Chapter 19.373 RCW WASHINGTON MY HEALTH MY DATA ACT

Sections
19.373.005 Finding—Intent—2023 c 191.
19.373.010 Definitions.
19.373.020 Consumer health data privacy policy.
19.373.030 Collection or sharing of consumer health data.
19.373.040 Consumer rights and requests—Refusal—Appeal.
19.373.050 Data security practices.
19.373.060 Processors.
19.373.070 Valid authorization to sell—Defects—Provision to consumer.
19.373.080 Geofence restrictions.
19.373.090 Application of consumer protection act.
19.373.100 Exemptions.
19.373.900 Short title.
RCW 19.373.005 Finding—Intent—2023 c 191. (1) The legislature
finds that the people of Washington regard their privacy as a
fundamental right and an essential element of their individual
freedom. Washington's Constitution explicitly provides the right to
privacy. Fundamental privacy rights have long been and continue to be
integral to protecting Washingtonians and to safeguarding our
democratic republic.

(2) Information related to an individual's health conditions or
attempts to obtain health care services is among the most personal and
sensitive categories of data collected. Washingtonians expect that
their health data is protected under laws like the health information
portability and accountability act (HIPAA). However, HIPAA only covers
health data collected by specific health care entities, including most
health care providers. Health data collected by noncovered entities,
including certain apps and websites, are not afforded the same
protections. Chapter 191, Laws of 2023 works to close the gap between
consumer knowledge and industry practice by providing stronger privacy
protections for all Washington consumers' health data.

(3) With chapter 191, Laws of 2023, the legislature intends to
provide heightened protections for Washingtonian's health data by:
Requiring additional disclosures and consumer consent regarding the
collection, sharing, and use of such information; empowering consumers
with the right to have their health data deleted; prohibiting the
selling of consumer health data without valid authorization signed by
the consumer; and making it unlawful to utilize a geofence around a
facility that provides health care services. [2023 c 191 s 2.]

View the WA My Health My Data Act on the WA.gov website or continue reading the legislation below:

RCW 19.373.010 Definitions. The definitions in this section
apply throughout this chapter unless the context clearly requires
otherwise.

(1) "Abortion" means the termination of a pregnancy for purposes
other than producing a live birth.
(2) "Affiliate" means a legal entity that shares common branding
with another legal entity and controls, is controlled by, or is under
common control with another legal entity. For the purposes of this
definition, "control" or "controlled" means:
(a) Ownership of, or the power to vote, more than 50 percent of
the outstanding shares of any class of voting security of a company;
(b) Control in any manner over the election of a majority of the
directors or of individuals exercising similar functions; or
(c) The power to exercise controlling influence over the
management of a company.
(3) "Authenticate" means to use reasonable means to determine
that a request to exercise any of the rights afforded in this chapter
is being made by, or on behalf of, the consumer who is entitled to
exercise such consumer rights with respect to the consumer health data
at issue.
(4) "Biometric data" means data that is generated from the
measurement or technological processing of an individual's
physiological, biological, or behavioral characteristics and that
identifies a consumer, whether individually or in combination with
other data. Biometric data includes, but is not limited to:
(a) Imagery of the iris, retina, fingerprint, face, hand, palm,
vein patterns, and voice recordings, from which an identifier template
can be extracted; or
(b) Keystroke patterns or rhythms and gait patterns or rhythms
that contain identifying information.
(5) "Collect" means to buy, rent, access, retain, receive,
acquire, infer, derive, or otherwise process consumer health data in
any manner.
(6)(a) "Consent" means a clear affirmative act that signifies a
consumer's freely given, specific, informed, opt-in, voluntary, and
unambiguous agreement, which may include written consent provided by
electronic means.
(b) "Consent" may not be obtained by:
(i) A consumer's acceptance of a general or broad terms of use
agreement or a similar document that contains descriptions of personal
data processing along with other unrelated information;
(ii) A consumer hovering over, muting, pausing, or closing a
given piece of content; or
(iii) A consumer's agreement obtained through the use of
deceptive designs.
