Suite of New Laws in Washington Aim to Strengthen Reproductive Health Privacy Protections
By Jennifer K. Wagner, J.D., Ph.D.
While people tend to think of California as the state leading the nation on comprehensive data privacy law protections (with CCPA and CPRA) and Illinois as the state leading the way on biometric-specific data protections (with BIPA), Washington is worthy of similar attention for its adoption of meaningful reproductive health privacy protections. On April 27, 2023, Washington Governor Jay Inslee signed a suite of bills into law that strengthens reproductive health privacy protections. Because these laws have ramifications extending outside of the state, it is important for Pennsylvania attorneys to be familiar with them.
As this blog has detailed previously, the June 2022 U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization introduced extensive digital health privacy risks for everyone across the country. These risks are widely acknowledged to be particularly acute and intense for individuals who could become pregnant, individuals using a wide array of consumer health apps and wearables, and individuals from vulnerable communities or groups historically affected by healthcare and health disparities. The decision prompted the Department of Health and Human Services (DHHS) Office of Civil Rights (OCR) to quickly issue clarifying guidance regarding the HIPAA Privacy Rule. On April 12, 2023, DHHS OCR announced its issuance of a notice of proposed rulemaking that would further strengthen reproductive health privacy protections available under federal law by narrowing the law enforcement exception (45 CFR §164.512(f)).
The five new laws adopted in Washington just two weeks later boost privacy protections and reproductive health protections necessary for the Dobbs era and specifically include (1) the “My Health, My Data” Act, ESHB 1155; (2) the “Shield Law,” ESHB 1469; (3) an act regarding medical licensing, ESHB 1340; (4) an act regarding cost-sharing, SB 5242; and (5) an act regarding access to certain medications by mail, SB 5768. Given the direct focus of the first two on data privacy (as opposed to decisional privacy), those are worth further discussion.
The “My Health, My Data” Act (or MHMDA) is impressive. It acknowledges the reality of the modern datafied culture in which we live: that is, that digital data of all sorts and perhaps in any setting could have health relevance and pose health privacy-related risks even if those data are not collected or used for health purposes by the company possessing those data. Some critics consider this a mistaken approach, believe the definition of “consumer health data” will be a compliance challenge, and warn of looming “consent fatigue.” A thorough overview of the MHMDA is available elsewhere, but here is a summary of its key aspects:
- When does it take effect? Most compliance is expected by March 31, 2024, but compliance for small businesses is required by June 30, 2024.
- Who is protected and who must comply? The law applies to businesses operating within Washington, which offers protections to individuals who live elsewhere if their data are collected by Washington businesses. Also, it applies to businesses targeting Washington consumers, which means businesses located both in and out of Washington have compliance obligations. Compliance obligations are not tied to the size of the business, whether measured by a gross annual revenue threshold or a number-of-customers threshold. (By contrast, compliance with California’s CCPA/CPRA is tied to whether businesses have at least $25 million gross annual revenue, are involved with buying/selling/sharing personal data of at least 100,000 CA residents, or derive at least 50% of their annual revenue from selling CA residents’ personal information.)
- What data are covered? The law has a broad definitional scope for what data are subject to the law’s protections. It defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” It offers a lengthy, non-exhaustive list of items that would be considered illustrative of “physical or mental health status,” including conditions, treatment, diseases, and diagnoses; various health-related interventions and procedures (like surgeries or medications); bodily measurements; biometric and genetic data; various data that could reveal that an individual is seeking health services or products (such as precise location data showing someone’s position within a radius of 1,750 feet); non-health data from which health information can be inferred; and, specifically, gender-affirming care information or reproductive/sexual health information. The law carves out much scientific research data as not being considered “consumer health data” provided certain conditions are met, and the law expressly exempts data otherwise covered by the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Social Security Act, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act, among others.
