A new Washington State bill works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers’ health data.
The bill provides heightened protections for Washingtonians’ health data by requiring additional disclosures and consumer consent regarding the collection, sharing, and use of such information. It also empowers consumers with the right to have their health data deleted, prohibits the selling of consumer health data, and makes it unlawful to utilize a geofence around a facility that provides health care services.
The bill applies to any legal entity that: conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; collects, shares, or sells consumer health data; and determines the purpose and means of the processing of consumer health data. The bill uses the GDPR definition of consent: “a clear affirmative act by a consumer that openly communicates a consumer’s freely given, informed, opt-in, voluntary, specific, and unambiguous written consent, which may include written consent provided by electronic means.” The bill uses the CPRA et al. definition of deidentification. A detailed privacy disclosure is required. You can’t collect, use, or share information for an additional purpose without first disclosing and getting consent. You can only collect health information if strictly necessary for the service or if you got consent. There are rights to confirm processing and deletion, as well as the right to revoke consent. A processing agreement is