By Mike Hintze
This is the second in a series of blog posts about the Washington My Health My Data Act. The first part provided a high-level overview of the Act. This part discusses in more detail a key element that determines the scope and impact of the Act – the definition of “consumer health data.” Future posts in the coming days will delve deeply into additional aspects of the Act and the issues it raises.
The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” Because the definition of that term is so key to the Act’s broad scope and impact, no other aspect of the bill was as actively discussed and debated as it made its way through the legislative process.
What Data is Excluded?
Before describing what is included in the definition of “consumer health data,” I’ll first note what is not included.
First, there are exceptions for data subject to certain enumerated privacy laws, most notably HIPAA, GLBA, FCRA, FERPA, and several existing Washington state laws related to health care and insurance. The HIPAA exception is particularly important here, as this covers nearly all health information processed by a HIPAA covered entity (hospitals, clinics, pharmacies, other health care providers, health insurance providers, etc.) or a “business associate” processing the data on behalf of a covered entity. The Act even excludes data that may not be covered by HIPAA, but that originates from and is maintained by a covered entity or business associate which it intermingles with HIPAA-covered data. This exclusion aligns with the stated intent of the Act to protect data that is not protected by HIPAA. But as noted in Part 1 of this blog series, this Act is very different from HIPAA, in many ways being broader and having more onerous requirements. Thus, the Act creates enormous disparities between how personal data must be handled between HIPAA covered entities and every other type of entity.
Second, because “consumer health data” is data about “consumers,” and the definition of “consumer” does not include individuals acting in an employment context, employee and B2B data should be considered out of scope.
Third, within the definition of “consumer health data” itself, there is a narrow exception for data used for certain approved peer-reviewed research in the public interest.
Finally, by virtue of “consumer health data” being limited to “personal information” the exclusions of “deidentified data” and “publicly available” information from the definition of “personal information” also excludes them from “consumer health data.” For data to be considered “deidentified” under the Act, it must meet the following definition:
"Deidentified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer, if the regulated entity or the small business that possesses such data (a) takes reasonable measures to ensure that such data cannot be associated with a consumer; (b) publicly commits to process such data only in a deidentified fashion and not attempt to reidentify such data; and (c) contractually obligates any recipients of such data to satisfy the criteria set forth in this [definition].
For data to be considered “publicly available information” under the Act, it must meet the following definition:
"Publicly available information" means information that (a) is lawfully made available through federal, state, or municipal government records or widely distributed media, and (b) a regulated entity or a small business has a reasonable basis to believe a consumer has lawfully made available to the general public.
The way the “publicly available information” definition is drafted creates some confusion and ambiguity. Normally, the “and” between parts (a) and (b) of the definition would suggest that both (a) and (b) must be satisfied. But that results in a nonsensical reading that would capture little or no actual data. For instance, when information is “is lawfully made available through … government records” it is the government making the data available, not the consumer. So, part (a) is met, but not part (b). If the “and” was intended to require that both prongs be met, the definition would have simply said that the regulated entity must have a reasonable basis to believe that a consumer has lawfully made the information available to the general public though government records or widely distributed media. But it did not, which suggests that the “and” is best interpreted as an “or.” Of course, given the private right of action under this Act, relying on sensible interpretations of ambiguous terms is risky.
Thus, as a result of the additional requirements necessary to consider data to be deidentified (public commitments and contractual restrictions) and the ambiguities around what constitutes publicly available data, these exceptions may in practice be quite narrow as well.
What Data is Included?
As included in the latest version of the Act, passed by the Senate last week, the definition of “consumer health data” is extremely broad and open-ended. It begins with a general definition, as any personal information “that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.”