(7) "Consumer" means (a) a natural person who is a Washington
resident; or (b) a natural person whose consumer health data is
collected in Washington. "Consumer" means a natural person who acts
only in an individual or household context, however identified,
including by any unique identifier. "Consumer" does not include an
individual acting in an employment context.
(8)(a) "Consumer health data" means personal information that is
linked or reasonably linkable to a consumer and that identifies the
consumer's past, present, or future physical or mental health status.
(b) For the purposes of this definition, physical or mental
health status includes, but is not limited to:
(i) Individual health conditions, treatment, diseases, or
diagnosis;
(ii) Social, psychological, behavioral, and medical
interventions;
(iii) Health-related surgeries or procedures;
(iv) Use or purchase of prescribed medication;
(v) Bodily functions, vital signs, symptoms, or measurements of
the information described in this subsection (8)(b);
(vi) Diagnoses or diagnostic testing, treatment, or medication;
(vii) Gender-affirming care information;
(viii) Reproductive or sexual health information;
(ix) Biometric data;
(x) Genetic data;
(xi) Precise location information that could reasonably indicate
a consumer's attempt to acquire or receive health services or
supplies;
(xii) Data that identifies a consumer seeking health care
services; or
(xiii) Any information that a regulated entity or a small
business, or their respective processor, processes to associate or
identify a consumer with the data described in (b)(i) through (xii) of
this subsection that is derived or extrapolated from nonhealth
information (such as proxy, derivative, inferred, or emergent data by
any means, including algorithms or machine learning).
(c) "Consumer health data" does not include personal information
that is used to engage in public or peer-reviewed scientific,
historical, or statistical research in the public interest that
adheres to all other applicable ethics and privacy laws and is
approved, monitored, and governed by an institutional review board,
human subjects research ethics review board, or a similar independent
oversight entity that determines that the regulated entity or the
small business has implemented reasonable safeguards to mitigate
privacy risks associated with research, including any risks associated
with reidentification.
(9) "Deceptive design" means a user interface designed or
manipulated with the effect of subverting or impairing user autonomy,
decision making, or choice.
(10) "Deidentified data" means data that cannot reasonably be
used to infer information about, or otherwise be linked to, an
identified or identifiable consumer, or a device linked to such
consumer, if the regulated entity or the small business that possesses
such data (a) takes reasonable measures to ensure that such data
cannot be associated with a consumer; (b) publicly commits to process
such data only in a deidentified fashion and not attempt to reidentify
such data; and (c) contractually obligates any recipients of such data
to satisfy the criteria set forth in this subsection (10).
(11) "Gender-affirming care information" means personal
information relating to seeking or obtaining past, present, or future
gender-affirming care services. "Gender-affirming care information"
includes, but is not limited to:
(a) Precise location information that could reasonably indicate a
consumer's attempt to acquire or receive gender-affirming care
services;
(b) Efforts to research or obtain gender-affirming care services;
or
(c) Any gender-affirming care information that is derived,
extrapolated, or inferred, including from nonhealth information, such
as proxy, derivative, inferred, emergent, or algorithmic data.
(12) "Gender-affirming care services" means health services or
products that support and affirm an individual's gender identity
including, but not limited to, social, psychological, behavioral,
cosmetic, medical, or surgical interventions. "Gender-affirming care
services" includes, but is not limited to, treatments for gender
dysphoria, gender-affirming hormone therapy, and gender-affirming
surgical procedures.
(13) "Genetic data" means any data, regardless of its format,
that concerns a consumer's genetic characteristics. "Genetic data"
includes, but is not limited to:
(a) Raw sequence data that result from the sequencing of a
consumer's complete extracted deoxyribonucleic acid (DNA) or a portion
of the extracted DNA;
(b) Genotypic and phenotypic information that results from
analyzing the raw sequence data; and
(c) Self-reported health data that a consumer submits to a
regulated entity or a small business and that is analyzed in
connection with consumer's raw sequence data.
