Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities.
By Heather B. Deixler, Clayton Northouse, Austin L. Anderson, Kiara E. Vaughn, and Kathryn Parsons-Reponte
Key Takeaways:
- On April 27, 2023, Washington State enacted the My Health My Data law (My Health My Data Act), a health privacy law that broadly applies to personal information that is or can be linked to a consumer and identifies the consumer’s physical or mental health status.
- On June 16, 2023, Nevada passed a similar law by enacting Senate Bill 370 (Nevada Health Privacy Law).
- Both laws apply to consumer health information not covered under health data privacy laws like the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). However, while Nevada’s law shares similar terminology as Washington State’s law, it is narrower in scope and unlike the Washington State law, it does not include a private cause of action.
- The requirements under both laws include publishing a consumer health data privacy policy, obtaining consent for the collection and sharing of consumers’ health data with prescriptive requirements, and establishing consumer health data rights.
- While both laws will be enforced by the states Attorney General, the Washington State law also provides a private right of action, allowing individuals to directly bring an enforcement action against a business.
- With certain exceptions (see small businesses and the geolocation restriction under My Health My Data), both laws will go into effect on March 31, 2024.
Washington State and Nevada have now passed health data privacy laws that impose obligations relating to the collection, processing, and sharing of “consumer health data.” Both laws (collectively, State Health Data Privacy Laws) go into effect on March 31, 2024, with some exceptions. The Washington State law’s ban on geofencing went into effect on July 23, 2023, and the law also includes a slight delay for small businesses, which are not subject to most of the law’s requirements until June 30, 2024.