Consumers in Washington state will gain new privacy protections over their health data if lawmakers pass proposed legislation called the My Health, My Data Act.
The act would prohibit websites and apps from collecting consumer health data without user consent and prevent the sale of such data.
The draft legislation also gives consumers the right to have their health data deleted and to withdraw consent to share it. “Geofencing” technology would also be prohibited around healthcare facilities, including abortion clinics, for purposes such as identifying or messaging a consumer entering the geofenced area.
Healthcare privacy has gained extra urgency as states such as Missouri pass prohibitions against abortion and seek to limit women from obtaining abortions in other states, said Washington state Rep. Vandana Slatter (D-Redmond), the sponsor of the House version of the bill (HB 1155). Period tracking apps, for instance, can disclose information about abortions or miscarriages, and the new law would shield such data.
“Recent attacks on bodily autonomy and reproductive healthcare have shown us how urgent the need is to protect health data, and that is what this bill does,” Slatter told GeekWire.
A related bill signed into law last year in California limits companies from providing data like search requests in response to out-of-state warrants.
Federal regulations protect health data collected by most healthcare providers but do not protect data collected by consumer apps and websites.
A recent analysis by STAT News and The Markup showed that many direct-to-consumer telehealth companies share sensitive medical data with large advertising platforms. Trackers that collected medical intake data were present on 13 of the 50 websites assessed, and all but one shared URLs that people visited and their IP addresses.
The My Health, My Data Act was requested by Washington state attorney general Bob Ferguson and would be enforceable under the state’s Consumer Protection Act.
The act “applies to basically everyone doing business in Washington, not just healthcare providers,” said Ari Friedman, a physician at the University of Pennsylvania who researches digital health privacy. Another strength of the legislation, said Friedman, is its broad definition of health data that includes efforts to research health services and supplies.
The draft bill also regulates how consent is given, such as mandating that websites provide separate consent for collecting and sharing data, and prohibiting privacy statements from being included in a document with unrelated information.
But Friedman is concerned that the bill may not go far enough.
For instance, consumers should be able to access a website’s services whether or not they accept the privacy policy, said Friedman. “Posting a privacy policy at the bottom of your webpage and forcing busy, overwhelmed consumers to click a checkbox saying they have read it isn’t really meaningful consent,” he said.
The House bill is currently undergoing revisions after a hearing in late January and is slated for a vote Friday in the House Committee on Civil Rights & Judiciary.
The legislation has the support of Planned Parenthood, the American Civil Liberties Union of Washington, Pro-Choice Washington, the League of Women Voters of Washington and other groups.
At a hearing last week, Andrew Kingman, a representative from the State Privacy and Security Coalition, said that the industry group “supports the intent of this bill.” However, he said the draft bill’s definition of consumer health data was too broad. “Consumers will get opt in requests for routine purchases, like books about health, or many types of clothing,” said Kingman.
Kelly Fukai, vice president of governmental and community affairs for the Washington Technology Industry Association, similarly asked legislators to narrow the definition of consumer health data. She also said: “There is no doubt that the subjects highlighted in this legislation are sensitive, important and top of mind for many Washington residents.”
In response to industry concerns, Washington assistant attorney general Andrea Alegrett said that “we hope to continue to have ongoing conversations to find middle ground.” A Senate version of the legislation (SB5351) is also under consideration.
“We have been listening and working with stakeholders for months on this legislation,” said Slatter.
If it passes, the Washington bill could ultimately help set up a regulatory framework and process for comprehensive privacy regulations, said Friedman — something Washington state has grappled with, with little success, during previous legislative sessions.
Slatter said that health data is in its own category. “This is really deeply personal, it’s vulnerable. It can do harm if we share it or sell it,” she said.
Seattle-area tech giant Microsoft noted the wider potential of the legislation in a recent blog post on its legislative priorities.
“While we still believe that Washingtonians need and deserve comprehensive data privacy protections, we recognize that the issues surrounding health data are particularly important and timely. While we will want to review the details of the legislation, we are hopeful that enacting data privacy protections in one area could be a step towards comprehensive legislation,” said Microsoft in the post.
We’ve reached out to Amazon, which offers a growing suite of online health services, for comment and will update this story if we hear back.