Washington State Enacts Landmark Privacy Law Aimed at Digital Health Industry


On April 27, 2023, the state of Washington enacted a landmark privacy law aimed at protecting the privacy of health data not covered by HIPAA. This law, named the “,” covers a very wide range of entities, consumers, and data. It also contains a private right of action. Companies should soon begin evaluating the scope of this law and its requirements before it comes into effect March 31, 2024 (for “small businesses,” June 30, 2024).

There are many nuances and complexities to this law that go beyond HIPAA or any other existing state “comprehensive” privacy law. We highlight some of the key elements below:

  • Applicability. Unlike other state consumer privacy laws, this law contains no revenue or volume of processing thresholds. The law applies to “regulated entities” collecting “consumer health data” from “consumers.” Each of these key terms is defined broadly. Non-governmental entities, including non-profits, that conduct business in Washington or produce or provide products or services targeted to Washington consumers, and that alone or jointly with others determine the purposes and means of collecting, processing, sharing, or selling consumer health data are in scope.

“Consumers” include Washington residents as well as any individual whose health data is “collected” in Washington (and “collect” doesn’t mean “collect” in the traditional sense of the word). The law doesn’t apply to individuals in an employment context or to employee data. The broad definition of “consumer health data” includes even data derived from non-health information that may indicate a consumer’s attempt to receive health services or supplies. There are exceptions for data that is subject to certain enumerated privacy laws such as HIPAA, GLBA, FCRA, FERPA, and existing Washington state laws related to health care and insurance. For more details on these key definitions and the scope of the law, read our post.

  • Notice. Like other privacy laws, the law requires entities subject to the law to have a privacy policy with certain content requirements. It remains to be seen whether existing website privacy policies can be used, or whether a separate notice will be required.
  • Rights. While the types of rights and procedural requirements will be generally familiar to companies subject to other consumer privacy laws, there are certain aspects that go further than existing US privacy laws. For example, the details that must be provided in an access request, and the lack of typical exceptions to consumers’ right to delete will create burdensome operational challenges. For more details on consumer rights requests, read our post.
  • Consent. The law requires opt-in consent for any collection, use, disclosure, or other processing of data beyond what is necessary to provide a consumer-requested product or service. There are also requirements for “sharing” (though the definition doesn’t follow CCPA’s definition). In addition, there is an onerous authorization requirement for any “sale” of consumer health data. The broad definition of “sale,” coupled with the requirement to have a written and signed authorization for any “sales” may impact how companies engage in targeted advertising activities. For more details on the consent requirements, read our post.
  • Geo-fencing ban. Geo-fencing is the creation of a virtual perimeter for a specific geographic area. The law prohibits companies from using a geofence to identify consumers, collect consumer health data, or send ads or notifications based on a consumer’s proximity to in-person health care services facilities.

The law may be enforced by a private right of action, in addition to enforcement by the Washington Attorney General. This law fits a growing trend towards increased scrutiny and protections for health data not covered by HIPAA. (See for a discussion on the FTC’s focus).