{"id":541,"date":"2023-06-26T12:00:55","date_gmt":"2023-06-26T16:00:55","guid":{"rendered":"https:\/\/pbacyber.com\/?p=541"},"modified":"2023-06-26T12:00:55","modified_gmt":"2023-06-26T16:00:55","slug":"suite-of-new-laws-in-washington-aim-to-strengthen-reproductive-health-privacy-protections","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2023\/06\/26\/suite-of-new-laws-in-washington-aim-to-strengthen-reproductive-health-privacy-protections\/","title":{"rendered":"Suite of New Laws in Washington Aim to Strengthen Reproductive Health Privacy Protections"},"content":{"rendered":"<p>By Jennifer K. Wagner, J.D., Ph.D.<\/p>\n<p>&nbsp;<\/p>\n<p>While people tend to think of California as the state leading the nation on comprehensive data privacy law protections (with <a href=\"https:\/\/oag.ca.gov\/privacy\/ccpa\">CCPA and CPRA<\/a>) and Illinois as the state leading the way on <a href=\"https:\/\/pbacyber.com\/index.php\/2022\/05\/27\/current-status-of-biometrics-data-protections-within-and-beyond-pennsylvania\/\">biometric-specific data protections<\/a> (with <a href=\"https:\/\/www.ilga.gov\/legislation\/ilcs\/ilcs3.asp?ActID=3004&amp;ChapterID=57\">BIPA<\/a>), Washington is worthy of similar attention for its adoption of meaningful reproductive health privacy protections. On April 27, 2023, Washington Governor Jay Inslee <a href=\"https:\/\/medium.com\/wagovernor\/inslee-signs-laws-to-protect-reproductive-health-and-gender-affirming-care-db8917021cd7\">signed<\/a> a suite of bills into law that strengthens reproductive health privacy protections. Because these laws have ramifications extending outside of the state, it is important for Pennsylvania attorneys to be familiar with them.<\/p>\n<p>&nbsp;<\/p>\n<p>As <a href=\"https:\/\/pbacyber.com\/index.php\/2022\/06\/01\/a-post-roe-future-presents-heightened-data-privacy-risks-with-femtech\/\">this blog has detailed previously<\/a>, the June 2022 U.S. 
Supreme Court decision in <a href=\"https:\/\/www.supremecourt.gov\/opinions\/21pdf\/19-1392_6j37.pdf\"><em>Dobbs v. Jackson Women\u2019s Health Organization<\/em><\/a> introduced extensive digital health privacy risks for everyone across the country. These risks are widely acknowledged to be particularly acute and intense for individuals who could become pregnant, individuals using a wide array of consumer health apps and wearables, and individuals from vulnerable communities or groups historically affected by healthcare and health disparities. The decision prompted the Department of Health and Human Services (DHHS) Office of Civil Rights (OCR) to quickly <a href=\"https:\/\/pbacyber.com\/index.php\/2022\/07\/27\/updated-dhhs-ocr-guidance-on-health-information-privacy-after-dobbs\/\">issue clarifying guidance<\/a> regarding the HIPAA Privacy Rule. On April 12, 2023, DHHS OCR <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/regulatory-initiatives\/hipaa-reproductive-health-fact-sheet\/index.html\">announced<\/a> its issuance of a <a href=\"https:\/\/www.federalregister.gov\/documents\/2023\/04\/17\/2023-07517\/hipaa-privacy-rule-to-support-reproductive-health-care-privacy\">notice of proposed rulemaking<\/a> that would further strengthen reproductive health privacy protections available under federal law by narrowing the law enforcement exception (<a href=\"https:\/\/www.law.cornell.edu\/cfr\/text\/45\/164.512\">45 CFR \u00a7164.512(f)<\/a>).<\/p>\n<p>&nbsp;<\/p>\n<p>The five new laws adopted in Washington just two weeks later boost privacy protections and reproductive health protections necessary for the <em>Dobbs<\/em> era and specifically include (1) the \u201cMy Health, My Data\u201d Act, <a href=\"https:\/\/app.leg.wa.gov\/billsummary?BillNumber=1155&amp;Year=2023\">ESHB 1155<\/a>; (2) the \u201cShield Law,\u201d <a href=\"https:\/\/app.leg.wa.gov\/billsummary?BillNumber=1469&amp;Initiative=false&amp;Year=2023\">ESHB 1469<\/a>; (3) an act regarding medical 