The definition goes on to enumerate a list of data types that are included within “physical or mental health status.” Although the list is non-exclusive (being preceded by “includes, but is not limited to”), it is critical to helping to understand just how broad this definition is, and so it is worth quoting it in its entirety:
(b) For the purposes of this definition, physical or mental health status includes, but is not limited to:
(i) Individual health conditions, treatment, diseases, or diagnosis;
(ii) Social, psychological, behavioral, and medical interventions;
(iii) Health-related surgeries or procedures;
(iv) Use or purchase of prescribed medication;
(v) Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection (8)(b);
(vi) Diagnoses or diagnostic testing, treatment, or medication;
(vii) Gender-affirming care information;
(viii) Reproductive or sexual health information;
(ix) Biometric data;
(x) Genetic data;
(xi) Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;
(xii) Data that identifies a consumer seeking health care services; or
(xiii) Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described in (b)(i) through (xii) of this subsection that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
Italics and underlining is added in the above to indicate other defined terms within this definition.
Some of the individual items listed in the above-quoted portion of the definition are subject to extremely broad interpretations. “Social … interventions” in undefined but could cover a wide range of everyday social interactions among people. “Bodily functions” certainly includes functions such as digestion, and so could be read expansively to include information about eating a meal at a restaurant.
But perhaps the broadest item is “data that identifies a consumer seeking health care services.” “Health care services” is a defined term and means:
“any service provided to a person to assess, measure, improve, or learn about a person's mental or physical health.”
A search engine is a service that a person could use to “learn about” their health. Similarly, any online or offline research about topics relating to health, wellness, nutrition, or fitness could fall into such a sweeping definition. A gym membership is almost certainly a “service provided to a person to … improve [their] … physical health” Likewise, a store selling running shoes could be seen as offering a service that allows a “person to … improve [their] … physical health.”
In light of these expansive elements of the relevant definitions, it’s clear that the plaintiffs’ bar will have the ammunition to at least put forth arguments that nearly any purchase, nearly any use of media, nearly any activity could identify a consumer’s “health status” and therefore information about any of that could be “consumer health data.”
This conclusion is reinforced by the fact that proponents of the Act repeatedly cited the decade-old incident in which Target inferred a likelihood of pregnancy based on the purchase of items that are not directly related to pregnancy (unscented lotions, cotton balls, vitamins, large handbags, etc.). This focus on inferences is reflected in part (xiii) of the above-quoted definition, which, while confusingly drafted, could be argued that it opens up the definition to even more types of data.
Of course there are a range of counterarguments that this and other aspects of the definition should be read more narrowly and reasonably. But the private right of action creates the incentives for plaintiffs’ attorneys to make the case for expansive readings.
The stunning breath of certain parts of the “consumer health data” definition, the references to inferences and derived data, and the open-ended nature of the enumerated data types (“includes, but is not limited to”), combined with the creativity (and financial incentives) of trial lawyers, means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act.
As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law.
A Final (Personal) Note on The Definition of Consumer Health Data
It is important to acknowledge that two particular categories of health care are specifically called out in the definition of “consumer health data” – “reproductive and sexual health” and “gender-affirming care.” It’s no secret that these are two classes of health care that are under political and legal threat in the United States, in large part flowing from last year’s Supreme Court decision in Dobbs v. Jackson Women's Health Organization overturning the constitutional right to abortion. Other protections related to reproduction, sexuality, and gender have been called into question based in the reasoning in Dobbs and have been undermined or threatened in many U.S. states. This context was clearly and explicitly called out by supporters of this Act as a motivation behind it and was a key factor in propelling it forward.
Let me say unequivocally and without hesitation, I strongly support the right of all people to access these services and the importance of protecting the privacy of those seeking such care. These involve some of the most private decisions that can be made and go to the very core of human dignity and autonomy. To the extent that my analyses of this legislation may be viewed as a critique, that should not be taken in any way as a lack of support for such legislative intent or objectives. On the contrary, my analyses are focused solely on the challenges faced by those entities seeking to comply with its requirements. Those challenges would have been significantly lessened, and much of the business opposition to the legislation surely would have diminished, had the bill been more clearly and squarely focused on the sensitive information related to those types of services. But as described in this post and elsewhere, it is much, much broader than that.
As noted above, in the coming days we will discuss other aspects of the Act and the issues it raises. In the next post, we will look at another element that determines the broad scope and impact the Act: the scope of entities and consumers that it captures.