Washington: My Health, My Data Act

APPLIES TO

All Employers with WA Employees

EFFECTIVE

March 31, 2024

QUESTIONS?

Contact HR On-Call

(888) 378-2456

Quick Look

  • Washington consumers have specific data privacy rights for health data that is collected, processed, shared, or sold.
  • The definition of consumer does not include individuals acting in an employment context.

Discussion

HB 1155, the My Health, My Data Act (Act), protects health data collected by certain apps and websites, not just by entities covered by HIPAA. It applies to entities that conduct business in Washington or provide products or services targeted to consumers in Washington, and that determine the purposes and means of collecting, processing, sharing, or selling consumer health data. Small businesses are also covered if they collect, process, sell, or share consumer health data of fewer than 100,000 consumers during a calendar year or derive less than 50% of gross revenue from such activity of fewer than 25,000 consumers. The definition of consumer does not include individuals acting in an employment context.

Consumer health data is defined broadly and includes, but is not limited to, individual health conditions and treatments, social and psychological interventions, surgeries, medications, bodily functions, biometric data, genetic data, and precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services and supplies. The Act provides consumers with several rights mirroring other data privacy rights legislation: 1) the right to know; 2) the right to consent or deny; 3) the right to withdraw consent; 4) the right to delete; and 5) the right to receive clear and conspicuous disclosure of the right to consent or deny collection or sharing of health data.

Covered entities must include a consumer health data privacy policy on their homepages. The policy must state the categories of health data collected and their purpose, the categories of sources, the categories of health data that is shared, the categories of third parties with whom health data is shared, and how a consumer can exercise their rights under the Act. Violations of the Act can result in private rights of action or prosecution by the State’s Attorney General.

Action Items

  1. Review and revise privacy policies as required.
  2. Review and map collection of consumer health data to respond to rights requests.
  3. Have appropriate personnel trained on the requirements.
  4. Subscribers can call our HR On-Call Hotline at (888) 378-2456 for further assistance.

Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2023 ManagEase