New Washington State Health Privacy Law Brings Litigation and Enforcement Risks

Businesses dealing with health-related data in Washington state will face new litigation and enforcement risks as a comprehensive health privacy law takes effect next week. The My Health My Data Act, enacted in April 2023 in response to the US Supreme Court’s decision overturning a federal right to abortion, provides Washington residents with some of the most extensive health information privacy protections in the nation.

Starting March 31, the law’s enforcement provisions will come into play, allowing the state attorney general to take enforcement actions and individuals to file lawsuits against alleged violators, seeking up to $25,000 per plaintiff in damages. This private right of action could lead to a surge in cases, similar to what occurred in Illinois following the Biometric Information Privacy Act.

The law prohibits covered entities from collecting or selling health data tied to an individual without their express consent. It also includes provisions to protect location data near places like abortion clinics. The law’s protections go beyond federal guarantees in the Health Insurance Portability and Accountability Act to encompass information that could be used to infer an individual’s health status, such as purchases of toiletries.

While large businesses will face immediate enforcement or litigation risks, small businesses have until June 30 to comply with the law’s requirements. Retailers in the state may need to adjust their data-collection practices to comply with the law, potentially impacting customer service.

Data brokers and entities that aggregate health data without obtaining consumer consent are likely targets for lawsuits under the Washington statute. The targeted-advertising industry could be significantly affected, as compliance with the law may be challenging for internet advertising practices.

Compliance with the law will require many companies to rethink their consent policies and handling of sensitive data. Some companies may opt to avoid collecting sensitive data altogether to mitigate risks. The law’s enforcement date approaching has prompted companies to reassess their data collection practices and vendor relationships to ensure compliance.

The My Health My Data Act in Washington is seen as a precursor to potential changes in how regulators approach sensitive data and targeted advertising. Other states may look to Washington’s implementation of the law before enacting similar legislation. The impact of the law on businesses and potential unintended consequences will be closely monitored in the coming months.