Washington state lawmakers finalized passage of a bill Monday that provides privacy protections for consumer health data.... The legislation has special urgency as many states pass prohibitions against abortion and seek to limit women from obtaining them elsewhere, according to Rep. Vandana Slatter (D-Redmond), the bill’s sponsor who spoke to GeekWire in an earlier interview....
Cher Scarlett, a Seattle-area software engineer and worker’s rights activist who testified in favor of the bill, celebrated its passage. “This is an enormous victory for not only Washington state, but the entire nation,” Scarlett said in an email to GeekWire.
– Washington state lawmakers pass bill to protect privacy of consumer health data, Charlotte Schubert, Geekwire
By a vote of 57–40, the House voted to concur in the Senate amendments to House Bill 1155, prime sponsored by Representative Vandana Slatter...
The Senate’s changes, proposed by [Senator Manka Dhingra’s committee, restored the bill to its originally contemplated scope,1 with a strong private right of action.2 What that means is that if people find the privacy of their health data has been infringed upon, they can go to the courts to seek justice themselves, rather than having to rely on the Attorney General’s office as the sole enforcer of their rights.
– VICTORY! My Health, My Data Act heads to Governor Inslee after House concurrence vote, in Northwest Progressive Institute (NPI)'s Cascadia Advocate
In addition to protecting private health care data not currently covered by HIPAA, ACLU of Washington Technology and Liberty Project Manager Jennifer Lee said the bill "will reduce barriers to abortion and gender-affirming health care access."
– Washington state on track to pass broad-based health data privacy law, Jennifer Bryant, in IAPP Privacy Explorer
Notably, the scope of “consumer health data” covered by the MHMDA is fairly broad, defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” The definition goes on to list examples like prescription medications, diagnoses and health conditions, biometric data, and location information that would indicate a consumer’s attempt to receive health services, among other examples.
– Washington State Legislature Passes Health Data Privacy Law, EPIC Privacy
With a private right of action, broad applicability to businesses2 of all sizes and types, a scope that is broader than its name suggests, and strong consent-based requirements and privacy rights, the Washington My Health My Data Act will be a transformative privacy law for the United States.
– Washington Legislature Passes My Health My Data Act, David Stauss, on Byte Back Law
“Websites, apps and health tracking devices lack the basic protections we’ve come to expect when sharing our personal health data,” Rep. Slatter said. “There is no way to consent or even know about it. We must protect the data of Washingtonians and all who travel here. Without a federal policy, this is where we are and the first in the nation bill we need. I’m glad my colleagues and the attorney general are choosing to rise to the occasion in protecting people’s right to privacy, personal agency and safe medical care.”
"People have a right to keep private health data private,” Sen. Dhingra said. “With the My Health My Data Act, Washington becomes the national leader in informing and obtaining consent from consumers when companies collect, share and sell their health care data. It is crucial that people have the ability to request that their private data be deleted once collected, and this bill allows them to do so.”
– AG Ferguson, Rep. Slatter bill creating health data privacy protections passes Legislature, on atg.wa.gov
Less than three hours after My Health My Data in the home stretch noted that House concurrence was very likely but cautioned "it ain't over 'til it's over", the House did in fact concur on the Senate version of HB 1155. The bill officially went to Gov. Jay Inslee on Wednesday, and he's expected to sign it next week. So (barring any unexpected hiccups or shenanigans4), My Health My Data is about to become law.
Getting any privacy bill through the legislature has been a challenge for years, and My Health My Data breaks new ground over other state privacy legislation in hugely important ways – especially the strong private right of action, which industry had blacked from all privacy laws all across the US for the last 15 years. As Rep. Slatter said in at the beginning of the session, "recent attacks on bodily autonomy and reproductive healthcare have shown us how urgent the need is to protect health data."
WA People's Privacy founder Maya Morales describes the version of My Health My Data the legislature passed as "an excellent start", noting that "data privacy advocates are aware this bill doesn't go far enough for us. But it is a really important step and we're taking that step in Washington state." And given Washington's justifiable reputation as a tech leader, My Health My Data is likely to influence legislation in other states and federally.
Assuming the Governor signs the bill as expected, there's a lot to build on here – and also a lot to analyze, learn from, discuss, and apply. Let's hold those thoughts for now though and take a moment to recognize what's been accomplished.
Congratulations and applause to Rep. Slatter and Sen. Dhingra, the Attorney General's Offic, Senators Trudeau and Kuderer and the rest of the Senate Law & Justice committee, Rep. Shelley Kloba and Rep. April Berg for sponsoring earlier privacy bills My Health My Data builds on, and all the other legislators, legislative assistants, staffers, organizers, advocates, and activists who have spent so much time and energy working to pass strong privacy legislation over the years and in 2023!
1 Not really. As Cher Scarlett pointed out in the Geekwire, nothing that "some of the amendments to the bill weakened its privacy protections compared to the original version." NPI's correct that the Senate bill is stronger than the House bill; Most importantly Chair Dhingra's Senate Law & Justice committee had restored the private right of action, which a House floor amendment from Rep. Amy Walen (D-Bellevue) had stripped. However, the House Civil Rights & Judiciary (CR&J) Committee had previously watered down the original bill's protections significantly. So while Law & Justice made some valuable improvements in addition to restoring the private right of action, the final version of the bill is much closer to the CR&J watered-down substitute than to the original. That said, restoring the strong private right of action was huge! Sen. Trudeau discusses why it matters so much from a consumer protection perspective in the video below.
2 see the video above, the link in the footnote below, and The private right of action, the per se clause and why it matters for more
3 and non-profits, who aren't covered by most other state privacy legislation. Legal Voice's ESHB 1155 overview includes a discussion so-called "crisis pregnancy centers" (CPCs) operated by anti-abortion groups that illustrates the importance of a strong private right of action in regulating entities who aren't currently covered by HIPAA and "often lure people in with promises of free diapers, formulas, and fake ultrasounds."
4 Which are technically still possible – it ain't over 'til it's over! And of course even after Gov. Inslee signs the bill, the biennium still ain't over; the legislative battle will resume next session. Not only that, industry may well file suit to block enforcement (as they just did in California). Still, even though it ain't over, getting My Health My Data through the legislature with a strong private right of action is a huge milestone.