With the new Washington state My Health My Data Act, you may wonder if any exceptions or exemptions apply to your organization (for an overview of the law, see here).
As a reminder, the definition of consumer health data is broad: “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status” (the definition includes as an enumerated example any information that is derived from non-health information). But “consumer” excludes individuals acting in an employment context. Outside of the broad exclusion of employment context data, the My Health My Data Act’s list of exceptions and exemptions is long but is focused mainly on specific medical and health care contexts where health data is more narrowly defined or otherwise another specific law applying to processing of the data.
Data Level
Certain information that would satisfy the definition of consumer health data is not protected because processing of such information is regulated under another law. The My Health My Data Act does not apply to information that meets the definition of:
- Protected health information for purposes of the federal health insurance portability and accountability act of 1996 and related regulations;
- Health care information collected, used, or disclosed in accordance with chapter 70.02 RCW; (Chapter 70.02 RCW “Medical Records—Health Care Information Access and Disclosure” establishes a number of safeguards to protect the privacy of medical records);
- Patient identifying information collected, used, or disclosed in accordance with 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2 (42 CFR Part 2 “Confidentiality of Substance Use Disorder Patient Records” regulates the conditions under which individuals can access their own substance use disorder patient records, as well as the conditions under which substance use disorder patient records can be disclosed to third parties);
- Identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization; the protection of human subjects under 21 C.F.R. Parts 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the requirements set forth in Sec. 12 (1) (a) (iv) of the act (this bullet point) (45 C.F.R. Part 46 regulates the protection of human subjects in research to provide basic protections to human subjects involved in both biomedical and behavioral research conducted or supported by the Department of Health & Human Services);
- Information and documents created specifically for, and collected and maintained by:
- A quality improvement committee for purposes of RCW 43.70.510, 70.230.080, or 70.41.200 (RCW 43.70.510 “Health Care Services Coordinated Quality Improvement Program—Rules” is designed to improve the quality of health care services in Washington by promoting cooperation and collaboration among healthcare providers; RCW 70.230.080 regulates the coordinated quality improvement program for ambulatory surgical facilities; RCW 70.41.200 regulates the quality improvement and medical malpractice prevention program for hospitals in Washington);
- A peer review committee for purposes of RCW 4.24.250 (RCW 4.24.250 regulates the immunity of health care providers who file charges or present evidence to a professional review committee);
- A quality assurance committee for purposes of RCW 74.42.640 or 18.20.390 (RCW 74.42.640 and RCW 18.20.390 regulate the creation and operation of quality assurance committees in nursing homes and assisted living facilities in Washington);
- A hospital, as defined in RCW 43.70.056, for reporting of health care-associated infections for purposes of RCW 43.70.056, a notification of an incident for purposes of RCW 70.56.040(5), or reports regarding adverse events for purposes of RCW 70.56.020(2)(b) (RCW 43.70.056 regulates the reporting of healthcare-associated infections by acute care hospitals; RCW 70.56.040(5) regulates the notification of incidents by medical facilities and health care workers to an independent entity; and RCW 70.56.020(2)(b) regulates the reporting of adverse events by medical facilities to the Department of Health); or
- A manufacturer, as defined in 21 C.F.R. Sec. 820.3(o) (in Food and Drug Administration Department of Health and Human Services Subchapter H – Medical Devices), when collected, used, or disclosed for purposes specified in chapter 70.02 RCW.
- Information and documents created for purposes of the federal health care quality improvement act of 1986, and related regulations;
- Patient safety work product for purposes of 42 C.F.R. Part 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26; (42 C.F.R. Part 3 regulates the confidentiality and privilege protections of patient safety work product);
- Information that is (A) deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164, and (B) derived from any of the health care-related information listed in Sec. 12 (1) (a) (viii) of the act (this bullet point) (45 C.F.R. Part 164 regulates the privacy and security of protected health information held by covered entities and their business associates);
- Information used only for public health activities and purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a limited data set, as defined, and is used, disclosed, and maintained in the manner required, by 45 C.F.R. Sec. 164.514; or
- Identifiable data collected, used, or disclosed in accordance with chapter 43.371 RCW or RCW 69.43.165. (43.371 RCW regulates the establishment and operation of a statewide all-payer health care claims database; RCW 69.43.165 regulates the use of an electronic sales tracking system to monitor the sale of ephedrine, pseudoephedrine, and phenylpropanolamine).
And the following consumer health data is not protected if it is governed by and collected, used, or disclosed pursuant to the following regulations, parts, titles, or acts:
- The Gramm-Leach-Bliley act (15 U.S.C. 6801 et seq.) and implementing regulations (The Gramm-Leach-Bliley act governs the treatment of nonpublic personal information about consumers by financial institutions);
- Part C of Title XI of the social security act (42 U.S.C. 1320d et seq.);
- The fair credit reporting act (15 U.S.C. 1681 et seq.) (The Fair Credit Reporting Act governs access to consumer credit report records and the privacy of personal information assembled by Credit Reporting Agencies);
- The family educational rights and privacy act (20 U.S.C. 1232g; Part 99 of Title 34, C.F.R.) (FERPA protects students with respect to their education records);
- The Washington health benefit exchange and applicable statutes and regulations, including 45 C.F.R. Sec. 155.260 and chapter 43.71 RCW; or
- Privacy rules adopted by the office of the insurance commissioner pursuant to chapter 48.02 or 48.43 RCW.
Entity Level
Certain information is not protected because it originates from, and is intermingled to be indistinguishable with, information subject to certain data level exemptions or exceptions that is maintained by:
- A covered entity or business associate as defined by the health insurance portability and accountability act of 1996 and related regulations;
- A health care facility or health care provider as defined in RCW 70.02.010; or
- A program or a qualified service organization as defined by 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2.
Security and Compliance
Beyond the data and entity level exceptions and exemptions above, the obligations imposed on regulated entities (including small businesses) and processors do not restrict such entities’ ability to collect, use, or disclose consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law. Those seeking to rely on the security and compliance exemption bears the burden of demonstrating that such processing qualifies for the exemption.
Outlook
Consumer health data is broadly defined. Outside of the employment and security and compliance context, exceptions and exemptions only apply if (i) another specific law applies or (ii) if data is mixed with data subject to another law and processed by particular types of regulated entities. Taken together, for a majority of businesses that are not subject to the specific laws enumerated above, the applicability of the My Health My Data Act therefore will likely be determined by what personal information they collect about persons in Washington. Applicability will be determined by just how broadly consumer health data will be understood. With the act’s prescriptive requirements and private right of action, businesses should assess applicability now and keep in mind the requirements related to consumer health data in the already operative amendments to Connecticut law (summary here) and the requirements in the Nevada consumer health law (summary here).