Washington passes law requiring consent before companies collect health data

Authored by theverge.com and submitted by Lootcifer-

A new Washington state law will require companies to receive a user’s explicit consent before they can collect, share, or sell their health data. Washington Governor Jay Inslee signed the My Health, My Data bill into law on Thursday, giving users the right to withdraw consent at any time and have their data deleted.

The law should help shield users’ health data from the companies and organizations not included under the HIPAA Privacy Rule, which prevents certain medical providers from disclosing “individually identifiable” health information without consent. The HIPAA Privacy Rule doesn’t cover many of the health apps and sites that collect medical data, allowing them to freely collect and sell this information to advertisers.

Under Washington’s new law, which comes into effect in March 2024, medical apps and sites must ask a user for permission to collect their health data in a nondeceptive manner that “openly communicates a consumer’s freely given, informed, opt-in, voluntary, specific, and unambiguous written consent.” The sites and apps must also disclose what kind of data they plan to collect and whether they plan to sell it. Additionally, the bill will block medical providers from using geofencing to collect location information about the patients who visit the facility.

“My Health, My Data protects the independence and dignity of individuals when they make healthcare decisions,” says Representative Vandana Slatter (D), one of the bill’s backers. “It prevents vulnerabilities in the technological era that are being used to target and exploit consumers who may not be aware of the vast data that everything from our watches and phones collect.”

SneeKeeFahk on April 28th, 2023 at 16:21 UTC »

Sigh, this highlights the issues with these types of things being "states' rights" issues.

Facebook: can we have all your data and sell it to third parties without informing you?

EU: Fuck You, GDPR!

States: Well that depends, what county do you live in? What subdivision?

AZ1476 on April 28th, 2023 at 15:46 UTC »

Washington STATE, just in case anyone doesn’t read the article and assumes this was a federal thing. I’m curious if other states have similar laws in the works.

pistcow on April 28th, 2023 at 15:20 UTC »

we've updated our terms and conditions