(14) "Geofence" means technology that uses global positioning
coordinates, cell tower connectivity, cellular data, radio frequency
identification, Wifi data, and/or any other form of spatial or
location detection to establish a virtual boundary around a specific
physical location, or to locate a consumer within a virtual boundary.
For purposes of this definition, "geofence" means a virtual boundary
that is 2,000 feet or less from the perimeter of the physical
location.
(15) "Health care services" means any service provided to a
person to assess, measure, improve, or learn about a person's mental
or physical health, including but not limited to:
(a) Individual health conditions, status, diseases, or diagnoses;
(b) Social, psychological, behavioral, and medical interventions;
(c) Health-related surgeries or procedures;
(d) Use or purchase of medication;
(e) Bodily functions, vital signs, symptoms, or measurements of
the information described in this subsection;
(f) Diagnoses or diagnostic testing, treatment, or medication;
(g) Reproductive health care services; or
(h) Gender-affirming care services.
(16) "Homepage" means the introductory page of an internet
website and any internet webpage where personal information is
collected. In the case of an online service, such as a mobile
application, homepage means the application's platform page or
download page, and a link within the application, such as from the
application configuration, "about," "information," or settings page.
(17) "Person" means, where applicable, natural persons,
corporations, trusts, unincorporated associations, and partnerships.
"Person" does not include government agencies, tribal nations, or
contracted service providers when processing consumer health data on
behalf of a government agency.
(18)(a) "Personal information" means information that identifies
or is reasonably capable of being associated or linked, directly or
indirectly, with a particular consumer. "Personal information"
includes, but is not limited to, data associated with a persistent
unique identifier, such as a cookie ID, an IP address, a device
identifier, or any other form of persistent unique identifier.
(b) "Personal information" does not include publicly available
information.
(c) "Personal information" does not include deidentified data.
(19) "Precise location information" means information derived
from technology including, but not limited to, global positioning
system level latitude and longitude coordinates or other mechanisms,
that directly identifies the specific location of an individual with
precision and accuracy within a radius of 1,750 feet. "Precise
location information" does not include the content of communications,
or any data generated by or connected to advanced utility metering
infrastructure systems or equipment for use by a utility.
(20) "Process" or "processing" means any operation or set of
operations performed on consumer health data.
(21) "Processor" means a person that processes consumer health
data on behalf of a regulated entity or a small business.
(22) "Publicly available information" means information that (a)
is lawfully made available through federal, state, or municipal
government records or widely distributed media, and (b) a regulated
entity or a small business has a reasonable basis to believe a
consumer has lawfully made available to the general public. "Publicly
available information" does not include any biometric data collected
about a consumer by a business without the consumer's consent.
(23) "Regulated entity" means any legal entity that: (a) Conducts
business in Washington, or produces or provides products or services
that are targeted to consumers in Washington; and (b) alone or jointly
with others, determines the purpose and means of collecting,
processing, sharing, or selling of consumer health data. "Regulated
entity" does not mean government agencies, tribal nations, or
contracted service providers when processing consumer health data on
behalf of the government agency.
(24) "Reproductive or sexual health information" means personal
information relating to seeking or obtaining past, present, or future
reproductive or sexual health services. "Reproductive or sexual health
information" includes, but is not limited to:
(a) Precise location information that could reasonably indicate a
consumer's attempt to acquire or receive reproductive or sexual health
services;
(b) Efforts to research or obtain reproductive or sexual health
services; or
(c) Any reproductive or sexual health information that is
derived, extrapolated, or inferred, including from nonhealth
information (such as proxy, derivative, inferred, emergent, or
algorithmic data).
