Washington's My Health My Data Act Application to Research Activities
June 5, 2023, Covington Alert
Washington’s My Health My Data Act (the “Act” or “HB 1155”) garnered immediate attention when it passed, given that it creates new consent obligations for the processing of “consumer health data” and can be enforced through a private right of action. This client alert considers the scope of several exemptions that may be relevant to companies conducting clinical trials, marketing products regulated by the U.S. Food and Drug Administration (“FDA”), and/or providing clinical care to individuals in Washington state.
As background, the Act generally applies to “regulated entities,” defined to include any legal entity that (1) conducts business in the state of Washington or produces or provides services targeted to Washington consumers, and (2) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of “consumer health data.” The Act defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer’s past, present, or future physical or mental health,” and provides a number of examples of what could constitute consumer health data, including individual health conditions, treatment, diseases, or diagnosis; health-related surgeries or procedures; bodily functions, vital signs, or symptoms; and certain biometric and genetic data.
Importantly, the Act contains a number of exemptions. Of particular note, the Act carves out certain research activities in two sections: (1) in the definition of “consumer health data,” and (2) within the list of exemptions in Section 12 of the Act.
- Definition of “Consumer Health Data”: The definition of “consumer health data” explicitly carves out personal information — i.e., “information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer”[1] — used to engage in “public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws” and is overseen by an institutional review board (“IRB”), human subjects research ethics review board, or other similar independent oversight agency.[2]
- Statutory Exceptions: Section 12 of the Act contains a number of exemptions implicating research activities. Specifically, the Act excludes “identifiable private information for purposes of the Federal Policy for the Protection of Human Subjects” (often referred to as the Common Rule).[3] The Act also appears to exclude identifiable private information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization (“ICH”) or under the FDA’s regulations governing informed consent and IRB requirements.[4]
The statutory exceptions in Section 12, coupled with the definitional limitation of “consumer health data,” likely exempt most clinical trial data from the Act’s requirements.[5] There is some potential ambiguity, however, about the applicability of the research carve-outs to certain observational studies. For example, data collected through privately funded observational studies that are neither intended to be made public or peer-reviewed nor intended to be submitted or made available to FDA as part of a clinical trial or marketing application — and therefore are not subject to FDA’s informed consent or IRB requirements — could be subject to the Act. This understanding assumes that the exemption in Section 12 applies to identifiable private information obtained from a clinical trial that is subject to the Common Rule or FDA’s informed consent and IRB requirements (see footnote 4).
In addition to these research exceptions, there may also be exceptions that are relevant to consumer health data obtained from health care providers or health care facilities for adverse event tracking and reporting. Section 12 of the Act exempts health care information collected, used, or disclosed in accordance with Chapter 70.02 of the Washington Revised Code. This is a provision of Washington law that permits health care providers and health care facilities to disclose information, without patient authorization, to a person subject to FDA’s jurisdiction with regard to an FDA-regulated product for which the person has responsibility for quality, safety, or effectiveness.[6] Therefore, it appears that disclosure of adverse event information to drug and device manufacturers by health care providers or health care facilities would not be subject to the Act’s requirements.[7]
In addition to the aforementioned research exemptions, the Act also exempts data covered by the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”). The Act also excludes information that has been de-identified in accordance with HIPAA.
Particularly given that the Act not only grants enforcement authority to the state Attorney General, but also contains a private right of action, we recommend considering how the Act and its exemptions may impact your business operations. The Act’s requirements generally become effective March 2024, though “small businesses” have until June 2024 to come into compliance.[8]
If you have any questions concerning the material discussed in this client alert, please contact the members of our Data Privacy and Cybersecurity practice.
[1] HB 1155 § 3(18)(a). This definition arguably includes key-coded data.
[2] The Act specifically states that “consumer health data” excludes “personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the regulated entity or the small business has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.” See HB 1155 § 3(8)(c).
[4] Id. The statutory language is imprecise about whether the exemption applies if: (a) the clinical trial is subject to the Common Rule or FDA’s informed consent and IRB requirements, or (b) the clinical trial complied with the Common Rule’s requirements or FDA’s informed consent and IRB requirements, regardless of whether the clinical trial technically is subject to either human subjects protection framework.
[5] That a research carve-out appears in two sections of the Act (i.e., both definitional and statutory) could be read to cover distinct research activities. However, it is also possible that the overlap is due to poor drafting. The Act’s legislative history does not provide further context on the scope of the carve-outs.
[6] Id. § 12(a)(ii); Wash. Rev. Code § 70.02.210(2)(c).
[7] If a patient directly reports adverse experience information to a manufacturer, the Act’s consent requirements likely would apply. See HB 1155 § 5. Note that the consent to collect consumer health information and the consent to share consumer health information must be “separate and distinct.”
[8] A “small business” is one that (1) collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or (2) derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers. Id. § 3(28).