current web site privateness insurance policies can be utilized, or whether or not a separate discover will likely be required.
  • Rights. Whereas the varieties of rights and procedural necessities will likely be usually acquainted to corporations topic to different client privateness legal guidelines, there are particular points that go additional than current US privateness legal guidelines. For instance, the main points that should be supplied in an entry request, and the shortage of typical exceptions to customers’ proper to delete will create burdensome operational challenges. For extra particulars on client rights requests, learn our submit right here.
  • Consent. The regulation requires opt-in consent for any assortment, use, disclosure, or different processing of knowledge past what is important to offer a consumer-requested services or products. There are additionally necessities for “sharing” (although the definition doesn’t observe CCPA’s definition). As well as, there may be an onerous authorization requirement for any “sale” of client well being knowledge. The broad definition of “sale,” coupled with the requirement to have a written and signed authorization for any “gross sales” could affect how corporations interact in focused promoting actions. For extra particulars on the consent necessities, learn our submit right here.
  • Geo-fencing ban. Geo-fencing is to create a digital perimeter for a particular geographic space. The regulation prohibits corporations from utilizing a geofence to determine customers, accumulate client well being knowledge, or ship adverts or notifications based mostly a client’s proximity to in-person well being care companies amenities.

The regulation could also be enforced by a non-public proper of motion, along with enforcement by the Washington Legal professional Normal. This regulation suits a rising development in direction of elevated scrutiny and protections for well being knowledge not coated by HIPAA. (See right here for a dialogue on the FTC’s focus).



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments