Who and what data is protected?

The Act protects as 'consumers,' Washington residents and natural persons whose consumer health data is collected in Washington. Consumers are those who act only in an individual or household context and exclude individuals acting in an employment context.

Consumers' health data is protected and means personal information that is linked or reasonably linkable to a consumer and reasonably linkable to past, present, or future health status. The definition includes a non-exhaustive list of examples including location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies and health data that is derived from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning). Personal information does not include publicly available information. Publicly available information does not include any biometric data collected about a consumer by a business without the consumer's consent. Biometric data includes imagery of the face from which an identifier template can be extracted.

Similarly to the California Consumer Privacy Act (CCPA), the Act includes an exemption for deidentified data that only applies if a regulated entity or small business that possesses such data takes reasonable measures to ensure that such data cannot be associated with a consumer, publicly commits to process such data only in a deidentified fashion and not attempt to reidentify such data, and contractually obligates any recipient to do the same. Other exemptions include an exemption for public or peer-reviewed research and exemptions for processing covered by existing health privacy laws including the Health Insurance Portability and Accountability Act (HIPAA).

Who must comply?

Certain obligations apply to 'any person.' 'Person' shall include, where applicable, natural persons, corporations, trusts, unincorporated associations, and partnerships. 'Person' does not include government agencies, tribal nations, or contracted services providers when processing consumer health data on behalf of a government agency.

However, most obligations apply to 'regulated entities' and 'small businesses,' which is a particular kind of regulated entity that gets three more months to get into compliance.

A regulated entity means any legal entity that:

• conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
• alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.

'Regulated entity' does not mean government agencies, tribal nations, or contracted services providers when processing consumer health data on behalf of the government agency.

A 'small business' means a regulated entity that satisfies one or both of the following thresholds:

• collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
• derives less than 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers. In the below, 'regulated entities' refers also to small businesses.

'Processors' to regulated entities must assist the regulated entity with technical and organizational measures and only process consumer health data in a manner consistent with the binding instructions set forth in a contract with the regulated entity. 'Processor' means a person that processes consumer health data on behalf of a regulated entity.

How to comply?

Obtain consent or document why collection or sharing of consumer health data is necessary

Collecting and sharing consumer health data is prohibited unless: (i) a consumer gives prior consent; or (ii) collecting or sharing the data is necessary to provide a product or service the consumer has requested from the regulated entity. If relying on consent, the regulated entity must obtain one consent for collection and one consent for sharing. The request for consent must disclose the categories of data collected or shared, the purpose of the collection or sharing, the categories of entities with whom the data is shared, and how the consumer can withdraw consent.

Include new disclosures in your website privacy policy or create a new dedicated policy

Regulated entities shall maintain a consumer health data privacy policy on their homepage that includes enumerated information such as the categories of consumer health data collected, processing purposes, the categories of consumer health data that is shared, how a consumer can exercise data subject rights, and a list of the categories of third parties and specific affiliates with whom the regulated entity shares the consumer health data. Collecting, using, or sharing additional categories of consumer health data, not disclosed in the consumer health privacy policy, requires prior affirmative consumer consent.

Don't sell consumer health data without signed authorization

It is unlawful for any person to sell, or offer to sell, consumer health data without first obtaining valid signed authorization, which must include prescribed information such as the purpose for the sale and a one-year expiration date of the authorization, from the consumer¹. The authorization to sell must be separate and distinct from the consent obtained to collect or share consumer health data. Selling means the exchange of consumer health data for monetary or other valuable consideration. Selling does not include an exchange with a third party as an asset in a merger or other similar transaction, or by a regulated entity to a processor when such exchange is consistent with the purpose for which the consumer health data was collected and disclosed to the consumer.

Don't implement a geofence around healthcare facilities

It is unlawful for any person to implement a geofence to identify, track, collect data from, or send notifications, messages, or advertisements related to a consumer's health data to a consumer that enters any entity that provides in-person health care services. Geofence means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location. The geofence prohibition goes into effect 90 days after the Act's passage.

Honor authenticated data subject requests

Consumers have a right to confirm if a regulated entity is collecting, sharing, or selling consumer health data concerning the consumer and to access such data including a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact these third parties, the right to withdraw consent, and the right to have consumer health data concerning the consumer deleted. A regulated entity that receives a consumer's request to delete shall delete the data and notify all affiliates, processors, contractors, and other third parties of the request. All affiliates, processors, contractors, and other third parties shall honor the deletion request. A regulated entity shall respond to the consumer without undue delay, but in all cases within 45 days of receipt. The period for a substantive response may be extended by an additional 45 days when reasonably necessary. A regulated entity shall establish an appeals process for consumers to appeal the entity's refusal to take action on a request. Such an appeals process must be conspicuously available. If the appeal is denied, the regulated entity shall also provide the consumer with an online mechanism, if available, or other methods through which the consumer may contact the Attorney General to submit a complaint.

Sign contracts with processors/service providers

Processors may process consumer health data only pursuant to a binding contract between the processor and the regulated entity that sets forth the processing instructions and limits the actions the processor may take. If a processor fails to adhere to the regulated entity's instructions or processes consumer health data in a manner that is outside the scope of the processor's contract with the regulated entity, the processor is considered a regulated entity.

Implement security measures

Regulated entities shall implement technical and organizational measures that satisfy reasonable standards of care with the regulated entity's industry and restrict access to consumer health data to those with a need to know.

Don't discriminate

A regulated entity may not unlawfully discriminate against a consumer for exercising any rights under the Act.

Outlook

The Act imposes challenging compliance burdens on businesses that need to determine if they can leverage compliance with existing privacy laws. The Act will be enforceable both by the Washington Attorney General's Office and through a private right of action.

Helena Engfeldt Partner
[email protected]
Baker & McKenzie LLP

1. The prescriptive authorization requirements are similar, but not identical, to authorization requirements in California's Confidentiality of Medical Information Act.