Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities.

By Heather B. Deixler, Clayton Northouse, Austin L. Anderson, Kiara E. Vaughn, and Kathryn Parsons-Reponte

Key Takeaways:

  • On April 27, 2023, Washington State enacted the My Health My Data law (My Health My Data Act), a health privacy law that broadly applies to personal information that is or can be linked to a consumer and identifies the consumer’s physical or mental health status.
  • On June 16, 2023, Nevada passed a similar law by enacting Senate Bill 370 (Nevada Health Privacy Law).
  • Both laws apply to consumer health information not covered under health data privacy laws like the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). However, while Nevada’s law shares terminology similar to Washington State’s law, it is narrower in scope and, unlike the Washington State law, it does not include a private cause of action.
  • The requirements under both laws include publishing a consumer health data privacy policy, obtaining consent for the collection and sharing of consumers’ health data with prescriptive requirements, and establishing consumer health data rights.
  • While both laws will be enforced by each state’s Attorney General, the Washington State law also provides a private right of action, allowing individuals to directly bring an enforcement action against a business.
  • With certain exceptions (see small businesses and the geolocation restriction under My Health My Data), both laws will go into effect on March 31, 2024.

Washington State and Nevada have now passed health data privacy laws that impose obligations relating to the collection, processing, and sharing of “consumer health data.” Both laws (collectively, State Health Data Privacy Laws) go into effect on March 31, 2024, with some exceptions. The Washington State law’s ban on geofencing went into effect on July 23, 2023, and the law also includes a slight delay for small businesses, which are not subject to most of the law’s requirements until June 30, 2024.

By Jennifer Archie, Susan Ambler Ebersole, and Kasey Branam

Alleged HIPAA Violations Resulted from Medical Center’s Failure to Risk Assess Internet-Based Document Sharing Application and Inadequate Breach Response

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a settlement in the form of a Resolution Agreement and Corrective Action Plan (CAP) with St. Elizabeth’s Medical Center (SEMC) in July arising out of two alleged security breach incidents in violation of the HIPAA Security Rule. While the settlement amount paid pursuant to the Resolution Agreement was relatively small in comparison to other recent Resolution Agreements announced by OCR, this one is notable for the fact that one of the breaches related to SEMC’s use of an internet-based document sharing application. According to the complaint filed with OCR, SEMC workforce members used an internet-based document sharing application to store documents containing electronic protected health information (ePHI) of at least 498 individuals. However, it appears that this practice and the cloud-based document sharing application itself were not included in SEMC’s risk analysis of “the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information,” as required under HIPAA at 45 C.F.R. § 164.308. OCR determined from its investigation that SEMC not only failed to risk assess the application, but it also failed to timely identify and respond once it became aware of its employees’ practice of storing ePHI on the application, failed to mitigate the harmful effects of the incident, and failed to document the security incident and its outcome.