licensing, <a href=\"https:\/\/app.leg.wa.gov\/billsummary?BillNumber=1340&amp;Initiative=false&amp;Year=2023\">ESHB 1340<\/a>; (4) an act regarding cost-sharing, <a href=\"https:\/\/app.leg.wa.gov\/billsummary?BillNumber=5242&amp;Initiative=false&amp;Year=2023\">SB 5242<\/a>; and (5) an act regarding access to certain medications by mail, <a href=\"https:\/\/app.leg.wa.gov\/billsummary?BillNumber=5768&amp;Initiative=false&amp;Year=2023\">SB 5768<\/a>. Given the direct focus of the first two on data privacy (as opposed to decisional privacy), those are worth further discussion.<\/p>\n<p>&nbsp;<\/p>\n<p>The \u201cMy Health, My Data\u201d Act (or MHMDA) is impressive. It acknowledges the reality of the modern datafied culture in which we live: that is, that digital data of all sorts and perhaps in any setting could have health relevance and pose health privacy-related risks even if those data are not collected or used for health purposes by the company possessing those data. Some <a href=\"https:\/\/iapp.org\/news\/a\/washingtons-my-health-my-data-act-welcome-to-bipa-2-0\/\">critics<\/a> consider this a mistaken approach, believe the definition of \u201cconsumer health data\u201d will be a compliance challenge, and warn of looming \u201cconsent fatigue.\u201d A <a href=\"https:\/\/iapp.org\/resources\/article\/washington-my-health-my-data-act-overview\/\">thorough overview of the MHMDA<\/a> is available elsewhere, but here is a summary of its key aspects:<\/p>\n<ul>\n<li><strong><em>When does it take effect?<\/em><\/strong> Most compliance is expected by March 31, 2024, but compliance for small businesses is required by June 30, 2024.<\/li>\n<li><strong><em>Who is protected and who must comply?<\/em><\/strong> The law applies to businesses operating within Washington, which offers protections to individuals who live elsewhere if their data are collected by Washington businesses. 
Also, it applies to businesses targeting Washington consumers, which means businesses located both in and out of Washington have compliance obligations. Compliance obligations are <em>not<\/em> tied to the size of the business, whether determined by meeting a gross annual revenue or certain number of customers threshold. (By contrast, compliance with <a href=\"https:\/\/oag.ca.gov\/privacy\/ccpa#:~:text=The CCPA applies to for,, households, or devices%3B or\">California\u2019s CCPA\/CPRA<\/a> is tied to whether businesses have at least $25 million gross annual revenue, are involved with buying\/selling\/sharing personal data of at least 100,000 CA residents, or derive at least 50% of their annual revenue from selling CA residents\u2019 personal information.)<\/li>\n<li><strong><em>What data are covered?<\/em><\/strong> The law has a broad definitional scope for what data are subject to the law\u2019s protections. It defines \u201cconsumer health data\u201d as \u201cpersonal information that is linked or reasonably linkable to a consumer and that identifies the consumer\u2019s past, present, or future physical or mental health status.\u201d It offers a lengthy, non-exhaustive list of items that would be considered illustrative of \u201cphysical or mental health status,\u201d including conditions, treatment, diseases, and diagnoses; various health-related interventions and procedures (like surgeries or medications); bodily measurements; biometric and genetic data; various data that could reveal that an individual is seeking health services or products (such as precise location data showing someone\u2019s position within a radius of 1,750 feet); non-health data from which health information can be inferred; and, specifically, gender-affirming care information or reproductive\/sexual health information. 
