New Health Data Privacy Law in Washington Protects Location Records, Ensures Access to Personal Data

The state of Washington’s new health data privacy law expands protections for residents, including restrictions on the sharing of location data that would shelter abortion seekers who might face legal trouble in their home states.

Though the new law was spurred by the overturn of Roe v. Wade, it provides some additional data protections that go beyond the realm of abortion concerns. Health consumers of all types will now have greater visibility into stored data, and the ability to request corrections and deletions. The bill specifically addresses sources that fall into the “HIPAA gap,” such as fitness apps and period trackers.

General health data privacy improvement in Washington stems from abortion worries

The “My Health My Data Act” reflects protections that are offered by the EU’s General Data Protection Regulation (GDPR), but is the first of its kind among United States laws.

The health data privacy terms were first introduced in 2022, after the overturn of Roe v. Wade sent decisions about abortion regulations back to individual states. This prompted widespread concerns that states might demand health or location information from certain apps to track the movements of residents outside of their borders, looking to establish violations of the anti-abortion terms that they were now allowed to adopt.

This was a well-founded concern in terms of access, given the number of apps that could provide a trail to and from abortion clinics and that are not covered by HIPAA health care regulations. State prosecutors would simply need to request the data from companies like Google and Meta, and it is unclear whether those companies would be legally able to deny all of it. Types of apps that pose this sort of health data privacy concern include menstruation and pregnancy trackers, web search and shopping services, and anything that can place a user at an abortion clinic via GPS location.

The Washington bill now covers these “HIPAA gap” apps with both regulations for app developers and restrictions on health care facilities. Any organization providing in-person health services in Washington is now forbidden from setting up a tracking geofence on its property, helping to protect user GPS location data. Consumers must also now be asked for express consent before their health data is collected, shared or sold, and a right to access collected data and have it deleted is also now guaranteed.

The health data privacy bill also establishes both fines for violators and a private right of action under the existing terms of the Washington Consumer Protection Act. At minimum, fines would run $7,500 per violation. The terms do not go into effect until March 31, 2024, and small businesses would have an additional enforcement delay of three months from that date. However, the geofencing prohibition is set to begin within three months.

Could the bill go beyond health data privacy?

There has been the expected pushback from tech platforms, which claim the bill has expanded in scope beyond what was originally proposed in 2022. But some independent legal analysts also question the language it uses, and the possibility that it is overbroad and may end up being used to penalize apps and websites it was not intended to cover.

As it is worded, the health data privacy bill could potentially be applied to any retail store that sells a fitness or nutrition product. Other companies that deal in or use biometric identification measures, for example as a multi-factor authentication login option, could also find themselves swept up in these regulations even if they have no real connection to health services. While some might cheer this added regulation being applied across as many industries as possible, the inclusion of a private right of action does raise the specter of frivolous lawsuits being filed against small companies that the bill was not really intended to regulate.

With federal health data privacy legislation still seemingly somewhere beyond the horizon, the development in Washington may prompt other states to follow. Even the California Consumer Privacy Act, the most robust state-level data privacy regulation thus far, does not provide some of the protections offered by this new legislation. The only existing law with some comparable terms is the Illinois Biometric Information Privacy Act, which has similar rules forbidding the transfer of biometric information between organizations and allows for large damage claims in private legal action.

One limitation of the Washington bill is that, though geofencing on the premises of a health care service is forbidden, “imprecise” location data can still be collected within a 1,750-foot radius of the property. Personal data involving the sale of non-prescription “over the counter” medications may also be exempt from the rules, based on the language used in the final version of the bill.

Senior Correspondent at CPO Magazine