Washington state lawmakers finalized passage of a bill Monday that provides privacy protections for consumer health data.
The bill protects health data collected by consumer apps and websites, which is not covered by federal regulations, and is headed to Washington Gov. Jay Inslee for his signature.
The legislation has special urgency as many states pass prohibitions against abortion and seek to restrict women from obtaining abortions elsewhere, according to Rep. Vandana Slatter (D-Redmond), the bill’s sponsor, who spoke to GeekWire in an earlier interview. Period tracking apps, for instance, can disclose information about abortions or miscarriages, and the new law would shield such data.
“Websites, apps and health tracking devices lack the basic protections we’ve come to expect when sharing our personal health data,” said Rep. Slatter in a statement Monday. “There is no way to consent or even know about it. We must protect the data of Washingtonians and all who travel here. Without a federal policy, this is where we are and the first in the nation bill we need.”
Cher Scarlett, a Seattle-area software engineer and workers’ rights activist who testified in favor of the bill, celebrated its passage. “This is an enormous victory for not only Washington state, but the entire nation,” Scarlett said in an email to GeekWire.
The bill, HB1155, passed the state House 57-40 in March and the Senate 27-21 on April 5. The House agreed to the amendments Monday. The law, called the My Health, My Data Act, will:
- Prohibit the sharing and collection of health data without consent in Washington state.
- Require distinct privacy policies that disclose how personal health data is used by entities that collect it.
- Require prior authorization for companies to sell sensitive health data to third parties.
- Guarantee the right of Washingtonians to withdraw consent and request deletion of their health data.
- Prohibit “geofencing” around health care facilities to identify or track consumers seeking healthcare services or send messages related to health.
Some of the amendments to the bill weakened its privacy protections compared to the original version, said Scarlett. Location data was originally fully protected, but the final bill allows imprecise location data within a 1,750-foot radius to be collected and sold, she said.
The bill also originally included “use or purchase of medications” under the definition of consumer health data, but that was changed to the narrower term “prescribed medication.”
Protected reproductive and health services data, however, did specifically retain broader privacy protections for “medication,” said Scarlett. And even for non-reproductive services, the purchase of all medications is protected if the information is used to infer health status, said Slatter.
An analysis by STAT News and The Markup showed that many direct-to-consumer telehealth companies share sensitive medical data with large advertising platforms. Trackers that collected medical intake data were present on 13 of the 50 websites assessed, and all but one shared URLs that people visited and their IP addresses.
The My Health, My Data Act was requested by Washington state attorney general Bob Ferguson and can be enforced by his office or by Washingtonians bringing their own civil lawsuits.
“This law provides Washingtonians control over their personal health data,” Ferguson said in a statement. “Washingtonians deserve the right to decide who shares and sells their health data, and the freedom to demand that corporations delete their sensitive health data — and will now have these protections.”
Editor’s note: This story was updated with information about an amendment defining consumer health data.