The law carves out much scientific research data as not being considered \u201cconsumer health data\u201d provided certain conditions are met, and the law expressly exempts data otherwise covered by the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Social Security Act, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act, among others.<\/li>\n<li><strong><em>What does the law do? <\/em><\/strong>It mandates transparency\u2014i.e., a privacy policy must be maintained and contain clear and conspicuous disclosure of five different elements: what consumer health data are collected, the purposes for which the consumer health data are collected, the consumer health data that are shared, a list of third parties with which the consumer health data are shared, and how consumers can exercise their MHMDA rights over their consumer health data. It prohibits collection or sharing of consumer health data without consent and also prohibits the sale of consumer health data to third parties without the consumer\u2019s authorization. The law imposes obligations to establish administrative, physical, and technical security safeguards for consumer health data and also imposes limits on geofencing around healthcare facilities. It allows consumers to withdraw their consent and gives consumers the right to request their consumer health data be deleted. Businesses have 45 days to comply with consumer MHMDA requests. It also contains a provision that prohibits businesses from discriminating against consumers who exercise their MHMDA rights. Finally, the law establishes a joint committee to keep a close watch on the law\u2019s implementation and effects and to issue a report to the governor and legislature by September 2030 that includes its recommendations for any appropriate changes to the law.<\/li>\n<li><strong><em>How is the law enforced? 
<\/em><\/strong>The law can be enforced by individuals through a private cause of action as well as by <a href=\"https:\/\/www.atg.wa.gov\/\">the state\u2019s Attorney General<\/a> pursuant to its <a href=\"https:\/\/apps.leg.wa.gov\/rcw\/default.aspx?cite=19.86\">general consumer protection act<\/a>.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>The Shield Law (<a href=\"https:\/\/lawfilesext.leg.wa.gov\/biennium\/2023-24\/Pdf\/Bills\/Session%20Laws\/House\/1469-S.SL.pdf#page=1\">ESHB 1469<\/a>) was introduced as a companion to the My Health, My Data Act as a \u201c<a href=\"https:\/\/housedemocrats.wa.gov\/hansen\/2023\/04\/10\/shield-law-passes-wa-senate\/\">robust legal response<\/a>\u201d to other states that have used the <em>Dobbs <\/em>decision to push forward forced birth laws with criminal and civil liability. <a href=\"https:\/\/www.hrw.org\/news\/2023\/04\/18\/human-rights-crisis-abortion-united-states-after-dobbs\">Recognizing<\/a> that states (such as Texas, Oklahoma, and Idaho) have \u201cbounty\u201d laws incentivizing private citizens to sue licensed medical professionals providing certain reproductive health services and also that <a href=\"https:\/\/www.guttmacher.org\/state-legislation-tracker\">several states<\/a> (including Florida, Idaho, North Dakota, South Carolina, South Dakota, Tennessee, West Virginia, and Wyoming) have ushered in new forced birth laws that ban all or most abortions, legislators in Washington have sought to close the legal loopholes and gaps in health information privacy laws that would put individuals at substantial risk. Medical professionals (including genetic counselors and OB-GYN doctors) have been worried about the possibility that they could face criminal or civil court action simply for performing their jobs even in places where abortion and other reproductive health services are legal should that information become subject to law enforcement investigations. Some states have been trying to assuage those fears. 
For example, in 2022 Connecticut enacted <a href=\"https:\/\/www.cnn.com\/2022\/05\/05\/politics\/connecticut-abortion-protection-law-out-of-state-lawsuits\/index.html\">a safe harbor law (HB 5414)<\/a> and Michigan Governor Gretchen Whitmer signed <a href=\"https:\/\/www.michigan.gov\/whitmer\/news\/press-releases\/2022\/07\/13\/whitmer-signs-executive-order-refusing-to-extradite-those-seeking-reproductive-freedom-in-michigan\">an executive order to protect medical providers in Michigan<\/a> from extradition orders. The shield law just passed in Washington takes aim at obligations regarding other states\u2019 criminal and civil process.<\/p>\n<ul>\n<li><strong><em>What does the shield law do?<\/em><\/strong> It shields both patients and providers from out-of-state prosecutions and shields providers from threats or harassment related to protected reproductive health services (such as abortions or gender-affirming care). The law prohibits compliance with out-of-state subpoenas related to protected reproductive health services and prevents cooperation with out-of-state investigations. It also bans extraditions related to abortion and gender-affirming care services that are legally performed in Washington. 
