Privacy & Information Security Law Blog

On April 27, 2023, Washington adopted the My Health My Data Act (“WMHMDA”). Most of the law’s provisions are not effective until March 31, 2024 (or June 30, 2024 for small businesses). The law’s geofencing prohibition, however, is set to take effect on July 23, 2023. The prohibition is part of stringent requirements that Washington added when it became the first state to enact a comprehensive consumer health information privacy law in the United States.

The WMHMDA prohibits any “person” (including entities or individuals) from implementing a geofence around an entity that provides in-person health care services where the geofence is used to: (1) identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages or advertisements to consumers relating to their consumer health data or health care services.

“Geofence” under the law means a virtual boundary that uses spatial or location detection technology and is 2,000 feet or less from the perimeter of the physical location. Notably, the law defines health care services and consumer health data very broadly.

• “Health care services” means any service provided to a person to assess, measure, improve or learn about a person’s mental or physical health, including but not limited to individual health conditions or status; social, psychological, behavioral and medical interventions; use or purchase of medication (which does not expressly exclude non-prescription medication); bodily functions, vital signs, symptoms or measurements of such information; diagnoses or diagnostic testing, treatment or medication; reproductive health care services; or gender-affirming care services.
• “Consumer health data” means personal information that is linked or reasonably linkable to a consumer and that identifies a consumer’s past, present or future “physical or mental health status,” which includes, for example, individual health conditions, treatment, diseases or diagnosis and use or purchase of prescribed medications, as well as precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.

Importantly, the WMHMDA provides for a private right of action in addition to regulatory enforcement.