(25) "Reproductive or sexual health services" means health
services or products that support or relate to a consumer's
reproductive system or sexual well-being, including but not limited
to:
(a) Individual health conditions, status, diseases, or diagnoses;
(b) Social, psychological, behavioral, and medical interventions;
(c) Health-related surgeries or procedures including, but not
limited to, abortions;
(d) Use or purchase of medication including, but not limited to,
medications for the purposes of abortion;
(e) Bodily functions, vital signs, symptoms, or measurements of
the information described in this subsection;
(f) Diagnoses or diagnostic testing, treatment, or medication;
and
(g) Medical or nonmedical services related to and provided in
conjunction with an abortion, including but not limited to associated
diagnostics, counseling, supplies, and follow-up services.
(26)(a) "Sell" or "sale" means the exchange of consumer health
data for monetary or other valuable consideration.
(b) "Sell" or "sale" does not include the exchange of consumer
health data for monetary or other valuable consideration:
(i) To a third party as an asset that is part of a merger,
acquisition, bankruptcy, or other transaction in which the third party
Certified on 7/12/2024
Combined Chapter 19.373 RCW
Page 5
assumes control of all or part of the regulated entity's or the small
business's assets that complies with the requirements and obligations
in this chapter; or
(ii) By a regulated entity or a small business to a processor
when such exchange is consistent with the purpose for which the
consumer health data was collected and disclosed to the consumer.
(27)(a) "Share" or "sharing" means to release, disclose,
disseminate, divulge, make available, provide access to, license, or
otherwise communicate orally, in writing, or by electronic or other
means, consumer health data by a regulated entity or a small business
to a third party or affiliate.
(b) The term "share" or "sharing" does not include:
(i) The disclosure of consumer health data by a regulated entity
or a small business to a processor when such sharing is to provide
goods or services in a manner consistent with the purpose for which
the consumer health data was collected and disclosed to the consumer;
(ii) The disclosure of consumer health data to a third party with
whom the consumer has a direct relationship when: (A) The disclosure
is for purposes of providing a product or service requested by the
consumer; (B) the regulated entity or the small business maintains
control and ownership of the data; and (C) the third party uses the
consumer health data only at direction from the regulated entity or
the small business and consistent with the purpose for which it was
collected and consented to by the consumer; or
(iii) The disclosure or transfer of personal data to a third
party as an asset that is part of a merger, acquisition, bankruptcy,
or other transaction in which the third party assumes control of all
or part of the regulated entity's or the small business's assets and
complies with the requirements and obligations in this chapter.
(28) "Small business" means a regulated entity that satisfies one
or both of the following thresholds:
(a) Collects, processes, sells, or shares consumer health data of
fewer than 100,000 consumers during a calendar year; or
(b) Derives less than 50 percent of gross revenue from the
collection, processing, selling, or sharing of consumer health data,
and controls, processes, sells, or shares consumer health data of
fewer than 25,000 consumers.
(29) "Third party" means an entity other than a consumer,
regulated entity, processor, small business, or affiliate of the
regulated entity or the small business. [2023 c 191 s 3.]

RCW 19.373.020 Consumer health data privacy policy. (1)(a)
Except as provided in subsection (2) of this section, beginning March
31, 2024, a regulated entity and a small business shall maintain a
consumer health data privacy policy that clearly and conspicuously
discloses:
(i) The categories of consumer health data collected and the
purpose for which the data is collected, including how the data will
be used;
(ii) The categories of sources from which the consumer health
data is collected;
(iii) The categories of consumer health data that is shared;
(iv) A list of the categories of third parties and specific
affiliates with whom the regulated entity or the small business shares
the consumer health data; and
(v) How a consumer can exercise the rights provided in RCW
19.373.040.
(b) A regulated entity and a small business shall prominently
publish a link to its consumer health data privacy policy on its
homepage.
(c) A regulated entity or a small business may not collect, use,
or share additional categories of consumer health data not disclosed
in the consumer health data privacy policy without first disclosing
the additional categories and obtaining the consumer's affirmative
consent prior to the collection, use, or sharing of such consumer
health data.