It creates a cause of action for interference with a patient\u2019s attempted receipt of or a provider\u2019s attempted provision of protected reproductive health services, allowing recovery of actual damages including court costs, attorney\u2019s fees necessary to defend the underlying action, and up to $10,000 in statutory damages if underlying actions are deemed to be frivolous.<\/li>\n<li><strong><em>When does it take effect?<\/em><\/strong> The law contained an emergency clause that allows it to take immediate effect (April 27, 2023).<\/li>\n<\/ul>\n<p>The shield law acknowledges the connection it has to the <a href=\"https:\/\/constitution.congress.gov\/browse\/article-4\/section-2\/clause-2\/#:~:text=Clause%202%20Interstate%20Extradition,having%20Jurisdiction%20of%20the%20Crime.\">extradition\/rendition clause<\/a> found in Article IV, Section 2, Clause 2 of the U.S. Constitution. It is plausible that critics of the Washington shield law (as well as critics of other efforts to protect patients and providers of reproductive health services from criminal and civil liability in hostile states) will rely upon that constitutional provision as the basis for a legal challenge; however, it is apt to consider, as <a href=\"https:\/\/scholarship.law.unc.edu\/cgi\/viewcontent.cgi?referer=&amp;httpsredir=1&amp;article=4632&amp;context=nclr\">legal scholar Christopher Lasch wrote<\/a> over a decade ago (in the context of Civil War era Northern resistance to extraditions involving slavery), that \u201crendition resistance\u201d in the name of civil rights allows us to \u201cdifferentiate between fugitives <em>from<\/em> justice and fugitives <em>to<\/em> justice.\u201d<\/p>\n<p>Washington is not alone in passing its shield law. For example, Colorado enacted <a href=\"https:\/\/leg.colorado.gov\/sites\/default\/files\/2023a_188_signed.pdf\">SB 23-188<\/a> in <a href=\"https:\/\/leg.colorado.gov\/bills\/sb23-188\">April 2023<\/a>, which includes some similar provisions. 
A bill in Pennsylvania, <a href=\"https:\/\/www.legis.state.pa.us\/CFDOCS\/Legis\/PN\/Public\/btCheck.cfm?txtType=PDF&amp;sessYr=2023&amp;sessInd=0&amp;billBody=H&amp;billTyp=B&amp;billNbr=0924&amp;pn=0912\">H.B. 924<\/a> introduced on April 17, 2023 as the \u201cWomen\u2019s Reproductive Health Care Compact Act,\u201d would address some similar issues; however, a robust effort to strengthen reproductive health privacy protections similar to what Washington has now achieved with the My Health, My Data Act and the Shield Act has not yet taken shape or gained momentum in Pennsylvania.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also is Assistant Professor of Law, Policy, and Engineering at Penn State University. She has been a member of the PBA Cybersecurity &amp; Data Privacy Committee since 2018, is a former contributing editor of the Genomics Law Report, and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law &amp; Biosciences; Journal of Law, Medicine, &amp; Ethics; Albany Law Journal of Science &amp; Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Science; Nature Communications; Nature Medicine; American Journal of Human Genetics; Human Genetics and Genomics Advances; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator\u2019s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer. Views expressed are her own.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Jennifer K. Wagner, J.D., Ph.D. 
&nbsp; While people tend to think of California as the state leading the nation on comprehensive data privacy law protections (with CCPA and CPRA) and Illinois as the state leading the way on biometric-specific data protections (with BIPA), Washington is worthy of similar attention for its adoption of meaningful <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2023\/06\/26\/suite-of-new-laws-in-washington-aim-to-strengthen-reproductive-health-privacy-protections\/\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,10],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/541"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=541"}],"version-history":[{"count":3,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/541\/revisions"}],"predecessor-version":[{"id":544,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/541\/revisions\/544"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}