Washington state has passed a new law that requires companies to obtain explicit consent from users before collecting, sharing, or selling their health data. Governor Jay Inslee signed the “My Health, My Data” bill into law on Thursday. The law lets users withdraw consent at any time and have their data deleted. It aims to protect consumers’ health data from companies and organizations not covered by the HIPAA Privacy Rule, which prevents certain medical providers from disclosing identifiable health information without consent.
The HIPAA Privacy Rule does not cover many health apps and sites that collect medical data, which leaves them free to collect this information and sell it to advertisers. The new law in Washington will come into effect in March 2024. It requires medical apps and sites to ask users for permission to collect their health data in a nondeceptive manner, so that users openly communicate freely given, informed, opt-in, voluntary, specific, and unambiguous written consent. The bill also requires apps and sites to disclose the type of data they plan to collect and whether they plan to sell it. In addition, medical providers will be prohibited from using geofencing to collect location information about patients who visit their facilities.
Democratic Representative Vandana Slatter, one of the bill’s advocates, said that “My Health, My Data protects the independence and dignity of individuals when they make healthcare decisions. It prevents vulnerabilities in the technological era that are being used to target and exploit consumers who may not be aware of the vast data that everything from our watches and phones collect.”
As more US states ban access to abortion care, patients in these states are becoming increasingly concerned about authorities accessing their online data when they visit or search for out-of-state abortion clinics. This is why lawmakers are working on bills to increase privacy protections at a national level. Last month, Democrats introduced the Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act, which would prohibit companies from selling private health information, while Congress also held a hearing on the American Data Privacy and Protection Act (ADPPA), which gives users the ability to request the deletion of their data.