(d) A regulated entity or a small business may not collect, use,
or share consumer health data for additional purposes not disclosed in
the consumer health data privacy policy without first disclosing the
additional purposes and obtaining the consumer's affirmative consent
prior to the collection, use, or sharing of such consumer health data.
(e) It is a violation of this chapter for a regulated entity or a
small business to contract with a processor to process consumer health
data in a manner that is inconsistent with the regulated entity's or
the small business's consumer health data privacy policy.
(2) A small business must comply with this section beginning June
30, 2024. [2023 c 191 s 4.]

RCW 19.373.030 Collection or sharing of consumer health data.
(1)(a) Except as provided in subsection (2) of this section, beginning
March 31, 2024, a regulated entity or a small business may not collect
any consumer health data except:
(i) With consent from the consumer for such collection for a
specified purpose; or
(ii) To the extent necessary to provide a product or service that
the consumer to whom such consumer health data relates has requested
from such regulated entity or small business.
(b) A regulated entity or a small business may not share any
consumer health data except:
(i) With consent from the consumer for such sharing that is
separate and distinct from the consent obtained to collect consumer
health data; or
(ii) To the extent necessary to provide a product or service that
the consumer to whom such consumer health data relates has requested
from such regulated entity or small business.
(c) Consent required under this section must be obtained prior to
the collection or sharing, as applicable, of any consumer health data,
and the request for consent must clearly and conspicuously disclose:
(i) The categories of consumer health data collected or shared; (ii)
the purpose of the collection or sharing of the consumer health data,
including the specific ways in which it will be used; (iii) the
categories of entities with whom the consumer health data is shared;
and (iv) how the consumer can withdraw consent from future collection
or sharing of the consumer's health data.
(d) A regulated entity or a small business may not unlawfully
discriminate against a consumer for exercising any rights included in
this chapter.
(2) A small business must comply with this section beginning June
30, 2024. [2023 c 191 s 5.]

RCW 19.373.040 Consumer rights and requests—Refusal—Appeal.
(1)(a) Except as provided in subsection (2) of this section, beginning
March 31, 2024, a consumer has the right to confirm whether a
regulated entity or a small business is collecting, sharing, or
selling consumer health data concerning the consumer and to access
such data, including a list of all third parties and affiliates with
whom the regulated entity or the small business has shared or sold the
consumer health data and an active email address or other online
mechanism that the consumer may use to contact these third parties.
(b) A consumer has the right to withdraw consent from the
regulated entity's or the small business's collection and sharing of
consumer health data concerning the consumer.
(c) A consumer has the right to have consumer health data
concerning the consumer deleted and may exercise that right by
informing the regulated entity or the small business of the consumer's
request for deletion.
(i) A regulated entity or a small business that receives a
consumer's request to delete any consumer health data concerning the
consumer shall:
(A) Delete the consumer health data from its records, including
from all parts of the regulated entity's or the small business's
network, including archived or backup systems pursuant to (c)(iii) of
this subsection; and
(B) Notify all affiliates, processors, contractors, and other
third parties with whom the regulated entity or the small business has
shared consumer health data of the deletion request.
(ii) All affiliates, processors, contractors, and other third
parties that receive notice of a consumer's deletion request shall
honor the consumer's deletion request and delete the consumer health
data from its records, subject to the same requirements of this
chapter.
(iii) If consumer health data that a consumer requests to be
deleted is stored on archived or backup systems, then the request for
deletion may be delayed to enable restoration of the archived or
backup systems and such delay may not exceed six months from
authenticating the deletion request.
(d) A consumer may exercise the rights set forth in this chapter
by submitting a request, at any time, to a regulated entity or a small
business. Such a request may be made by a secure and reliable means
established by the regulated entity or the small business and
described in its consumer health data privacy policy. The method must
take into account the ways in which consumers normally interact with
the regulated entity or the small business, the need for secure and
reliable communication of such requests, and the ability of the
regulated entity or the small business to authenticate the identity of
the consumer making the request. A regulated entity or a small
business may not require a consumer to create a new account in order
to exercise consumer rights pursuant to this chapter but may require a
consumer to use an existing account.
