SafeGuard CEO explains the My Health My Data Act and HIPAA shortcomings.
Washington has recently enacted the My Health My Data Act, which is intended to strengthen protections for consumer health data. The My Health My Data Act, set to be enforced in March 2024, is designed to protect the privacy of health data not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or by other federal and state privacy laws. This new law will affect both businesses and consumers, changing the way in which pertinent health information is collected, stored, and retrieved.
Richy Glassberg, Co-Founder and CEO of SafeGuard Privacy, which AdExchanger named the Best Privacy Technology Vendor for 2023, highlighted the act’s extensive effects, stating, “This impacts companies that collect, disclose, or sell health consumer data [along with] Washington consumers and companies who conduct business operations in Washington.”
Glassberg also noted that, unlike other privacy laws that currently exist, the act has no small business exemption.
Consumer health data under the My Health My Data Act is defined broadly, giving the act expansive coverage of personal consumer data. Any personal data that can reasonably be connected to a consumer’s mental or physical health in the past, present, or future is covered.
This broad definition of consumer health data, combined with the wide range of businesses affected, results in a stringent set of guidelines with which millions of companies must comply.
Among those guidelines is a strict consent requirement to collect and share consumer data. Consumers must opt in to the collection and sharing of their personal health data. The My Health My Data Act gives extremely specific requirements for these opt-ins, which should inform consumers about businesses’ consumer health data practices.
In addition, consumers have the right to know about, access, and delete their data, and to withdraw their consent at any time after they opt in.
For violations of the My Health My Data Act, Glassberg pointed out the “private right of action that could result in numerous individual and class action lawsuits.” For instance, lawsuits could stem from businesses using records to create targeted advertising or for other commercial purposes.
Glassberg also noted the potential effect on large corporations such as Microsoft and Amazon, specifically mentioning their cloud services. The My Health My Data Act could lead to very costly class actions.
Glassberg compared this to the Illinois Biometric law, which also has a private right of action, pointing out that this has resulted in “over a billion dollars in settlements.” A similar outcome may occur in the coming years after the act comes into effect early next year.
Glassberg urged businesses and individuals who handle consumer health information to begin looking closely at their collections, stating that “lots of information you may think is innocuous can be health data” (especially considering the broad guidelines under the My Health My Data Act).
Immediate action is important, as a portion of the act regarding anti-geofencing is already being enforced.
The My Health My Data Act will revolutionize the use, collection, sharing, and sale of consumer health data. How businesses comply and react will be something to pay close attention to come March 2024.