OLYMPIA, Wash. — A bill that would strengthen the privacy of health data in Washington state has passed both chambers of the Legislature.
If it becomes law, ESHB 1155, also known as the My Health, My Data Act, would establish consumer health data rights. These rights would allow Washingtonians the right to access, delete, and withdraw consent from the collection, sharing, or selling of their consumer health data.
"The intent and mission is to protect very private information that women often place on things like apps that they think are protected but actually there's no protections under the law," said state Attorney General Bob Ferguson. "So, as one example, if you are tracking your period under an app, you may think that there is some law that protects you from that owner of that app from selling your information or turning it over to law enforcement but in fact - no protections at all."
Ferguson said his agency requested the legislation to place the same types of protections someone would have if they went to a hospital, for example, where HIPAA laws protect personal information, into other contexts as well.
Maya Morales, founder of Washington People's Privacy, believes the bill strikes a balance.
"We're doing what we can and this is an excellent start," Morales said. "Data privacy advocates are aware this bill doesn't go far enough for us, it doesn't secure everything, but it is a really important step and we're taking that step in Washington state."
Morales said people may not recognize how much of their data is collected and transmitted to other servers and is bought and sold.
"What people need to understand about that, is that data flows far exceed anything most people can even imagine, and there are a lot of kinds of data that are really sensitive," Morales said. "Health data is one of those categories of data, and so this bill is important to protect those kinds of data."
The Washington Retail Association supports the intent of the bill, but takes issue with its current form. In a statement, President and CEO Renée Sunde wrote:
“Washington retailers are concerned the “My Health My Data Act,” as drafted, is vague and ambiguous, and will negatively impact Washington consumers. The stated purpose of the bill is to protect Washingtonians’ health data, and as retailers that understand the critical importance of our consumers’ privacy, we support that intent.
However, in its current form, the bill could be applied in a way that far exceeds its stated intent. The practical effect would apply opt-in consent to many everyday transactions that consumers reasonably do not expect are connected to “health conditions or attempts to obtain health care services.”
Ferguson said he believes the bill is balanced and has strong support.
"So many Washingtonians are using apps and other types of technology to store personal information and they do so thinking it's protected, that some law must protect that information," Ferguson said. "While it may seem logical, the reality is, that's not the case. In this day and age, when it comes to reproductive freedoms, that those are now in doubt in some parts of the country and eliminated in some states, it's important that information is protected for women but also all Washingtonians."
Last October, when the bill was introduced in a press release from the state attorney general's office, several examples of how Washingtonians' health data was left vulnerable to be shared with advertisers and other groups were included.
- Period tracking apps can sell sensitive information about a woman’s late period or miscarriage to data brokers. Data brokers can link that information to her data profile, which is essentially for sale on the open market. Law enforcement from states with strict anti-abortion laws or anti-choice advocacy groups can purchase that data profile and use that information to prosecute women who had an abortion or miscarriage in another state.
- Pregnant individuals sometimes contact or visit crisis pregnancy centers looking for reproductive health care services, only to find that they cannot receive an abortion at that facility. But while they are there, the crisis pregnancy center can collect and share the woman’s sensitive data with anti-abortion groups who can then target the woman with anti-abortion messaging and political ads.
- Digital advertising firms can set up geofencing around health care facilities that trip when a person brings their cell phone or mobile device across the barrier. The individual can be bombarded with text messages and advertisements urging them not to seek reproductive or gender-affirming care.
The 2023 legislative session ends April 23.