(e) If a regulated entity or a small business is unable to
authenticate the request using commercially reasonable efforts, the
regulated entity or the small business is not required to comply with
a request to initiate an action under this section and may request
that the consumer provide additional information reasonably necessary
to authenticate the consumer and the consumer's request.
(f) Information provided in response to a consumer request must
be provided by a regulated entity and a small business free of charge,
up to twice annually per consumer. If requests from a consumer are
manifestly unfounded, excessive, or repetitive, the regulated entity
or the small business may charge the consumer a reasonable fee to
cover the administrative costs of complying with the request or
decline to act on the request. The regulated entity and the small
business bear the burden of demonstrating the manifestly unfounded,
excessive, or repetitive nature of the request.
(g) A regulated entity and a small business shall comply with the
consumer's requests under subsection (1)(a) through (c) of this
section [(a) through (c) of this subsection] without undue delay, but
in all cases within 45 days of receipt of the request submitted
pursuant to the methods described in this section. A regulated entity
and a small business must promptly take steps to authenticate a
consumer request but this does not extend the regulated entity's and
the small business's duty to comply with the consumer's request within
45 days of receipt of the consumer's request. The response period may
be extended once by 45 additional days when reasonably necessary,
taking into account the complexity and number of the consumer's
requests, so long as the regulated entity or the small business
informs the consumer of any such extension within the initial 45-day
response period, together with the reason for the extension.
(h) A regulated entity and a small business shall establish a
process for a consumer to appeal the regulated entity's or the small
business's refusal to take action on a request within a reasonable
period of time after the consumer's receipt of the decision. The
appeal process must be conspicuously available and similar to the
process for submitting requests to initiate action pursuant to this
section. Within 45 days of receipt of an appeal, a regulated entity or
a small business shall inform the consumer in writing of any action
taken or not taken in response to the appeal, including a written
explanation of the reasons for the decisions. If the appeal is denied,
the regulated entity or the small business shall also provide the
consumer with an online mechanism, if available, or other method
through which the consumer may contact the attorney general to submit
a complaint.
(2) A small business must comply with this section beginning June
30, 2024. [2023 c 191 s 6.]

RCW 19.373.050 Data security practices. (1) Except as provided
in subsection (2) of this section, beginning March 31, 2024, a
regulated entity and a small business shall:
(a) Restrict access to consumer health data by the employees,
processors, and contractors of such regulated entity or small business
to only those employees, processors, and contractors for which access
is necessary to further the purposes for which the consumer provided
consent or where necessary to provide a product or service that the
consumer to whom such consumer health data relates has requested from
such regulated entity or small business; and
(b) Establish, implement, and maintain administrative, technical,
and physical data security practices that, at a minimum, satisfy
reasonable standard of care within the regulated entity's or the small
business's industry to protect the confidentiality, integrity, and
accessibility of consumer health data appropriate to the volume and
nature of the consumer health data at issue.
(2) A small business must comply with this section beginning June
30, 2024. [2023 c 191 s 7.]

RCW 19.373.060 Processors. (1)(a)(i) Except as provided in
subsection (2) of this section, beginning March 31, 2024, a processor
may process consumer health data only pursuant to a binding contract
between the processor and the regulated entity or the small business
that sets forth the processing instructions and limit the actions the
processor may take with respect to the consumer health data it
processes on behalf of the regulated entity or the small business.
(ii) A processor may process consumer health data only in a
manner that is consistent with the binding instructions set forth in
the contract with the regulated entity or the small business.
(b) A processor shall assist the regulated entity or the small
business by appropriate technical and organizational measures, insofar
as this is possible, in fulfilling the regulated entity's and the
small business's obligations under this chapter.
