
Washington passes law requiring consent before companies collect health data

Websites and apps must receive ‘unambiguous’ consent before they can collect or sell a user’s health data.

Illustration: Alex Castro / The Verge

A new Washington state law will require companies to receive a user’s explicit consent before they can collect, share, or sell their health data. Washington Governor Jay Inslee signed the My Health, My Data bill into law on Thursday, giving users the right to withdraw consent at any time and have their data deleted.

The law should help shield users’ health data from the companies and organizations that fall outside the HIPAA Privacy Rule, which bars covered entities such as health plans and health care providers from disclosing “individually identifiable” health information without consent. The HIPAA Privacy Rule does not cover many of the consumer health apps and sites that collect medical data, which has left them free to collect and sell that information to advertisers.

Under Washington’s new law, which takes effect in March 2024, health apps and sites must ask a user for permission to collect their health data in a nondeceptive manner that “openly communicates a consumer’s freely given, informed, opt-in, voluntary, specific, and unambiguous written consent.” Sites and apps must also disclose what kind of data they plan to collect and whether they plan to sell it. Additionally, the law bans setting up a geofence around a facility that provides in-person health care in order to track or collect location data about the patients who visit it.

“My Health, My Data protects the independence and dignity of individuals when they make healthcare decisions,” says Representative Vandana Slatter (D), one of the bill’s backers. “It prevents vulnerabilities in the technological era that are being used to target and exploit consumers who may not be aware of the vast data that everything from our watches and phones collect.”

In recent months, the Federal Trade Commission has been cracking down on apps and websites that share sensitive health information with advertisers, in part because of the overturning of Roe v. Wade and the rise of telehealth during the COVID-19 pandemic. Earlier this year, the FTC fined the online pharmacy and telehealth provider GoodRx for sending health data to Google, Facebook, and other companies without consent. Meanwhile, other online services, including two alcohol counseling companies and the telehealth startup Cerebral, admitted to sharing patient data with third parties. Meta also faces class action lawsuits accusing the company of violating patient privacy through its pixel tracking tool.

As more states ban access to abortion care, patients in these states are becoming increasingly concerned about local authorities accessing their online data when visiting or searching for an out-of-state abortion clinic. That’s part of the reason why lawmakers are working on bills that would increase privacy protections on a national level. Last month, Democrats introduced the Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act that would bar companies from selling private health information, while Congress also held a hearing on the American Data Privacy and Protection Act (ADPPA), which gives users the ability to request the deletion of their data.