
State’s ‘Health Data’ Act Could Apply to Car Dealers
By Eric D. Mulligan and Webb McArthur*
House Bill 1155, known as “My Health, My Data Act,” was signed into law by Washington Gov. Jay Inslee on April 27, 2023. While the purpose of the law is to limit the sharing of consumers’ health care data, including data relating to sexual and reproductive health and gender-affirming care, the law is broad enough that some of its provisions will apply to car dealers, banks, and auto finance companies.
The MHMDA, by its terms, applies to consumer health data. The MHMDA defines the term “consumer health data” to include precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies. The MHMDA defines the term “precise location information” to mean “information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.”
As a result, if a vehicle has a location monitoring or tracking device, the information from that device could be subject to the MHMDA to the extent that it reveals a consumer’s attempt to access health care (for example, if the information shows that the consumer’s vehicle is or has been at a doctor’s office). In practical terms, any vehicle with a tracking device may collect data subject to the MHMDA and therefore cause the holder of the associated credit contract to be subject to the MHMDA.
The definition of “consumer health data” includes additional categories of information that could cause the seller of a vehicle or the holder of a vehicle-secured credit obligation to be subject to the MHMDA. For example, the term includes “genetic data,” which the MHMDA defines to mean “any data, regardless of its format, that concerns a consumer’s genetic characteristics.” The term also includes “biometric information,” which the MHMDA defines to mean “data that is generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data.” The definition of “biometric information” expressly includes “imagery” of the face, and, unlike some other definitions, it does not exclude photographs. Interpreted broadly, the definition of “consumer health data” could include data about the consumer’s sex, height, and other physical descriptors, plus photographs of the consumer’s face, whether or not the entity collecting the information uses it to provide health care to the consumer.
The MHMDA excludes data subject to the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Health Information Portability and Accountability Act, as well as de-identified data under 45 C.F.R. Part 164.
The MHMDA requires a regulated entity to disclose certain information in its consumer health data privacy policy, including the categories of consumer health information that the entity collects, the categories of sources from which it collects the data, why the entity collects the data, how the entity will use the data, with whom the entity will share the data, and how a consumer may exercise his or her rights under