(c) If a processor fails to adhere to the regulated entity's or
the small business's instructions or processes consumer health data in
a manner that is outside the scope of the processor's contract with
the regulated entity or the small business, the processor is
considered a regulated entity or a small business with regard to such
data and is subject to all the requirements of this chapter with
regard to such data.
(2) A small business must comply with this section beginning June
30, 2024. [2023 c 191 s 8.]

RCW 19.373.070 Valid authorization to sell—Defects—Provision to
consumer. (1) Except as provided in subsection (6) of this section,
beginning March 31, 2024, it is unlawful for any person to sell or
offer to sell consumer health data concerning a consumer without first
obtaining valid authorization from the consumer. The sale of consumer
health data must be consistent with the valid authorization signed by
the consumer. This authorization must be separate and distinct from
the consent obtained to collect or share consumer health data, as
required under RCW 19.373.030.
(2) A valid authorization to sell consumer health data is a
document consistent with this section and must be written in plain
language. The valid authorization to sell consumer health data must
contain the following:
(a) The specific consumer health data concerning the consumer
that the person intends to sell;
(b) The name and contact information of the person collecting and
selling the consumer health data;
(c) The name and contact information of the person purchasing the
consumer health data from the seller identified in (b) of this
subsection;
(d) A description of the purpose for the sale, including how the
consumer health data will be gathered and how it will be used by the
purchaser identified in (c) of this subsection when sold;
(e) A statement that the provision of goods or services may not
be conditioned on the consumer signing the valid authorization;
(f) A statement that the consumer has a right to revoke the valid
authorization at any time and a description on how to submit a
revocation of the valid authorization;
(g) A statement that the consumer health data sold pursuant to
the valid authorization may be subject to redisclosure by the
purchaser and may no longer be protected by this section;
(h) An expiration date for the valid authorization that expires
one year from when the consumer signs the valid authorization; and
(i) The signature of the consumer and date.
(3) An authorization is not valid if the document has any of the
following defects:
(a) The expiration date has passed;
(b) The authorization does not contain all the information
required under this section;
(c) The authorization has been revoked by the consumer;
(d) The authorization has been combined with other documents to
create a compound authorization; or
(e) The provision of goods or services is conditioned on the
consumer signing the authorization.
(4) A copy of the signed valid authorization must be provided to
the consumer.
(5) The seller and purchaser of consumer health data must retain
a copy of all valid authorizations for sale of consumer health data
for six years from the date of its signature or the date when it was
last in effect, whichever is later.
(6) A small business must comply with this section beginning June
30, 2024. [2023 c 191 s 9.]
RCW 19.373.080 Geofence restrictions. It is unlawful for any
person to implement a geofence around an entity that provides in
person health care services where such geofence is used to: (1)
Identify or track consumers seeking health care services; (2) collect
consumer health data from consumers; or (3) send notifications,
messages, or advertisements to consumers related to their consumer
health data or health care services. [2023 c 191 s 10.]
RCW 19.373.090 Application of consumer protection act. The
legislature finds that the practices covered by this chapter are
matters vitally affecting the public interest for the purpose of
applying the consumer protection act, chapter 19.86 RCW. A violation
of this chapter is not reasonable in relation to the development and
preservation of business, and is an unfair or deceptive act in trade
or commerce and an unfair method of competition for the purpose of
applying the consumer protection act, chapter 19.86 RCW. [2023 c 191
s 11.]
