Washington's My Health My Data Act clears state legislature - HOUSE BILL 1155
CERTIFICATION OF ENROLLMENT
ENGROSSED SUBSTITUTE HOUSE BILL 1155
68th Legislature
2023 Regular Session
Passed by the House April 17, 2023
Yeas 57 Nays 40
Speaker of the House of
Representatives
Passed by the Senate April 5, 2023
Yeas 27 Nays 21
President of the Senate
CERTIFICATE
I, Bernard Dean, Chief Clerk of the
House of Representatives of the
State of Washington, do hereby
certify that the attached is
ENGROSSED SUBSTITUTE HOUSE BILL
1155 as passed by the House of
Representatives and the Senate on
the dates hereon set forth.
Chief Clerk
Approved FILED
Governor of the State of Washington
Secretary of State
State of Washington
ENGROSSED SUBSTITUTE HOUSE BILL 1155
AS AMENDED BY THE SENATE
Passed Legislature - 2023 Regular Session
State of Washington 68th Legislature 2023 Regular Session
By House Civil Rights & Judiciary (originally sponsored by
Representatives Slatter, Street, Reed, Ryu, Berg, Alvarado, Taylor,
Bateman, Ramel, Senn, Goodman, Fitzgibbon, Macri, Simmons, Reeves,
Lekanoff, Orwall, Duerr, Thai, Gregerson, Wylie, Ortiz-Self, Stonier,
Pollet, Riccelli, Donaghy, Fosse, and Ormsby; by request of Attorney
General)
READ FIRST TIME 02/07/23.
1 AN ACT Relating to the collection, sharing, and selling of
2 consumer health data; adding a new section to chapter 44.28 RCW;
3 adding a new chapter to Title 19 RCW; and providing an expiration
4 date.
5 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
6 NEW SECTION. Sec. 1. This act may be known and cited as the
7 Washington my health my data act.
8 NEW SECTION. Sec. 2. (1) The legislature finds that the people
9 of Washington regard their privacy as a fundamental right and an
10 essential element of their individual freedom. Washington's
11 Constitution explicitly provides the right to privacy. Fundamental
12 privacy rights have long been and continue to be integral to
13 protecting Washingtonians and to safeguarding our democratic
14 republic.
15 (2) Information related to an individual's health conditions or
16 attempts to obtain health care services is among the most personal
17 and sensitive categories of data collected. Washingtonians expect
18 that their health data is protected under laws like the health
19 information portability and accountability act (HIPAA). However,
20 HIPAA only covers health data collected by specific health care
p. 1 ESHB 1155.PL
1 entities, including most health care providers. Health data collected
2 by noncovered entities, including certain apps and websites, are not
3 afforded the same protections. This act works to close the gap
4 between consumer knowledge and industry practice by providing
5 stronger privacy protections for all Washington consumers' health
6 data.
7 (3) With this act, the legislature intends to provide heightened
8 protections for Washingtonian's health data by: Requiring additional
9 disclosures and consumer consent regarding the collection, sharing,
10 and use of such information; empowering consumers with the right to
11 have their health data deleted; prohibiting the selling of consumer
12 health data without valid authorization signed by the consumer; and
13 making it unlawful to utilize a geofence around a facility that
14 provides health care services.
15 NEW SECTION. Sec. 3. The definitions in this section apply
16 throughout this chapter unless the context clearly requires
17 otherwise.
18 (1) "Abortion" means the termination of a pregnancy for purposes
19 other than producing a live birth.
20 (2) "Affiliate" means a legal entity that shares common branding
21 with another legal entity and controls, is controlled by, or is under
22 common control with another legal entity. For the purposes of this
23 definition, "control" or "controlled" means:
24 (a) Ownership of, or the power to vote, more than 50 percent of
25 the outstanding shares of any class of voting security of a company;
26 (b) Control in any manner over the election of a majority of the
27 directors or of individuals exercising similar functions; or
28 (c) The power to exercise controlling influence over the
29 management of a company.
30 (3) "Authenticate" means to use reasonable means to determine
31 that a request to exercise any of the rights afforded in this chapter
32 is being made by, or on behalf of, the consumer who is entitled to
33 exercise such consumer rights with respect to the consumer health
34 data at issue.
35 (4) "Biometric data" means data that is generated from the
36 measurement or technological processing of an individual's
37 physiological, biological, or behavioral characteristics and that
38 identifies a consumer, whether individually or in combination with
39 other data. Biometric data includes, but is not limited to:
p. 2 ESHB 1155.PL
1 (a) Imagery of the iris, retina, fingerprint, face, hand, palm,
2 vein patterns, and voice recordings, from which an identifier
3 template can be extracted; or
4 (b) Keystroke patterns or rhythms and gait patterns or rhythms
5 that contain identifying information.
6 (5) "Collect" means to buy, rent, access, retain, receive,
7 acquire, infer, derive, or otherwise process consumer health data in
8 any manner.
9 (6)(a) "Consent" means a clear affirmative act that signifies a
10 consumer's freely given, specific, informed, opt-in, voluntary, and
11 unambiguous agreement, which may include written consent provided by
12 electronic means.
13 (b) "Consent" may not be obtained by:
14 (i) A consumer's acceptance of a general or broad terms of use
15 agreement or a similar document that contains descriptions of
16 personal data processing along with other unrelated information;
17 (ii) A consumer hovering over, muting, pausing, or closing a
18 given piece of content; or
19 (iii) A consumer's agreement obtained through the use of
20 deceptive designs.
21 (7) "Consumer" means (a) a natural person who is a Washington
22 resident; or (b) a natural person whose consumer health data is
23 collected in Washington. "Consumer" means a natural person who acts
24 only in an individual or household context, however identified,
25 including by any unique identifier. "Consumer" does not include an
26 individual acting in an employment context.
27 (8)(a) "Consumer health data" means personal information that is
28 linked or reasonably linkable to a consumer and that identifies the
29 consumer's past, present, or future physical or mental health status.
30 (b) For the purposes of this definition, physical or mental
31 health status includes, but is not limited to:
32 (i) Individual health conditions, treatment, diseases, or
33 diagnosis;
34 (ii) Social, psychological, behavioral, and medical
35 interventions;
36 (iii) Health-related surgeries or procedures;
37 (iv) Use or purchase of prescribed medication;
38 (v) Bodily functions, vital signs, symptoms, or measurements of
39 the information described in this subsection (8)(b);
40 (vi) Diagnoses or diagnostic testing, treatment, or medication;
p. 3 ESHB 1155.PL
1 (vii) Gender-affirming care information;
2 (viii) Reproductive or sexual health information;
3 (ix) Biometric data;
4 (x) Genetic data;
5 (xi) Precise location information that could reasonably indicate
6 a consumer's attempt to acquire or receive health services or
7 supplies;
8 (xii) Data that identifies a consumer seeking health care
9 services; or
10 (xiii) Any information that a regulated entity or a small
11 business, or their respective processor, processes to associate or
12 identify a consumer with the data described in (b)(i) through (xii)
13 of this subsection that is derived or extrapolated from nonhealth
14 information (such as proxy, derivative, inferred, or emergent data by
15 any means, including algorithms or machine learning).
16 (c) "Consumer health data" does not include personal information
17 that is used to engage in public or peer-reviewed scientific,
18 historical, or statistical research in the public interest that
19 adheres to all other applicable ethics and privacy laws and is
20 approved, monitored, and governed by an institutional review board,
21 human subjects research ethics review board, or a similar independent
22 oversight entity that determines that the regulated entity or the
23 small business has implemented reasonable safeguards to mitigate
24 privacy risks associated with research, including any risks
25 associated with reidentification.
26 (9) "Deceptive design" means a user interface designed or
27 manipulated with the effect of subverting or impairing user autonomy,
28 decision making, or choice.
29 (10) "Deidentified data" means data that cannot reasonably be
30 used to infer information about, or otherwise be linked to, an
31 identified or identifiable consumer, or a device linked to such
32 consumer, if the regulated entity or the small business that
33 possesses such data (a) takes reasonable measures to ensure that such
34 data cannot be associated with a consumer; (b) publicly commits to
35 process such data only in a deidentified fashion and not attempt to
36 reidentify such data; and (c) contractually obligates any recipients
37 of such data to satisfy the criteria set forth in this subsection
38 (10).
39 (11) "Gender-affirming care information" means personal
40 information relating to seeking or obtaining past, present, or future
p. 4 ESHB 1155.PL
1 gender-affirming care services. "Gender-affirming care information"
2 includes, but is not limited to:
3 (a) Precise location information that could reasonably indicate a
4 consumer's attempt to acquire or receive gender-affirming care
5 services;
6 (b) Efforts to research or obtain gender-affirming care services;
7 or
8 (c) Any gender-affirming care information that is derived,
9 extrapolated, or inferred, including from nonhealth information, such
10 as proxy, derivative, inferred, emergent, or algorithmic data.
11 (12) "Gender-affirming care services" means health services or
12 products that support and affirm an individual's gender identity
13 including, but not limited to, social, psychological, behavioral,
14 cosmetic, medical, or surgical interventions. "Gender-affirming care
15 services" includes, but is not limited to, treatments for gender
16 dysphoria, gender-affirming hormone therapy, and gender-affirming
17 surgical procedures.
