Propel provides innovative insurance solutions to thousands of companies across the country. We make it our business to know your world inside and out.
Cyber Security, Insights, Senior Care
My Health My Data Act
A new chapter in Washington state’s regulation of health data went into effect April 1, 2024.
This new regulation was determined as needed due to advances in technologies involving collection of health data for market targeting and the portability of collection and sharing. Most health-related commercial data collection does not meet the criteria of Health Insurance Portability and Accountability Act (HIPAA), and health-related data is being managed through devices, apps, and online services now more than ever.
My Health My Data Act protects the consumer from casual collection and use of health information without knowledge and consent of the consumer. This law will require companies to focus on and strengthen data security, driven by policy as well as acknowledgement by posting a detailed consumer health data privacy policy on their website.
Consumer health data is personal information linked or reasonably linkable to a consumer, identifying their past, present, or future physical or mental health status.
Senior Living care communities not currently subject to HIPAA, such as independent living or private pay assisted living, which receive or obtain information from residents through wellness programs or information about pre-existing conditions, health status, or medications may be subject to this regulation.
The My Health My Data Act also requires covered entities to obtain an opt-in consent before sharing or processing any health data and further restricts any downstream use of health data by requiring companies to develop and execute specific responsibility contracts with third parties. Geofencing is referenced as a tool used in marketing to identify potential consumers based on proximity and limits the use of this information collecting tool within 2000 feet of an entity providing in-person healthcare service if is used to identify and track consumers or send notification or advertisements related to health data.
What are the first steps?
- Familiarize yourself with My Health My Data Act.
- Determine if this new regulation applies to your business model.
- Complete an internal risk evaluation to identify what data is collected, how it is collected, how it is protected, and how it is used.
- Plan for compliance requirements:
- Review existing data processing agreements with business partners
- Create a new privacy policy including data access, consent to collect, and right to delete
- Plan your notification process for website inclusion