- What does the law do? It mandates transparency—i.e., a privacy policy must be maintained and contain clear and conspicuous disclosure of five different elements: what consumer health data are collected, the purposes for which the consumer health data are collected, the consumer health data that are shared, a list of third-parties with which the consumer health data are shared, and how consumers can exercise their MHMDA rights over their consumer health data. It prohibits collection or sharing of consumer health data without consent and also prohibits the sale of consumer health data to third parties without the consumer’s authorization. The law imposes obligations to establish administrative, physical, and technical security safeguards for consumer health data and also imposes limits on geofencing around healthcare facilities. It allows consumers to withdraw their consent and gives consumers the right to request their consumer health data be deleted. Businesses have 45 days to comply with consumer MHMDA requests. It also contains a provision that prohibits businesses from discriminating against consumers who exercise their MHMDA rights. Finally, the law establishes a joint committee to keep a close watch on the law’s implementation and effects and to issue a report to the governor and legislature by September 2030 that includes its recommendations for any appropriate changes to the law.
- How is the law enforced? The law can be enforced by individuals through a private cause of action as well as by the state’s Attorney General pursuant to its general consumer protection act.
The Shield Law (ESHB 1469) was introduced as a companion to the My Health, My Data Act as a “robust legal response” to other states that have used the Dobbs decision to push forward forced birth laws with criminal and civil liability. Recognizing that states (such as Texas, Oklahoma, and Idaho) have “bounty” laws incentivizing private citizens to sue licensed medical professionals providing certain reproductive health services and also that several states (including Florida, Idaho, North Dakota, South Carolina, South Dakota, Tennessee, West Virginia, and Wyoming) have ushered in new forced birth laws that ban all or most abortions, legislators in Washington have sought to close the legal loopholes and gaps in health information privacy laws that would put individuals at substantial risk. Medical professionals (including genetic counselors and OB-GYN doctors) have been worried about the possibility that they could face criminal or civil court action simply for performing their jobs even in places where abortion and other reproductive health services are legal should that information become subject to law enforcement investigations. Some states have been trying to assuage those fears. For example, in 2022 Connecticut enacted a safe harbor law (HB 5414) and Michigan Governor Gretchen Whitmer signed an executive order to protect medical providers in Michigan from extradition orders. The shield law just passed in Washington takes aim at obligations regarding other states’ criminal and civil process.
- What does the shield law do? It shields both patients and providers from out-of-state prosecutions and shields providers from threats or harassment related to protected reproductive health services (such as abortions or gender-affirming care). The law prohibits compliance with out-of-state subpoenas related to protected reproductive health services and prevents cooperation with out-of-state investigations. It also bans extraditions related to abortion and gender-affirming care services that are legally performed in Washington. It creates a cause of action for interference with a patient’s attempted receipt of or a provider’s attempted provision of protected reproductive health services, allowing recovery of actual damages including court costs, attorney’s fees necessary to defend the underlying action, and up to $10,000 in statutory damages if underlying actions are deemed to be frivolous.
- When does it take effect? The law contained an emergency clause which allows it to take immediate effect (April 27, 2023).
The shield law acknowledges the connection it has to the extradition/rendition clause found in Article IV, Section 2, Clause 2 of the U.S. Constitution. It is plausible that critics of the Washington shield law (as well as critics of other efforts to protect patients and providers of reproductive health services from criminal and civil liability in hostile states) will rely upon that constitutional provision as the basis for a legal challenge; however, it is apt to consider, as legal scholar Christopher Lasch wrote over a decade ago (in the context of Civil War era Northern resistance to extraditions involving slavery), that “rendition resistance” in the name of civil rights allows us to “differentiate between fugitives from justice and fugitives to justice.”
Washington is not alone in passing its shield law. For example, Colorado enacted SB 23-188 in April 2023 that includes some similar provisions. A bill in Pennsylvania, H.B. 924 introduced on April 17, 2023 as the “Women’s Reproductive Health Care Compact Act,” would address some similar issues; however, a robust effort to strengthen reproductive health privacy protections similar to what Washington has now achieved with the My Health, My Data Act and the Shield Act has not yet taken shape or gained momentum in Pennsylvania.
Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also is Assistant Professor of Law, Policy, and Engineering at Penn State University. She has been a member of the PBA Cybersecurity & Data Privacy Committee since 2018, is a former contributing editor of the Genomics Law Report, and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Science; Nature Communications; Nature Medicine; American Journal of Human Genetics; Human Genetics and Genomics Advances; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer. Views expressed are her own.