18 (13) "Genetic data" means any data, regardless of its format,
19 that concerns a consumer's genetic characteristics. "Genetic data"
20 includes, but is not limited to:
21 (a) Raw sequence data that result from the sequencing of a
22 consumer's complete extracted deoxyribonucleic acid (DNA) or a
23 portion of the extracted DNA;
24 (b) Genotypic and phenotypic information that results from
25 analyzing the raw sequence data; and
26 (c) Self-reported health data that a consumer submits to a
27 regulated entity or a small business and that is analyzed in
28 connection with consumer's raw sequence data.
29 (14) "Geofence" means technology that uses global positioning
30 coordinates, cell tower connectivity, cellular data, radio frequency
31 identification, Wifi data, and/or any other form of spatial or
32 location detection to establish a virtual boundary around a specific
33 physical location, or to locate a consumer within a virtual boundary.
34 For purposes of this definition, "geofence" means a virtual boundary
35 that is 2,000 feet or less from the perimeter of the physical
36 location.
37 (15) "Health care services" means any service provided to a
38 person to assess, measure, improve, or learn about a person's mental
39 or physical health, including but not limited to:
40 (a) Individual health conditions, status, diseases, or diagnoses;
p. 5 ESHB 1155.PL
1 (b) Social, psychological, behavioral, and medical interventions;
2 (c) Health-related surgeries or procedures;
3 (d) Use or purchase of medication;
4 (e) Bodily functions, vital signs, symptoms, or measurements of
5 the information described in this subsection;
6 (f) Diagnoses or diagnostic testing, treatment, or medication;
7 (g) Reproductive health care services; or
8 (h) Gender-affirming care services.
9 (16) "Homepage" means the introductory page of an internet
10 website and any internet webpage where personal information is
11 collected. In the case of an online service, such as a mobile
12 application, homepage means the application's platform page or
13 download page, and a link within the application, such as from the
14 application configuration, "about," "information," or settings page.
15 (17) "Person" means, where applicable, natural persons,
16 corporations, trusts, unincorporated associations, and partnerships.
17 "Person" does not include government agencies, tribal nations, or
18 contracted service providers when processing consumer health data on
19 behalf of a government agency.
20 (18)(a) "Personal information" means information that identifies
21 or is reasonably capable of being associated or linked, directly or
22 indirectly, with a particular consumer. "Personal information"
23 includes, but is not limited to, data associated with a persistent
24 unique identifier, such as a cookie ID, an IP address, a device
25 identifier, or any other form of persistent unique identifier.
26 (b) "Personal information" does not include publicly available
27 information.
28 (c) "Personal information" does not include deidentified data.
29 (19) "Precise location information" means information derived
30 from technology including, but not limited to, global positioning
31 system level latitude and longitude coordinates or other mechanisms,
32 that directly identifies the specific location of an individual with
33 precision and accuracy within a radius of 1,750 feet. "Precise
34 location information" does not include the content of communications,
35 or any data generated by or connected to advanced utility metering
36 infrastructure systems or equipment for use by a utility.
37 (20) "Process" or "processing" means any operation or set of
38 operations performed on consumer health data.
39 (21) "Processor" means a person that processes consumer health
40 data on behalf of a regulated entity or a small business.
p. 6 ESHB 1155.PL
1 (22) "Publicly available information" means information that (a)
2 is lawfully made available through federal, state, or municipal
3 government records or widely distributed media, and (b) a regulated
4 entity or a small business has a reasonable basis to believe a
5 consumer has lawfully made available to the general public. "Publicly
6 available information" does not include any biometric data collected
7 about a consumer by a business without the consumer's consent.
8 (23) "Regulated entity" means any legal entity that: (a) Conducts
9 business in Washington, or produces or provides products or services
10 that are targeted to consumers in Washington; and (b) alone or
11 jointly with others, determines the purpose and means of collecting,
12 processing, sharing, or selling of consumer health data. "Regulated
13 entity" does not mean government agencies, tribal nations, or
14 contracted service providers when processing consumer health data on
15 behalf of the government agency.
16 (24) "Reproductive or sexual health information" means personal
17 information relating to seeking or obtaining past, present, or future
18 reproductive or sexual health services. "Reproductive or sexual
19 health information" includes, but is not limited to:
20 (a) Precise location information that could reasonably indicate a
21 consumer's attempt to acquire or receive reproductive or sexual
22 health services;
23 (b) Efforts to research or obtain reproductive or sexual health
24 services; or
25 (c) Any reproductive or sexual health information that is
26 derived, extrapolated, or inferred, including from nonhealth
27 information (such as proxy, derivative, inferred, emergent, or
28 algorithmic data).
29 (25) "Reproductive or sexual health services" means health
30 services or products that support or relate to a consumer's
31 reproductive system or sexual well-being, including but not limited
32 to:
33 (a) Individual health conditions, status, diseases, or diagnoses;
34 (b) Social, psychological, behavioral, and medical interventions;
35 (c) Health-related surgeries or procedures including, but not
36 limited to, abortions;
37 (d) Use or purchase of medication including, but not limited to,
38 medications for the purposes of abortion;
39 (e) Bodily functions, vital signs, symptoms, or measurements of
40 the information described in this subsection;
p. 7 ESHB 1155.PL
1 (f) Diagnoses or diagnostic testing, treatment, or medication;
2 and
3 (g) Medical or nonmedical services related to and provided in
4 conjunction with an abortion, including but not limited to associated
5 diagnostics, counseling, supplies, and follow-up services.
6 (26)(a) "Sell" or "sale" means the exchange of consumer health
7 data for monetary or other valuable consideration.
8 (b) "Sell" or "sale" does not include the exchange of consumer
9 health data for monetary or other valuable consideration:
10 (i) To a third party as an asset that is part of a merger,
11 acquisition, bankruptcy, or other transaction in which the third
12 party assumes control of all or part of the regulated entity's or the
13 small business's assets that complies with the requirements and
14 obligations in this chapter; or
15 (ii) By a regulated entity or a small business to a processor
16 when such exchange is consistent with the purpose for which the
17 consumer health data was collected and disclosed to the consumer.
18 (27)(a) "Share" or "sharing" means to release, disclose,
19 disseminate, divulge, make available, provide access to, license, or
20 otherwise communicate orally, in writing, or by electronic or other
21 means, consumer health data by a regulated entity or a small business
22 to a third party or affiliate.
23 (b) The term "share" or "sharing" does not include:
24 (i) The disclosure of consumer health data by a regulated entity
25 or a small business to a processor when such sharing is to provide
26 goods or services in a manner consistent with the purpose for which
27 the consumer health data was collected and disclosed to the consumer;
28 (ii) The disclosure of consumer health data to a third party with
29 whom the consumer has a direct relationship when: (A) The disclosure
30 is for purposes of providing a product or service requested by the
31 consumer; (B) the regulated entity or the small business maintains
32 control and ownership of the data; and (C) the third party uses the
33 consumer health data only at direction from the regulated entity or
34 the small business and consistent with the purpose for which it was
35 collected and consented to by the consumer; or
36 (iii) The disclosure or transfer of personal data to a third
37 party as an asset that is part of a merger, acquisition, bankruptcy,
38 or other transaction in which the third party assumes control of all
39 or part of the regulated entity's or the small business's assets and
40 complies with the requirements and obligations in this chapter.
p. 8 ESHB 1155.PL
1 (28) "Small business" means a regulated entity that satisfies one
2 or both of the following thresholds:
3 (a) Collects, processes, sells, or shares consumer health data of
4 fewer than 100,000 consumers during a calendar year; or
5 (b) Derives less than 50 percent of gross revenue from the
6 collection, processing, selling, or sharing of consumer health data,
7 and controls, processes, sells, or shares consumer health data of
8 fewer than 25,000 consumers.
9 (29) "Third party" means an entity other than a consumer,
10 regulated entity, processor, small business, or affiliate of the
11 regulated entity or the small business.
12 NEW SECTION. Sec. 4. (1)(a) Except as provided in subsection
13 (2) of this section, beginning March 31, 2024, a regulated entity and
14 a small business shall maintain a consumer health data privacy policy
15 that clearly and conspicuously discloses:
16 (i) The categories of consumer health data collected and the
17 purpose for which the data is collected, including how the data will
18 be used;
19 (ii) The categories of sources from which the consumer health
20 data is collected;
21 (iii) The categories of consumer health data that is shared;
22 (iv) A list of the categories of third parties and specific
23 affiliates with whom the regulated entity or the small business
24 shares the consumer health data; and
25 (v) How a consumer can exercise the rights provided in section 6
26 of this act.
27 (b) A regulated entity and a small business shall prominently
28 publish a link to its consumer health data privacy policy on its
29 homepage.
30 (c) A regulated entity or a small business may not collect, use,
31 or share additional categories of consumer health data not disclosed
32 in the consumer health data privacy policy without first disclosing
33 the additional categories and obtaining the consumer's affirmative
34 consent prior to the collection, use, or sharing of such consumer
35 health data.
