Bill to strengthen health data privacy passes state legislature

OLYMPIA, Wash. – A bill to strengthen health data privacy in Washington state has been passed by both chambers of the Legislature.

If it becomes law, ESHB 1155, also known as the My Health, My Data Act, will establish consumer health data rights. These rights will allow Washingtonians to access, delete, and withdraw consent to the collection, sharing, or sale of their consumer health data.

“The purpose and mission is to protect the very private information that women often place on things like apps that they think are protected but in fact have no protection under the law,” said Attorney General Bob. Ferguson said. “So, to take an example, if you’re tracking your time in an app, you might think that there are some laws that protect you from the owner of that app selling your information or transferring that information to law enforcement but in reality – no protection at all.”

Ferguson said his agency has asked for the law to apply the same kinds of protections that someone would have if they went to a hospital, such as where HIPAA law protects personal information, into other contexts. .

Maya Morales, founder of the People’s Privacy of Washington, believes the bill strikes a balance.

“We’re doing what we can and this is a great start,” Morales said. “Data privacy advocates are aware that this bill doesn’t go far enough for us, it doesn’t guarantee everything, but it’s a really important step and we’re taking it. in Washington state.”

Morales said people may not realize how much of their data is being collected and transmitted to other servers and bought and sold.

“What people need to understand about that is that the flow of data is far beyond anything most people can even imagine, and there are so many types of data that are really sensitive,” Morales said. “Health data is one of those types of data and so this bill is very important to protect those types of data.”

The Washington Retail Association supports the bill’s purpose, but has problems with its current form. In a statement, President and CEO Renée Sunde wrote:

“Washington retailers are concerned the “My Health Data Act,” as drafted, is vague and unclear and will negatively impact consumers in Washington. The bill’s stated purpose is to protect the health data of Washingtonians, and as retailers that understand the essential importance of consumer privacy, we support that intention.

However, in its current form, the bill could be applied in a way that goes beyond its stated purpose. The practical effect would apply opt-in consent to many everyday transactions not reasonably expected by consumers that are related to “a state of health or an attempt to obtain care services.” health”.

Ferguson said he believes the bill is balanced and has strong support.

“A lot of Washingtonians are using apps and other types of technology to store personal information and they think that information is protected, that some law has to protect that information,” Ferguson said. . “While this seems reasonable, it is not. In this day and age, when it comes to reproductive freedoms, those rights are now questioned in some parts of the country and excluded. removed in some states, it is important that information is protected for women but also for all Washingtonians.”

Last October, when the bill was introduced in a press release from the state attorney general’s office, some examples of how Washington’s health data is vulnerable to being shared with advertisers and Other groups were included.

• Menstrual tracking apps can sell sensitive information about women’s missed periods or miscarriages to data brokers. Data brokers can link that information to her data profile, essentially for sale on the open market. Law enforcement from states with strict anti-abortion laws or anti-choice advocacy groups can purchase such data records and use that information to prosecute women who have had abortions or miscarriages. pregnant in another state.
• Pregnant individuals sometimes contact or visit crisis pregnancy centers to seek reproductive health services, only to find out that they cannot have abortions at that facility. But while they’re there, the crisis pregnancy center can collect and share the woman’s sensitive data with anti-abortion groups, who can then target the woman with anti-abortion messages. abortion and political advertising.
• Digital advertising agencies can set up geo-fences around healthcare facilities that will move when a person carries their cell phone or mobile device over the fence. Individuals can be attacked with text messages and advertisements encouraging them not to seek reproductive or gender-affirming care.

The 2023 legislative session ends on April 23.