Privacy bill aims to protect health data – If lawmakers pass the My Health, My Data Act, consumers in Washington state will gain new privacy protections for their health data.
The act would prohibit websites and apps from collecting and selling consumer health data without user consent.
The proposed legislation also grants consumers the right to have their health data erased and to withdraw their consent to share it. “Geofencing” technology, including abortion clinics, would also be prohibited around healthcare facilities for purposes such as identifying or messaging a consumer entering the geofenced area.
Healthcare privacy has become more important as states such as Missouri pass abortion bans and seek to limit women’s access to abortions in other states, according to Washington state Rep. Vandana Slatter (D-Redmond), the bill’s House sponsor (HB 1155). Period tracking apps, for example, can reveal information about abortions or miscarriages, and the new law would protect such information. [Privacy bill aims to protect health data]
“Recent attacks on bodily autonomy and reproductive healthcare have demonstrated the critical importance of protecting health data, which is what this bill does,” Slatter told TechNewsForum.
In California, a related bill was signed into law last year that restricts companies from providing data such as search requests in response to out-of-state warrants.
Most healthcare providers’ health data is protected by federal regulations, but consumer apps and websites’ data is not.
According to a recent investigation by STAT News and The Markup, many direct-to-consumer telehealth companies share sensitive medical data with large advertising platforms. Trackers collecting medical intake data were present on 13 of the 50 websites examined, and all but one shared the URLs that people visited as well as their IP addresses.
The Washington state attorney general requested the My Health, My Data Act, which would be enforceable under the state’s Consumer Protection Act. [Privacy bill aims to protect health data]
The act “affects pretty much everyone doing business in Washington, not just healthcare providers,” according to Ari Friedman, a physician at the University of Pennsylvania who studies digital health privacy. According to Friedman, another strength of the legislation is its broad definition of health data, which includes efforts to research health services and supplies.
The draught bill also governs how consent is given, such as requiring websites to obtain separate consent for data collection and sharing, and prohibiting privacy statements from being included in a document with unrelated information.
Friedman, on the other hand, is concerned that the bill may not go far enough.
According to Friedman, consumers should be able to access a website’s services whether or not they accept the privacy policy. “Posting a privacy policy at the bottom of your website and forcing busy, overwhelmed consumers to check a box saying they have read it isn’t really meaningful consent,” he said. [Privacy bill aims to protect health data]
Following a hearing in late January, the House Committee on Civil Rights and Judiciary is revising the bill, which is scheduled for a vote Friday.
Planned Parenthood, the American Civil Liberties Union of Washington, Pro-Choice Washington, the League of Women Voters of Washington, and other organisations have endorsed the legislation.
Andrew Kingman, a representative from the State Privacy and Security Coalition, stated at a hearing last week that the industry group “supports the intent of this bill.” He did, however, object to the draught bill’s definition of consumer health data as being too broad. “Consumers will receive opt-in requests for routine purchases, such as health-related books or various types of clothing,” said Kingman.
The Washington Technology Industry Association’s vice president of governmental and community affairs, Kelly Fukai, has also asked legislators to narrow the definition of consumer health data. “There is no doubt that the subjects highlighted in this legislation are sensitive, important, and on the minds of many Washington residents,” she added. [Privacy bill aims to protect health data]
Responding to industry concerns, Washington Assistant Attorney General Andrea Alegrett stated, “we hope to continue to have ongoing conversations to find a middle ground.” A senate version of the bill (SB5351) is also being considered.
“We’ve been listening and working with stakeholders on this legislation for months,” Slatter said.
If passed, the Washington bill could eventually help set up a regulatory framework and process for comprehensive privacy regulations, according to Friedman, which is something Washington state has struggled with, with little success, in previous legislative sessions.
According to Slatter, health data is in its own category. “This is extremely personal and vulnerable. It could be harmful if we share or sell it,” she explained.
Microsoft, based in Seattle, mentioned the legislation’s broader potential in a recent blog post about its legislative priorities. [Privacy bill aims to protect health data]
“While we still believe that Washingtonians need and deserve comprehensive data privacy protections, we recognise that the issues surrounding health data are particularly important and timely. While we will review the legislation’s details, we are hopeful that enacting data privacy protections in one area will be a step toward comprehensive legislation,” Microsoft stated in the post.
We’ve reached out to Amazon for comment, which provides a growing suite of online health services, and will update this story if we hear back.