36 (d) A regulated entity or a small business may not collect, use,
37 or share consumer health data for additional purposes not disclosed
38 in the consumer health data privacy policy without first disclosing
39 the additional purposes and obtaining the consumer's affirmative
p. 9 ESHB 1155.PL
1 consent prior to the collection, use, or sharing of such consumer
2 health data.
3 (e) It is a violation of this chapter for a regulated entity or a
4 small business to contract with a processor to process consumer
5 health data in a manner that is inconsistent with the regulated
6 entity's or the small business's consumer health data privacy policy.
7 (2) A small business must comply with this section beginning June
8 30, 2024.
9 NEW SECTION. Sec. 5. (1)(a) Except as provided in subsection
10 (2) of this section, beginning March 31, 2024, a regulated entity or
11 a small business may not collect any consumer health data except:
12 (i) With consent from the consumer for such collection for a
13 specified purpose; or
14 (ii) To the extent necessary to provide a product or service that
15 the consumer to whom such consumer health data relates has requested
16 from such regulated entity or small business.
17 (b) A regulated entity or a small business may not share any
18 consumer health data except:
19 (i) With consent from the consumer for such sharing that is
20 separate and distinct from the consent obtained to collect consumer
21 health data; or
22 (ii) To the extent necessary to provide a product or service that
23 the consumer to whom such consumer health data relates has requested
24 from such regulated entity or small business.
25 (c) Consent required under this section must be obtained prior to
26 the collection or sharing, as applicable, of any consumer health
27 data, and the request for consent must clearly and conspicuously
28 disclose: (i) The categories of consumer health data collected or
29 shared; (ii) the purpose of the collection or sharing of the consumer
30 health data, including the specific ways in which it will be used;
31 (iii) the categories of entities with whom the consumer health data
32 is shared; and (iv) how the consumer can withdraw consent from future
33 collection or sharing of the consumer's health data.
34 (d) A regulated entity or a small business may not unlawfully
35 discriminate against a consumer for exercising any rights included in
36 this chapter.
37 (2) A small business must comply with this section beginning June
38 30, 2024.
p. 10 ESHB 1155.PL
1 NEW SECTION. Sec. 6. (1)(a) Except as provided in subsection
2 (2) of this section, beginning March 31, 2024, a consumer has the
3 right to confirm whether a regulated entity or a small business is
4 collecting, sharing, or selling consumer health data concerning the
5 consumer and to access such data, including a list of all third
6 parties and affiliates with whom the regulated entity or the small
7 business has shared or sold the consumer health data and an active
8 email address or other online mechanism that the consumer may use to
9 contact these third parties.
10 (b) A consumer has the right to withdraw consent from the
11 regulated entity's or the small business's collection and sharing of
12 consumer health data concerning the consumer.
13 (c) A consumer has the right to have consumer health data
14 concerning the consumer deleted and may exercise that right by
15 informing the regulated entity or the small business of the
16 consumer's request for deletion.
17 (i) A regulated entity or a small business that receives a
18 consumer's request to delete any consumer health data concerning the
19 consumer shall:
20 (A) Delete the consumer health data from its records, including
21 from all parts of the regulated entity's or the small business's
22 network, including archived or backup systems pursuant to (c)(iii) of
23 this subsection; and
24 (B) Notify all affiliates, processors, contractors, and other
25 third parties with whom the regulated entity or the small business
26 has shared consumer health data of the deletion request.
27 (ii) All affiliates, processors, contractors, and other third
28 parties that receive notice of a consumer's deletion request shall
29 honor the consumer's deletion request and delete the consumer health
30 data from its records, subject to the same requirements of this
31 chapter.
32 (iii) If consumer health data that a consumer requests to be
33 deleted is stored on archived or backup systems, then the request for
34 deletion may be delayed to enable restoration of the archived or
35 backup systems and such delay may not exceed six months from
36 authenticating the deletion request.
37 (d) A consumer may exercise the rights set forth in this chapter
38 by submitting a request, at any time, to a regulated entity or a
39 small business. Such a request may be made by a secure and reliable
40 means established by the regulated entity or the small business and
p. 11 ESHB 1155.PL
1 described in its consumer health data privacy policy. The method must
2 take into account the ways in which consumers normally interact with
3 the regulated entity or the small business, the need for secure and
4 reliable communication of such requests, and the ability of the
5 regulated entity or the small business to authenticate the identity
6 of the consumer making the request. A regulated entity or a small
7 business may not require a consumer to create a new account in order
8 to exercise consumer rights pursuant to this chapter but may require
9 a consumer to use an existing account.
10 (e) If a regulated entity or a small business is unable to
11 authenticate the request using commercially reasonable efforts, the
12 regulated entity or the small business is not required to comply with
13 a request to initiate an action under this section and may request
14 that the consumer provide additional information reasonably necessary
15 to authenticate the consumer and the consumer's request.
16 (f) Information provided in response to a consumer request must
17 be provided by a regulated entity and a small business free of
18 charge, up to twice annually per consumer. If requests from a
19 consumer are manifestly unfounded, excessive, or repetitive, the
20 regulated entity or the small business may charge the consumer a
21 reasonable fee to cover the administrative costs of complying with
22 the request or decline to act on the request. The regulated entity
23 and the small business bear the burden of demonstrating the
24 manifestly unfounded, excessive, or repetitive nature of the request.
25 (g) A regulated entity and a small business shall comply with the
26 consumer's requests under subsection (1)(a) through (c) of this
27 section without undue delay, but in all cases within 45 days of
28 receipt of the request submitted pursuant to the methods described in
29 this section. A regulated entity and a small business must promptly
30 take steps to authenticate a consumer request but this does not
31 extend the regulated entity's and the small business's duty to comply
32 with the consumer's request within 45 days of receipt of the
33 consumer's request. The response period may be extended once by 45
34 additional days when reasonably necessary, taking into account the
35 complexity and number of the consumer's requests, so long as the
36 regulated entity or the small business informs the consumer of any
37 such extension within the initial 45-day response period, together
38 with the reason for the extension.
39 (h) A regulated entity and a small business shall establish a
40 process for a consumer to appeal the regulated entity's or the small
p. 12 ESHB 1155.PL
1 business's refusal to take action on a request within a reasonable
2 period of time after the consumer's receipt of the decision. The
3 appeal process must be conspicuously available and similar to the
4 process for submitting requests to initiate action pursuant to this
5 section. Within 45 days of receipt of an appeal, a regulated entity
6 or a small business shall inform the consumer in writing of any
7 action taken or not taken in response to the appeal, including a
8 written explanation of the reasons for the decisions. If the appeal
9 is denied, the regulated entity or the small business shall also
10 provide the consumer with an online mechanism, if available, or other
11 method through which the consumer may contact the attorney general to
12 submit a complaint.
13 (2) A small business must comply with this section beginning June
14 30, 2024.
15 NEW SECTION. Sec. 7. (1) Except as provided in subsection (2)
16 of this section, beginning March 31, 2024, a regulated entity and a
17 small business shall:
18 (a) Restrict access to consumer health data by the employees,
19 processors, and contractors of such regulated entity or small
20 business to only those employees, processors, and contractors for
21 which access is necessary to further the purposes for which the
22 consumer provided consent or where necessary to provide a product or
23 service that the consumer to whom such consumer health data relates
24 has requested from such regulated entity or small business; and
25 (b) Establish, implement, and maintain administrative, technical,
26 and physical data security practices that, at a minimum, satisfy
27 reasonable standard of care within the regulated entity's or the
28 small business's industry to protect the confidentiality, integrity,
29 and accessibility of consumer health data appropriate to the volume
30 and nature of the consumer health data at issue.
31 (2) A small business must comply with this section beginning June
32 30, 2024.
33 NEW SECTION. Sec. 8. (1)(a)(i) Except as provided in subsection
34 (2) of this section, beginning March 31, 2024, a processor may
35 process consumer health data only pursuant to a binding contract
36 between the processor and the regulated entity or the small business
37 that sets forth the processing instructions and limit the actions the
p. 13 ESHB 1155.PL
1 processor may take with respect to the consumer health data it
2 processes on behalf of the regulated entity or the small business.
3 (ii) A processor may process consumer health data only in a
4 manner that is consistent with the binding instructions set forth in
5 the contract with the regulated entity or the small business.
6 (b) A processor shall assist the regulated entity or the small
7 business by appropriate technical and organizational measures,
8 insofar as this is possible, in fulfilling the regulated entity's and
9 the small business's obligations under this chapter.
10 (c) If a processor fails to adhere to the regulated entity's or
11 the small business's instructions or processes consumer health data
12 in a manner that is outside the scope of the processor's contract
13 with the regulated entity or the small business, the processor is
14 considered a regulated entity or a small business with regard to such
15 data and is subject to all the requirements of this chapter with
16 regard to such data.
17 (2) A small business must comply with this section beginning June
18 30, 2024.
19 NEW SECTION. Sec. 9. (1) Except as provided in subsection (6)
20 of this section, beginning March 31, 2024, it is unlawful for any
21 person to sell or offer to sell consumer health data concerning a
22 consumer without first obtaining valid authorization from the
23 consumer. The sale of consumer health data must be consistent with
24 the valid authorization signed by the consumer. This authorization
25 must be separate and distinct from the consent obtained to collect or
26 share consumer health data, as required under section 5 of this act.
