Digital health companies seeking to scale their businesses nationwide now have a new privacy law to contend with. Washington has passed a first-of-its-kind state law that safeguards consumer health data collected by companies that traditionally fit into a regulatory gap. Digital health is a broad term that includes telehealth, consumer healthcare applications (mHealth), digital therapeutics, wearable devices, health information technology and personalized medicine.

The Health Insurance Portability and Accountability Act (HIPAA) applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically.  Therefore, federal law generally does not extend to digital health applications or websites.  The Federal Trade Commission (FTC) announced that its Health Breach Notification Rule applies to healthcare apps. Still, the law’s language leaves open questions about whether or how it applies to nutrition, health, or fitness applications. 

New Privacy Law Protecting Consumer Health Data

Washington’s new privacy law, the My Health My Data Act, was motivated by a legislative effort to protect abortion access after the U.S. Supreme Court’s Dobbs decision overturning Roe v. Wade. The Act protects consumer location data, restricts the gathering and sharing of health data for targeted advertisements, and gives consumers privacy rights over the personal health data that a digital health application or website collects.

Tech companies have raised concerns about the Act’s broad definition of health data, which far exceeds the definition of personal health information under HIPAA.

The Act provides for government enforcement actions and private rights of action for consumers whose privacy rights under the Act have been violated. 

Digital health companies interested in scaling their businesses must be aware of not only federal privacy laws but also state privacy laws in the states where they intend to operate or offer services. In the future, other states may pass similar legislation as use of digital health applications becomes more prevalent.