RCW 19.373.100 Exemptions. (1) This chapter does not apply to:
(a) Information that meets the definition of:
(i) Protected health information for purposes of the federal
health insurance portability and accountability act of 1996 and
related regulations;
(ii) Health care information collected, used, or disclosed in
accordance with chapter 70.02 RCW;
(iii) Patient identifying information collected, used, or
disclosed in accordance with 42 C.F.R. Part 2, established pursuant to
42 U.S.C. Sec. 290dd-2;
(iv) Identifiable private information for purposes of the federal
policy for the protection of human subjects, 45 C.F.R. Part 46;
identifiable private information that is otherwise information
collected as part of human subjects research pursuant to the good
clinical practice guidelines issued by the international council for
harmonization; the protection of human subjects under 21 C.F.R. Parts
50 and 56; or personal data used or shared in research conducted in
accordance with one or more of the requirements set forth in this
subsection;
(v) Information and documents created specifically for, and
collected and maintained by:
(A) A quality improvement committee for purposes of RCW
43.70.510, 70.230.080, or 70.41.200;
(B) A peer review committee for purposes of RCW 4.24.250;
(C) A quality assurance committee for purposes of RCW 74.42.640
or 18.20.390;
(D) A hospital, as defined in RCW 43.70.056, for reporting of
health care-associated infections for purposes of RCW 43.70.056, a
notification of an incident for purposes of RCW 70.56.040(5), or
reports regarding adverse events for purposes of RCW 70.56.020(2)(b);
or
(E) A manufacturer, as defined in 21 C.F.R. Sec. 820.3(o), when
collected, used, or disclosed for purposes specified in chapter 70.02
RCW;
(vi) Information and documents created for purposes of the
federal health care quality improvement act of 1986, and related
regulations;
(vii) Patient safety work product for purposes of 42 C.F.R. Part
3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26;
(viii) Information that is (A) deidentified in accordance with
the requirements for deidentification set forth in 45 C.F.R. Part 164,
and (B) derived from any of the health care-related information listed
in this subsection (1)(a)(viii);
(b) Information originating from, and intermingled to be
indistinguishable with, information under (a) of this subsection that
is maintained by:
(i) A covered entity or business associate as defined by the
health insurance portability and accountability act of 1996 and
related regulations;
(ii) A health care facility or health care provider as defined in
RCW 70.02.010; or
(iii) A program or a qualified service organization as defined by
42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;
(c) Information used only for public health activities and
purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a
limited data set, as defined, and is used, disclosed, and maintained
in the manner required, by 45 C.F.R. Sec. 164.514; or
(d) Identifiable data collected, used, or disclosed in accordance
with chapter 43.371 RCW or RCW 69.43.165.
(2) Personal information that is governed by and collected, used,
or disclosed pursuant to the following regulations, parts, titles, or
acts, is exempt from this chapter: (a) The Gramm-Leach-Bliley act (15
U.S.C. 6801 et seq.) and implementing regulations; (b) part C of Title
XI of the social security act (42 U.S.C. 1320d et seq.); (c) the fair
credit reporting act (15 U.S.C. 1681 et seq.); (d) the family
educational rights and privacy act (20 U.S.C. 1232g; Part 99 of Title
34, C.F.R.); (e) the Washington health benefit exchange and applicable
statutes and regulations, including 45 C.F.R. Sec. 155.260 and chapter
43.71 RCW; or (f) privacy rules adopted by the office of the insurance
commissioner pursuant to chapter 48.02 or 48.43 RCW.
(3) The obligations imposed on regulated entities, small
businesses, and processors under this chapter does not restrict a
regulated entity's, small business's, or processor's ability for
collection, use, or disclosure of consumer health data to prevent,
detect, protect against, or respond to security incidents, identity
theft, fraud, harassment, malicious or deceptive activities, or any
activity that is illegal under Washington state law or federal law;
preserve the integrity or security of systems; or investigate, report,
or prosecute those responsible for any such action that is illegal
under Washington state law or federal law.
(4) If a regulated entity, small business, or processor processes
consumer health data pursuant to subsection (3) of this section, such
entity bears the burden of demonstrating that such processing
qualifies for the exemption and complies with the requirements of this
section. [2023 c 191 s 12.]
RCW 19.373.900 Short title. Chapter 191, Laws of 2023 may be
known and cited as the Washington my health my data act. [2023 c 191