27 (2) A valid authorization to sell consumer health data is a
28 document consistent with this section and must be written in plain
29 language. The valid authorization to sell consumer health data must
30 contain the following:
31 (a) The specific consumer health data concerning the consumer
32 that the person intends to sell;
33 (b) The name and contact information of the person collecting and
34 selling the consumer health data;
35 (c) The name and contact information of the person purchasing the
36 consumer health data from the seller identified in (b) of this
37 subsection;
1 (d) A description of the purpose for the sale, including how the
2 consumer health data will be gathered and how it will be used by the
3 purchaser identified in (c) of this subsection when sold;
4 (e) A statement that the provision of goods or services may not
5 be conditioned on the consumer signing the valid authorization;
6 (f) A statement that the consumer has a right to revoke the valid
7 authorization at any time and a description on how to submit a
8 revocation of the valid authorization;
9 (g) A statement that the consumer health data sold pursuant to
10 the valid authorization may be subject to redisclosure by the
11 purchaser and may no longer be protected by this section;
12 (h) An expiration date for the valid authorization that expires
13 one year from when the consumer signs the valid authorization; and
14 (i) The signature of the consumer and date.
15 (3) An authorization is not valid if the document has any of the
16 following defects:
17 (a) The expiration date has passed;
18 (b) The authorization does not contain all the information
19 required under this section;
20 (c) The authorization has been revoked by the consumer;
21 (d) The authorization has been combined with other documents to
22 create a compound authorization; or
23 (e) The provision of goods or services is conditioned on the
24 consumer signing the authorization.
25 (4) A copy of the signed valid authorization must be provided to
26 the consumer.
27 (5) The seller and purchaser of consumer health data must retain
28 a copy of all valid authorizations for sale of consumer health data
29 for six years from the date of its signature or the date when it was
30 last in effect, whichever is later.
31 (6) A small business must comply with this section beginning June
32 30, 2024.
33 NEW SECTION. Sec. 10. It is unlawful for any person to
34 implement a geofence around an entity that provides in-person health
35 care services where such geofence is used to: (1) Identify or track
36 consumers seeking health care services; (2) collect consumer health
37 data from consumers; or (3) send notifications, messages, or
38 advertisements to consumers related to their consumer health data or
39 health care services.
1 NEW SECTION. Sec. 11. The legislature finds that the practices
2 covered by this chapter are matters vitally affecting the public
3 interest for the purpose of applying the consumer protection act,
4 chapter 19.86 RCW. A violation of this chapter is not reasonable in
5 relation to the development and preservation of business, and is an
6 unfair or deceptive act in trade or commerce and an unfair method of
7 competition for the purpose of applying the consumer protection act,
8 chapter 19.86 RCW.
9 NEW SECTION. Sec. 12. (1) This chapter does not apply to:
10 (a) Information that meets the definition of:
11 (i) Protected health information for purposes of the federal
12 health insurance portability and accountability act of 1996 and
13 related regulations;
14 (ii) Health care information collected, used, or disclosed in
15 accordance with chapter 70.02 RCW;
16 (iii) Patient identifying information collected, used, or
17 disclosed in accordance with 42 C.F.R. Part 2, established pursuant
18 to 42 U.S.C. Sec. 290dd-2;
19 (iv) Identifiable private information for purposes of the federal
20 policy for the protection of human subjects, 45 C.F.R. Part 46;
21 identifiable private information that is otherwise information
22 collected as part of human subjects research pursuant to the good
23 clinical practice guidelines issued by the international council for
24 harmonization; the protection of human subjects under 21 C.F.R. Parts
25 50 and 56; or personal data used or shared in research conducted in
26 accordance with one or more of the requirements set forth in this
27 subsection;
28 (v) Information and documents created specifically for, and
29 collected and maintained by:
30 (A) A quality improvement committee for purposes of RCW
31 43.70.510, 70.230.080, or 70.41.200;
32 (B) A peer review committee for purposes of RCW 4.24.250;
33 (C) A quality assurance committee for purposes of RCW 74.42.640
34 or 18.20.390;
35 (D) A hospital, as defined in RCW 43.70.056, for reporting of
36 health care-associated infections for purposes of RCW 43.70.056, a
37 notification of an incident for purposes of RCW 70.56.040(5), or
38 reports regarding adverse events for purposes of RCW 70.56.020(2)(b);
39 or
1 (E) A manufacturer, as defined in 21 C.F.R. Sec. 820.3(o), when
2 collected, used, or disclosed for purposes specified in chapter 70.02
3 RCW;
4 (vi) Information and documents created for purposes of the
5 federal health care quality improvement act of 1986, and related
6 regulations;
7 (vii) Patient safety work product for purposes of 42 C.F.R. Part
8 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26;
9 (viii) Information that is (A) deidentified in accordance with
10 the requirements for deidentification set forth in 45 C.F.R. Part
11 164, and (B) derived from any of the health care-related information
12 listed in this subsection (1)(a)(viii);
13 (b) Information originating from, and intermingled to be
14 indistinguishable with, information under (a) of this subsection that
15 is maintained by:
16 (i) A covered entity or business associate as defined by the
17 health insurance portability and accountability act of 1996 and
18 related regulations;
19 (ii) A health care facility or health care provider as defined in
20 RCW 70.02.010; or
21 (iii) A program or a qualified service organization as defined by
22 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;
23 (c) Information used only for public health activities and
24 purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a
25 limited data set, as defined, and is used, disclosed, and maintained
26 in the manner required, by 45 C.F.R. Sec. 164.514; or
27 (d) Identifiable data collected, used, or disclosed in accordance
28 with chapter 43.371 RCW or RCW 69.43.165.
29 (2) Personal information that is governed by and collected, used,
30 or disclosed pursuant to the following regulations, parts, titles, or
31 acts, is exempt from this chapter: (a) The Gramm-Leach-Bliley act (15
32 U.S.C. 6801 et seq.) and implementing regulations; (b) part C of
33 Title XI of the social security act (42 U.S.C. 1320d et seq.); (c)
34 the fair credit reporting act (15 U.S.C. 1681 et seq.); (d) the
35 family educational rights and privacy act (20 U.S.C. 1232g; Part 99
36 of Title 34, C.F.R.); (e) the Washington health benefit exchange and
37 applicable statutes and regulations, including 45 C.F.R. Sec. 155.260
38 and chapter 43.71 RCW; or (f) privacy rules adopted by the office of
39 the insurance commissioner pursuant to chapter 48.02 or 48.43 RCW.
1 (3) The obligations imposed on regulated entities, small
2 businesses, and processors under this chapter does not restrict a
3 regulated entity's, small business's, or processor's ability for
4 collection, use, or disclosure of consumer health data to prevent,
5 detect, protect against, or respond to security incidents, identity
6 theft, fraud, harassment, malicious or deceptive activities, or any
7 activity that is illegal under Washington state law or federal law;
8 preserve the integrity or security of systems; or investigate,
9 report, or prosecute those responsible for any such action that is
10 illegal under Washington state law or federal law.
11 (4) If a regulated entity, small business, or processor processes
12 consumer health data pursuant to subsection (3) of this section, such
13 entity bears the burden of demonstrating that such processing
14 qualifies for the exemption and complies with the requirements of
15 this section.
16 NEW SECTION. Sec. 13. A new section is added to chapter 44.28
17 RCW to read as follows:
18 (1) The joint committee must review enforcement actions, as
19 authorized in section 11 of this act, brought by the attorney general
20 and consumers to enforce violations of this act.
21 (2) The report must include, at a minimum:
22 (a) The number of enforcement actions reported by the attorney
23 general, a consumer, a regulated entity, or a small business that
24 resulted in a settlement, including the average settlement amount;
25 (b) The number of complaints reported, including categories of
26 complaints and the number of complaints for each category, reported
27 by the attorney general, a consumer, a regulated entity, or a small
28 business;
29 (c) The number of enforcement actions brought by the attorney
30 general and consumers, including the categories of violations and the
31 number of violations per category;
32 (e) The number of civil actions where a judge determined the
33 position of the nonprevailing party was frivolous, if any;
34 (f) The types of resources, including associated costs, expended
35 by the attorney general, a consumer, a regulated entity, or a small
36 business for enforcement actions; and
37 (g) Recommendations for potential changes to enforcement
38 provisions of this act.
1 (3) The office of the attorney general shall provide the joint
2 committee any data within their purview that the joint committee
3 considers necessary to conduct the review.
4 (4) The joint committee shall submit a report of its findings and
5 recommendations to the governor and the appropriate committees of the
6 legislature by September 30, 2030.
7 (5) This section expires June 30, 2031.
8 NEW SECTION. Sec. 14. If any provision of this act or its
9 application to any person or circumstance is held invalid, the
10 remainder of the act or the application of the provision to other
11 persons or circumstances is not affected.
12 NEW SECTION. Sec. 15. Sections 1 through 12 of this act
13 constitute a new chapter in Title 19 RCW.
--- END ---
p. 19 ESHB 1155.PL
ENGROSSED SUBSTITUTE HOUSE BILL 1155
68th Legislature
2023 Regular Session
Passed by the House April 17, 2023
Yeas 57 Nays 40
Speaker of the House of
Representatives
Passed by the Senate April 5, 2023
Yeas 27 Nays 21
President of the Senate
CERTIFICATE
I, Bernard Dean, Chief Clerk of the
House of Representatives of the
State of Washington, do hereby
certify that the attached is
ENGROSSED SUBSTITUTE HOUSE BILL
1155 as passed by the House of
Representatives and the Senate on
the dates hereon set forth.
Chief Clerk
Approved FILED
Governor of the State of Washington
Secretary of State
State of Washington
1 AN ACT Relating to the collection, sharing, and selling of
2 consumer health data; adding a new section to chapter 44.28 RCW;
3 adding a new chapter to Title 19 RCW; and providing an expiration
date.4
5 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
6 NEW SECTION. Sec. 1. This act may be known and cited as the
7 Washington my health my data act.
8 NEW SECTION. Sec. 2. (1) The legislature finds that the people
9 of Washington regard their privacy as a fundamental right and an
10 essential element of their individual freedom. Washington's
11 Constitution explicitly provides the right to privacy. Fundamental
12 privacy rights have long been and continue to be integral to
13 protecting Washingtonians and to safeguarding our democratic
14 republic.
15 (2) Information related to an individual's health conditions or
16 attempts to obtain health care services is among the most personal
17 and sensitive categories of data collected. Washingtonians expect
18 that their health data is protected under laws like the health
19 information portability and accountability act (HIPAA). However,
20 HIPAA only covers health data collected by specific health care
ENGROSSED SUBSTITUTE HOUSE BILL 1155
AS AMENDED BY THE SENATE
Passed Legislature - 2023 Regular Session
State of Washington 68th Legislature 2023 Regular Session
By House Civil Rights & Judiciary (originally sponsored by
Representatives Slatter, Street, Reed, Ryu, Berg, Alvarado, Taylor,
Bateman, Ramel, Senn, Goodman, Fitzgibbon, Macri, Simmons, Reeves,
Lekanoff, Orwall, Duerr, Thai, Gregerson, Wylie, Ortiz-Self, Stonier,
Pollet, Riccelli, Donaghy, Fosse, and Ormsby; by request of Attorney
General)
READ FIRST TIME 02/07/23.
p. 1 ESHB 1155.PL
1 entities, including most health care providers. Health data collected
2 by noncovered entities, including certain apps and websites, are not
3 afforded the same protections. This act works to close the gap
4 between consumer knowledge and industry practice by providing
5 stronger privacy protections for all Washington consumers' health
data.6
7 (3) With this act, the legislature intends to provide heightened
8 protections for Washingtonian's health data by: Requiring additional
9 disclosures and consumer consent regarding the collection, sharing,
10 and use of such information; empowering consumers with the right to
11 have their health data deleted; prohibiting the selling of consumer
12 health data without valid authorization signed by the consumer; and
13 making it unlawful to utilize a geofence around a facility that
provides health care services.14
15 NEW SECTION. Sec. 3. The definitions in this section apply
16 throughout this chapter unless the context clearly requires
17 otherwise.
18 (1) "Abortion" means the termination of a pregnancy for purposes
other than producing a live birth.19
20 (2) "Affiliate" means a legal entity that shares common branding
21 with another legal entity and controls, is controlled by, or is under
22 common control with another legal entity. For the purposes of this
definition, "control" or "controlled" means:23
24 (a) Ownership of, or the power to vote, more than 50 percent of
25 the outstanding shares of any class of voting security of a company;
26 (b) Control in any manner over the election of a majority of the
27 directors or of individuals exercising similar functions; or
28 (c) The power to exercise controlling influence over the
management of a company.29
30 (3) "Authenticate" means to use reasonable means to determine
31 that a request to exercise any of the rights afforded in this chapter
32 is being made by, or on behalf of, the consumer who is entitled to
33 exercise such consumer rights with respect to the consumer health
data at issue.34
35 (4) "Biometric data" means data that is generated from the
36 measurement or technological processing of an individual's
37 physiological, biological, or behavioral characteristics and that
38 identifies a consumer, whether individually or in combination with
39 other data. Biometric data includes, but is not limited to:
p. 2 ESHB 1155.PL
1 (a) Imagery of the iris, retina, fingerprint, face, hand, palm,
2 vein patterns, and voice recordings, from which an identifier
template can be extracted; or3
4 (b) Keystroke patterns or rhythms and gait patterns or rhythms
that contain identifying information.5
6 (5) "Collect" means to buy, rent, access, retain, receive,
7 acquire, infer, derive, or otherwise process consumer health data in
any manner.8
9 (6)(a) "Consent" means a clear affirmative act that signifies a
10 consumer's freely given, specific, informed, opt-in, voluntary, and
11 unambiguous agreement, which may include written consent provided by
electronic means.12
(b) "Consent" may not be obtained by:13
14 (i) A consumer's acceptance of a general or broad terms of use
15 agreement or a similar document that contains descriptions of
16 personal data processing along with other unrelated information;
17 (ii) A consumer hovering over, muting, pausing, or closing a
given piece of content; or18
19 (iii) A consumer's agreement obtained through the use of
deceptive designs.20
21 (7) "Consumer" means (a) a natural person who is a Washington
22 resident; or (b) a natural person whose consumer health data is
23 collected in Washington. "Consumer" means a natural person who acts
24 only in an individual or household context, however identified,
25 including by any unique identifier. "Consumer" does not include an
individual acting in an employment context.26
27 (8)(a) "Consumer health data" means personal information that is
28 linked or reasonably linkable to a consumer and that identifies the
29 consumer's past, present, or future physical or mental health status.
30 (b) For the purposes of this definition, physical or mental
health status includes, but is not limited to:31
32 (i) Individual health conditions, treatment, diseases, or
diagnosis;33
34 (ii) Social, psychological, behavioral, and medical
interventions;35
(iii) Health-related surgeries or procedures;36
37 (iv) Use or purchase of prescribed medication;
38 (v) Bodily functions, vital signs, symptoms, or measurements of
39 the information described in this subsection (8)(b);
40 (vi) Diagnoses or diagnostic testing, treatment, or medication;
p. 3 ESHB 1155.PL
(vii) Gender-affirming care information;1
2 (viii) Reproductive or sexual health information;
(ix) Biometric data;3
(x) Genetic data;4
5 (xi) Precise location information that could reasonably indicate
6 a consumer's attempt to acquire or receive health services or
supplies;7
8 (xii) Data that identifies a consumer seeking health care
services; or9
10 (xiii) Any information that a regulated entity or a small
11 business, or their respective processor, processes to associate or
12 identify a consumer with the data described in (b)(i) through (xii)
13 of this subsection that is derived or extrapolated from nonhealth
14 information (such as proxy, derivative, inferred, or emergent data by
15 any means, including algorithms or machine learning).
16 (c) "Consumer health data" does not include personal information
17 that is used to engage in public or peer-reviewed scientific,
18 historical, or statistical research in the public interest that
19 adheres to all other applicable ethics and privacy laws and is
20 approved, monitored, and governed by an institutional review board,
21 human subjects research ethics review board, or a similar independent
22 oversight entity that determines that the regulated entity or the
23 small business has implemented reasonable safeguards to mitigate
24 privacy risks associated with research, including any risks
associated with reidentification.25
26 (9) "Deceptive design" means a user interface designed or
27 manipulated with the effect of subverting or impairing user autonomy,
decision making, or choice.28
29 (10) "Deidentified data" means data that cannot reasonably be
30 used to infer information about, or otherwise be linked to, an
31 identified or identifiable consumer, or a device linked to such
32 consumer, if the regulated entity or the small business that
33 possesses such data (a) takes reasonable measures to ensure that such
34 data cannot be associated with a consumer; (b) publicly commits to
35 process such data only in a deidentified fashion and not attempt to
36 reidentify such data; and (c) contractually obligates any recipients
37 of such data to satisfy the criteria set forth in this subsection
(10).38
39 (11) "Gender-affirming care information" means personal
40 information relating to seeking or obtaining past, present, or future
p. 4 ESHB 1155.PL
1 gender-affirming care services. "Gender-affirming care information"
includes, but is not limited to:2
3 (a) Precise location information that could reasonably indicate a
4 consumer's attempt to acquire or receive gender-affirming care
services;5
6 (b) Efforts to research or obtain gender-affirming care services;
or7
8 (c) Any gender-affirming care information that is derived,
9 extrapolated, or inferred, including from nonhealth information, such
10 as proxy, derivative, inferred, emergent, or algorithmic data.
11 (12) "Gender-affirming care services" means health services or
12 products that support and affirm an individual's gender identity
13 including, but not limited to, social, psychological, behavioral,
14 cosmetic, medical, or surgical interventions. "Gender-affirming care
15 services" includes, but is not limited to, treatments for gender
16 dysphoria, gender-affirming hormone therapy, and gender-affirming
surgical procedures.17
18 (13) "Genetic data" means any data, regardless of its format,
19 that concerns a consumer's genetic characteristics. "Genetic data"
includes, but is not limited to:20
21 (a) Raw sequence data that result from the sequencing of a
22 consumer's complete extracted deoxyribonucleic acid (DNA) or a
portion of the extracted DNA;23
24 (b) Genotypic and phenotypic information that results from
analyzing the raw sequence data; and25
26 (c) Self-reported health data that a consumer submits to a
27 regulated entity or a small business and that is analyzed in
connection with consumer's raw sequence data.28
29 (14) "Geofence" means technology that uses global positioning
30 coordinates, cell tower connectivity, cellular data, radio frequency
31 identification, Wifi data, and/or any other form of spatial or
32 location detection to establish a virtual boundary around a specific
33 physical location, or to locate a consumer within a virtual boundary.
34 For purposes of this definition, "geofence" means a virtual boundary
35 that is 2,000 feet or less from the perimeter of the physical
location.36
37 (15) "Health care services" means any service provided to a
38 person to assess, measure, improve, or learn about a person's mental
or physical health, including but not limited to:39
40 (a) Individual health conditions, status, diseases, or diagnoses;
p. 5 ESHB 1155.PL
1 (b) Social, psychological, behavioral, and medical interventions;
(c) Health-related surgeries or procedures;2
(d) Use or purchase of medication;3
4 (e) Bodily functions, vital signs, symptoms, or measurements of
the information described in this subsection;5
6 (f) Diagnoses or diagnostic testing, treatment, or medication;
(g) Reproductive health care services; or7
(h) Gender-affirming care services.8
9 (16) "Homepage" means the introductory page of an internet
10 website and any internet webpage where personal information is
11 collected. In the case of an online service, such as a mobile
12 application, homepage means the application's platform page or
13 download page, and a link within the application, such as from the
14 application configuration, "about," "information," or settings page.
15 (17) "Person" means, where applicable, natural persons,
16 corporations, trusts, unincorporated associations, and partnerships.
17 "Person" does not include government agencies, tribal nations, or
18 contracted service providers when processing consumer health data on
behalf of a government agency.19
20 (18)(a) "Personal information" means information that identifies
21 or is reasonably capable of being associated or linked, directly or
22 indirectly, with a particular consumer. "Personal information"
23 includes, but is not limited to, data associated with a persistent
24 unique identifier, such as a cookie ID, an IP address, a device
25 identifier, or any other form of persistent unique identifier.
26 (b) "Personal information" does not include publicly available
information.27
28 (c) "Personal information" does not include deidentified data.
29 (19) "Precise location information" means information derived
30 from technology including, but not limited to, global positioning
31 system level latitude and longitude coordinates or other mechanisms,
32 that directly identifies the specific location of an individual with
33 precision and accuracy within a radius of 1,750 feet. "Precise
34 location information" does not include the content of communications,
35 or any data generated by or connected to advanced utility metering
36 infrastructure systems or equipment for use by a utility.
37 (20) "Process" or "processing" means any operation or set of
operations performed on consumer health data.38
39 (21) "Processor" means a person that processes consumer health
40 data on behalf of a regulated entity or a small business.
p. 6 ESHB 1155.PL
1 (22) "Publicly available information" means information that (a)
2 is lawfully made available through federal, state, or municipal
3 government records or widely distributed media, and (b) a regulated
4 entity or a small business has a reasonable basis to believe a
5 consumer has lawfully made available to the general public. "Publicly
6 available information" does not include any biometric data collected
7 about a consumer by a business without the consumer's consent.
8 (23) "Regulated entity" means any legal entity that: (a) Conducts
9 business in Washington, or produces or provides products or services
10 that are targeted to consumers in Washington; and (b) alone or
11 jointly with others, determines the purpose and means of collecting,
12 processing, sharing, or selling of consumer health data. "Regulated
13 entity" does not mean government agencies, tribal nations, or
14 contracted service providers when processing consumer health data on
behalf of the government agency.15
16 (24) "Reproductive or sexual health information" means personal
17 information relating to seeking or obtaining past, present, or future
18 reproductive or sexual health services. "Reproductive or sexual
19 health information" includes, but is not limited to:
20 (a) Precise location information that could reasonably indicate a
21 consumer's attempt to acquire or receive reproductive or sexual
health services;22
23 (b) Efforts to research or obtain reproductive or sexual health
services; or24
25 (c) Any reproductive or sexual health information that is
26 derived, extrapolated, or inferred, including from nonhealth
27 information (such as proxy, derivative, inferred, emergent, or
algorithmic data).28
29 (25) "Reproductive or sexual health services" means health
30 services or products that support or relate to a consumer's
31 reproductive system or sexual well-being, including but not limited
to:32
33 (a) Individual health conditions, status, diseases, or diagnoses;
34 (b) Social, psychological, behavioral, and medical interventions;
35 (c) Health-related surgeries or procedures including, but not
limited to, abortions;36
37 (d) Use or purchase of medication including, but not limited to,
medications for the purposes of abortion;38
39 (e) Bodily functions, vital signs, symptoms, or measurements of
the information described in this subsection;40
p. 7 ESHB 1155.PL
1 (f) Diagnoses or diagnostic testing, treatment, or medication;
and2
3 (g) Medical or nonmedical services related to and provided in
4 conjunction with an abortion, including but not limited to associated
5 diagnostics, counseling, supplies, and follow-up services.
6 (26)(a) "Sell" or "sale" means the exchange of consumer health
data for monetary or other valuable consideration.7
8 (b) "Sell" or "sale" does not include the exchange of consumer
9 health data for monetary or other valuable consideration:
10 (i) To a third party as an asset that is part of a merger,
11 acquisition, bankruptcy, or other transaction in which the third
12 party assumes control of all or part of the regulated entity's or the
13 small business's assets that complies with the requirements and
obligations in this chapter; or14
15 (ii) By a regulated entity or a small business to a processor
16 when such exchange is consistent with the purpose for which the
17 consumer health data was collected and disclosed to the consumer.
18 (27)(a) "Share" or "sharing" means to release, disclose,
19 disseminate, divulge, make available, provide access to, license, or
20 otherwise communicate orally, in writing, or by electronic or other
21 means, consumer health data by a regulated entity or a small business
to a third party or affiliate.22
23 (b) The term "share" or "sharing" does not include:
24 (i) The disclosure of consumer health data by a regulated entity
25 or a small business to a processor when such sharing is to provide
26 goods or services in a manner consistent with the purpose for which
27 the consumer health data was collected and disclosed to the consumer;
28 (ii) The disclosure of consumer health data to a third party with
29 whom the consumer has a direct relationship when: (A) The disclosure
30 is for purposes of providing a product or service requested by the
31 consumer; (B) the regulated entity or the small business maintains
32 control and ownership of the data; and (C) the third party uses the
33 consumer health data only at direction from the regulated entity or
34 the small business and consistent with the purpose for which it was
collected and consented to by the consumer; or35
36 (iii) The disclosure or transfer of personal data to a third
37 party as an asset that is part of a merger, acquisition, bankruptcy,
38 or other transaction in which the third party assumes control of all
39 or part of the regulated entity's or the small business's assets and
40 complies with the requirements and obligations in this chapter.
p. 8 ESHB 1155.PL
1 (28) "Small business" means a regulated entity that satisfies one
or both of the following thresholds:2
3 (a) Collects, processes, sells, or shares consumer health data of
4 fewer than 100,000 consumers during a calendar year; or
5 (b) Derives less than 50 percent of gross revenue from the
6 collection, processing, selling, or sharing of consumer health data,
7 and controls, processes, sells, or shares consumer health data of
fewer than 25,000 consumers.8
9 (29) "Third party" means an entity other than a consumer,
10 regulated entity, processor, small business, or affiliate of the
regulated entity or the small business.11
12 NEW SECTION. Sec. 4. (1)(a) Except as provided in subsection
13 (2) of this section, beginning March 31, 2024, a regulated entity and
14 a small business shall maintain a consumer health data privacy policy
15 that clearly and conspicuously discloses:
16 (i) The categories of consumer health data collected and the
17 purpose for which the data is collected, including how the data will
be used;18
19 (ii) The categories of sources from which the consumer health
data is collected;20
21 (iii) The categories of consumer health data that is shared;
22 (iv) A list of the categories of third parties and specific
23 affiliates with whom the regulated entity or the small business
shares the consumer health data; and24
25 (v) How a consumer can exercise the rights provided in section 6
of this act.26
27 (b) A regulated entity and a small business shall prominently
28 publish a link to its consumer health data privacy policy on its
homepage.29
30 (c) A regulated entity or a small business may not collect, use,
31 or share additional categories of consumer health data not disclosed
32 in the consumer health data privacy policy without first disclosing
33 the additional categories and obtaining the consumer's affirmative
34 consent prior to the collection, use, or sharing of such consumer
35 health data.
36 (d) A regulated entity or a small business may not collect, use,
37 or share consumer health data for additional purposes not disclosed
38 in the consumer health data privacy policy without first disclosing
39 the additional purposes and obtaining the consumer's affirmative
p. 9 ESHB 1155.PL
1 consent prior to the collection, use, or sharing of such consumer
2 health data.
3 (e) It is a violation of this chapter for a regulated entity or a
4 small business to contract with a processor to process consumer
5 health data in a manner that is inconsistent with the regulated
6 entity's or the small business's consumer health data privacy policy.
7 (2) A small business must comply with this section beginning June
8 30, 2024.
9 NEW SECTION. Sec. 5. (1)(a) Except as provided in subsection
10 (2) of this section, beginning March 31, 2024, a regulated entity or
11 a small business may not collect any consumer health data except:
12 (i) With consent from the consumer for such collection for a
13 specified purpose; or
14 (ii) To the extent necessary to provide a product or service that
15 the consumer to whom such consumer health data relates has requested
16 from such regulated entity or small business.
17 (b) A regulated entity or a small business may not share any
18 consumer health data except:
19 (i) With consent from the consumer for such sharing that is
20 separate and distinct from the consent obtained to collect consumer
21 health data; or
22 (ii) To the extent necessary to provide a product or service that
23 the consumer to whom such consumer health data relates has requested
24 from such regulated entity or small business.
25 (c) Consent required under this section must be obtained prior to
26 the collection or sharing, as applicable, of any consumer health
27 data, and the request for consent must clearly and conspicuously
28 disclose: (i) The categories of consumer health data collected or
29 shared; (ii) the purpose of the collection or sharing of the consumer
30 health data, including the specific ways in which it will be used;
31 (iii) the categories of entities with whom the consumer health data
32 is shared; and (iv) how the consumer can withdraw consent from future
33 collection or sharing of the consumer's health data.
34 (d) A regulated entity or a small business may not unlawfully
35 discriminate against a consumer for exercising any rights included in
36 this chapter.
37 (2) A small business must comply with this section beginning June
38 30, 2024.
p. 10 ESHB 1155.PL
1 NEW SECTION. Sec. 6. (1)(a) Except as provided in subsection
2 (2) of this section, beginning March 31, 2024, a consumer has the
3 right to confirm whether a regulated entity or a small business is
4 collecting, sharing, or selling consumer health data concerning the
5 consumer and to access such data, including a list of all third
6 parties and affiliates with whom the regulated entity or the small
7 business has shared or sold the consumer health data and an active
8 email address or other online mechanism that the consumer may use to
9 contact these third parties.
10 (b) A consumer has the right to withdraw consent from the
11 regulated entity's or the small business's collection and sharing of
12 consumer health data concerning the consumer.
13 (c) A consumer has the right to have consumer health data
14 concerning the consumer deleted and may exercise that right by
15 informing the regulated entity or the small business of the
16 consumer's request for deletion.
17 (i) A regulated entity or a small business that receives a
18 consumer's request to delete any consumer health data concerning the
19 consumer shall:
20 (A) Delete the consumer health data from its records, including
21 from all parts of the regulated entity's or the small business's
22 network, including archived or backup systems pursuant to (c)(iii) of
23 this subsection; and
24 (B) Notify all affiliates, processors, contractors, and other
25 third parties with whom the regulated entity or the small business
26 has shared consumer health data of the deletion request.
27 (ii) All affiliates, processors, contractors, and other third
28 parties that receive notice of a consumer's deletion request shall
29 honor the consumer's deletion request and delete the consumer health
30 data from its records, subject to the same requirements of this
31 chapter.
32 (iii) If consumer health data that a consumer requests to be
33 deleted is stored on archived or backup systems, then the request for
34 deletion may be delayed to enable restoration of the archived or
35 backup systems and such delay may not exceed six months from
36 authenticating the deletion request.
37 (d) A consumer may exercise the rights set forth in this chapter
38 by submitting a request, at any time, to a regulated entity or a
39 small business. Such a request may be made by a secure and reliable
40 means established by the regulated entity or the small business and
p. 11 ESHB 1155.PL
1 described in its consumer health data privacy policy. The method must
2 take into account the ways in which consumers normally interact with
3 the regulated entity or the small business, the need for secure and
4 reliable communication of such requests, and the ability of the
5 regulated entity or the small business to authenticate the identity
6 of the consumer making the request. A regulated entity or a small
7 business may not require a consumer to create a new account in order
8 to exercise consumer rights pursuant to this chapter but may require
9 a consumer to use an existing account.
10 (e) If a regulated entity or a small business is unable to
11 authenticate the request using commercially reasonable efforts, the
12 regulated entity or the small business is not required to comply with
13 a request to initiate an action under this section and may request
14 that the consumer provide additional information reasonably necessary
15 to authenticate the consumer and the consumer's request.
16 (f) Information provided in response to a consumer request must
17 be provided by a regulated entity and a small business free of
18 charge, up to twice annually per consumer. If requests from a
19 consumer are manifestly unfounded, excessive, or repetitive, the
20 regulated entity or the small business may charge the consumer a
21 reasonable fee to cover the administrative costs of complying with
22 the request or decline to act on the request. The regulated entity
23 and the small business bear the burden of demonstrating the
24 manifestly unfounded, excessive, or repetitive nature of the request.
25 (g) A regulated entity and a small business shall comply with the
26 consumer's requests under subsection (1)(a) through (c) of this
27 section without undue delay, but in all cases within 45 days of
28 receipt of the request submitted pursuant to the methods described in
29 this section. A regulated entity and a small business must promptly
30 take steps to authenticate a consumer request but this does not
31 extend the regulated entity's and the small business's duty to comply
32 with the consumer's request within 45 days of receipt of the
33 consumer's request. The response period may be extended once by 45
34 additional days when reasonably necessary, taking into account the
35 complexity and number of the consumer's requests, so long as the
36 regulated entity or the small business informs the consumer of any
37 such extension within the initial 45-day response period, together
38 with the reason for the extension.
39 (h) A regulated entity and a small business shall establish a
40 process for a consumer to appeal the regulated entity's or the small
p. 12 ESHB 1155.PL
1 business's refusal to take action on a request within a reasonable
2 period of time after the consumer's receipt of the decision. The
3 appeal process must be conspicuously available and similar to the
4 process for submitting requests to initiate action pursuant to this
5 section. Within 45 days of receipt of an appeal, a regulated entity
6 or a small business shall inform the consumer in writing of any
7 action taken or not taken in response to the appeal, including a
8 written explanation of the reasons for the decisions. If the appeal
9 is denied, the regulated entity or the small business shall also
10 provide the consumer with an online mechanism, if available, or other
11 method through which the consumer may contact the attorney general to
12 submit a complaint.
13 (2) A small business must comply with this section beginning June
14 30, 2024.
15 NEW SECTION. Sec. 7. (1) Except as provided in subsection (2)
16 of this section, beginning March 31, 2024, a regulated entity and a
17 small business shall:
18 (a) Restrict access to consumer health data by the employees,
19 processors, and contractors of such regulated entity or small
20 business to only those employees, processors, and contractors for
21 which access is necessary to further the purposes for which the
22 consumer provided consent or where necessary to provide a product or
23 service that the consumer to whom such consumer health data relates
24 has requested from such regulated entity or small business; and
25 (b) Establish, implement, and maintain administrative, technical,
26 and physical data security practices that, at a minimum, satisfy
27 reasonable standard of care within the regulated entity's or the
28 small business's industry to protect the confidentiality, integrity,
29 and accessibility of consumer health data appropriate to the volume
30 and nature of the consumer health data at issue.
31 (2) A small business must comply with this section beginning June
32 30, 2024.
33 NEW SECTION. Sec. 8. (1)(a)(i) Except as provided in subsection
34 (2) of this section, beginning March 31, 2024, a processor may
35 process consumer health data only pursuant to a binding contract
36 between the processor and the regulated entity or the small business
37 that sets forth the processing instructions and limit the actions the
p. 13 ESHB 1155.PL
1 processor may take with respect to the consumer health data it
2 processes on behalf of the regulated entity or the small business.
3 (ii) A processor may process consumer health data only in a
4 manner that is consistent with the binding instructions set forth in
5 the contract with the regulated entity or the small business.
6 (b) A processor shall assist the regulated entity or the small
7 business by appropriate technical and organizational measures,
8 insofar as this is possible, in fulfilling the regulated entity's and
9 the small business's obligations under this chapter.
10 (c) If a processor fails to adhere to the regulated entity's or
11 the small business's instructions or processes consumer health data
12 in a manner that is outside the scope of the processor's contract
13 with the regulated entity or the small business, the processor is
14 considered a regulated entity or a small business with regard to such
15 data and is subject to all the requirements of this chapter with
16 regard to such data.
17 (2) A small business must comply with this section beginning June
18 30, 2024.
19 NEW SECTION. Sec. 9. (1) Except as provided in subsection (6)
20 of this section, beginning March 31, 2024, it is unlawful for any
21 person to sell or offer to sell consumer health data concerning a
22 consumer without first obtaining valid authorization from the
23 consumer. The sale of consumer health data must be consistent with
24 the valid authorization signed by the consumer. This authorization
25 must be separate and distinct from the consent obtained to collect or
26 share consumer health data, as required under section 5 of this act.
27 (2) A valid authorization to sell consumer health data is a
28 document consistent with this section and must be written in plain
29 language. The valid authorization to sell consumer health data must
30 contain the following:
31 (a) The specific consumer health data concerning the consumer
32 that the person intends to sell;
33 (b) The name and contact information of the person collecting and
34 selling the consumer health data;
35 (c) The name and contact information of the person purchasing the
36 consumer health data from the seller identified in (b) of this
37 subsection;
p. 14 ESHB 1155.PL
1 (d) A description of the purpose for the sale, including how the
2 consumer health data will be gathered and how it will be used by the
3 purchaser identified in (c) of this subsection when sold;
4 (e) A statement that the provision of goods or services may not
5 be conditioned on the consumer signing the valid authorization;
6 (f) A statement that the consumer has a right to revoke the valid
7 authorization at any time and a description on how to submit a
8 revocation of the valid authorization;
9 (g) A statement that the consumer health data sold pursuant to
10 the valid authorization may be subject to redisclosure by the
11 purchaser and may no longer be protected by this section;
12 (h) An expiration date for the valid authorization that expires
13 one year from when the consumer signs the valid authorization; and
14 (i) The signature of the consumer and date.
15 (3) An authorization is not valid if the document has any of the
16 following defects:
17 (a) The expiration date has passed;
18 (b) The authorization does not contain all the information
19 required under this section;
20 (c) The authorization has been revoked by the consumer;
21 (d) The authorization has been combined with other documents to
22 create a compound authorization; or
23 (e) The provision of goods or services is conditioned on the
24 consumer signing the authorization.
25 (4) A copy of the signed valid authorization must be provided to
26 the consumer.
27 (5) The seller and purchaser of consumer health data must retain
28 a copy of all valid authorizations for sale of consumer health data
29 for six years from the date of its signature or the date when it was
30 last in effect, whichever is later.
31 (6) A small business must comply with this section beginning June
32 30, 2024.
33 NEW SECTION. Sec. 10. It is unlawful for any person to
34 implement a geofence around an entity that provides in-person health
35 care services where such geofence is used to: (1) Identify or track
36 consumers seeking health care services; (2) collect consumer health
37 data from consumers; or (3) send notifications, messages, or
38 advertisements to consumers related to their consumer health data or
39 health care services.
p. 15 ESHB 1155.PL
1 NEW SECTION. Sec. 11. The legislature finds that the practices
2 covered by this chapter are matters vitally affecting the public
3 interest for the purpose of applying the consumer protection act,
4 chapter 19.86 RCW. A violation of this chapter is not reasonable in
5 relation to the development and preservation of business, and is an
6 unfair or deceptive act in trade or commerce and an unfair method of
7 competition for the purpose of applying the consumer protection act,
8 chapter 19.86 RCW.
9 NEW SECTION. Sec. 12. (1) This chapter does not apply to:
10 (a) Information that meets the definition of:
11 (i) Protected health information for purposes of the federal
12 health insurance portability and accountability act of 1996 and
13 related regulations;
14 (ii) Health care information collected, used, or disclosed in
15 accordance with chapter 70.02 RCW;
16 (iii) Patient identifying information collected, used, or
17 disclosed in accordance with 42 C.F.R. Part 2, established pursuant
18 to 42 U.S.C. Sec. 290dd-2;
19 (iv) Identifiable private information for purposes of the federal
20 policy for the protection of human subjects, 45 C.F.R. Part 46;
21 identifiable private information that is otherwise information
22 collected as part of human subjects research pursuant to the good
23 clinical practice guidelines issued by the international council for
24 harmonization; the protection of human subjects under 21 C.F.R. Parts
25 50 and 56; or personal data used or shared in research conducted in
26 accordance with one or more of the requirements set forth in this
27 subsection;
28 (v) Information and documents created specifically for, and
29 collected and maintained by:
30 (A) A quality improvement committee for purposes of RCW
31 43.70.510, 70.230.080, or 70.41.200;
32 (B) A peer review committee for purposes of RCW 4.24.250;
33 (C) A quality assurance committee for purposes of RCW 74.42.640
34 or 18.20.390;
35 (D) A hospital, as defined in RCW 43.70.056, for reporting of
36 health care-associated infections for purposes of RCW 43.70.056, a
37 notification of an incident for purposes of RCW 70.56.040(5), or
38 reports regarding adverse events for purposes of RCW 70.56.020(2)(b);
39 or
p. 16 ESHB 1155.PL
1 (E) A manufacturer, as defined in 21 C.F.R. Sec. 820.3(o), when
2 collected, used, or disclosed for purposes specified in chapter 70.02
3 RCW;
4 (vi) Information and documents created for purposes of the
5 federal health care quality improvement act of 1986, and related
6 regulations;
7 (vii) Patient safety work product for purposes of 42 C.F.R. Part
8 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26;
9 (viii) Information that is (A) deidentified in accordance with
10 the requirements for deidentification set forth in 45 C.F.R. Part
11 164, and (B) derived from any of the health care-related information
12 listed in this subsection (1)(a)(viii);
13 (b) Information originating from, and intermingled to be
14 indistinguishable with, information under (a) of this subsection that
15 is maintained by:
16 (i) A covered entity or business associate as defined by the
17 health insurance portability and accountability act of 1996 and
18 related regulations;
19 (ii) A health care facility or health care provider as defined in
20 RCW 70.02.010; or
21 (iii) A program or a qualified service organization as defined by
22 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;
23 (c) Information used only for public health activities and
24 purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a
25 limited data set, as defined, and is used, disclosed, and maintained
26 in the manner required, by 45 C.F.R. Sec. 164.514; or
27 (d) Identifiable data collected, used, or disclosed in accordance
28 with chapter 43.371 RCW or RCW 69.43.165.
29 (2) Personal information that is governed by and collected, used,
30 or disclosed pursuant to the following regulations, parts, titles, or
31 acts, is exempt from this chapter: (a) The Gramm-Leach-Bliley act (15
32 U.S.C. 6801 et seq.) and implementing regulations; (b) part C of
33 Title XI of the social security act (42 U.S.C. 1320d et seq.); (c)
34 the fair credit reporting act (15 U.S.C. 1681 et seq.); (d) the
35 family educational rights and privacy act (20 U.S.C. 1232g; Part 99
36 of Title 34, C.F.R.); (e) the Washington health benefit exchange and
37 applicable statutes and regulations, including 45 C.F.R. Sec. 155.260
38 and chapter 43.71 RCW; or (f) privacy rules adopted by the office of
39 the insurance commissioner pursuant to chapter 48.02 or 48.43 RCW.
p. 17 ESHB 1155.PL
1 (3) The obligations imposed on regulated entities, small
2 businesses, and processors under this chapter does not restrict a
3 regulated entity's, small business's, or processor's ability for
4 collection, use, or disclosure of consumer health data to prevent,
5 detect, protect against, or respond to security incidents, identity
6 theft, fraud, harassment, malicious or deceptive activities, or any
7 activity that is illegal under Washington state law or federal law;
8 preserve the integrity or security of systems; or investigate,
9 report, or prosecute those responsible for any such action that is
10 illegal under Washington state law or federal law.
11 (4) If a regulated entity, small business, or processor processes
12 consumer health data pursuant to subsection (3) of this section, such
13 entity bears the burden of demonstrating that such processing
14 qualifies for the exemption and complies with the requirements of
15 this section.
16 NEW SECTION. Sec. 13. A new section is added to chapter 44.28
17 RCW to read as follows:
18 (1) The joint committee must review enforcement actions, as
19 authorized in section 11 of this act, brought by the attorney general
20 and consumers to enforce violations of this act.
21 (2) The report must include, at a minimum:
22 (a) The number of enforcement actions reported by the attorney
23 general, a consumer, a regulated entity, or a small business that
24 resulted in a settlement, including the average settlement amount;
25 (b) The number of complaints reported, including categories of
26 complaints and the number of complaints for each category, reported
27 by the attorney general, a consumer, a regulated entity, or a small
28 business;
29 (c) The number of enforcement actions brought by the attorney
30 general and consumers, including the categories of violations and the
31 number of violations per category;
32 (e) The number of civil actions where a judge determined the
33 position of the nonprevailing party was frivolous, if any;
34 (f) The types of resources, including associated costs, expended
35 by the attorney general, a consumer, a regulated entity, or a small
36 business for enforcement actions; and
37 (g) Recommendations for potential changes to enforcement
38 provisions of this act.
p. 18 ESHB 1155.PL
1 (3) The office of the attorney general shall provide the joint
2 committee any data within their purview that the joint committee
3 considers necessary to conduct the review.
4 (4) The joint committee shall submit a report of its findings and
5 recommendations to the governor and the appropriate committees of the
6 legislature by September 30, 2030.
7 (5) This section expires June 30, 2031.
8 NEW SECTION. Sec. 14. If any provision of this act or its
9 application to any person or circumstance is held invalid, the
10 remainder of the act or the application of the provision to other
11 persons or circumstances is not affected.
12 NEW SECTION. Sec. 15. Sections 1 through 12 of this act
13 constitute a new chapter in Title 19 RCW.
--- END ---
p. 19 ESHB 1155.PL