Client Alerts

Washington Enacts First In the Nation Health Data Protection Law

By: Frances Floriano Goins

About: Cybersecurity & Privacy

May 1, 2023 – Last week, the Governor of Washington signed a package of legislation aimed at protecting the health care of women in response to the United States Supreme Court’s reversal of Roe vs. Wade. One of the new laws, the Washington My Health, My Data Act, seeks to protect consumers’ health care data that is currently not protected by the Health Information Portability and Accountability Act (HIPAA). The new Washington law, unlike HIPAA, applies to health data collected by non-covered entities, including certain apps and websites like tele-health websites and period-tracking apps, and broadly defines health data.

The Washington My Health, My Data Act requires regulated entities to obtain consumer consent regarding the collection, sharing, and use of certain health information. The Act also gives consumers the right to have their health data deleted by the regulated companies, prohibits the companies from selling consumer health data without valid authorization signed by the consumer, requires entities that collect health data to provide consumers with a privacy policy disclosing the use of health data, and makes it unlawful to utilize a geofence around a facility that provides health care services.

If a company violates the Act, the Act empowers Washington’s Attorney General to bring an enforcement action. In addition, individual consumers may bring a civil lawsuit through a private right of action for a violation of the Act, a right typically not available to consumers. 

Covered entities must comply with the Act by March 31, 2024 while small businesses were given additional time and must comply by June 30, 2024. 

Washington’s extension of privacy rights to health data is unique. In light of the current furor over abortion rights, however, we may see more such statutes enacted in other states.

Ulmer’s Cybersecurity & Privacy Practice Group continues to follow this developing issue. If you have any additional questions, please reach out to our experienced data privacy attorneys.

The information provided in this client alert speaks only to the information and guidance we have available as of the date of publication and is subject to change. We will continue to follow further issued guidance and regulations and endeavor to post those updates via our website. Please continue to follow these updates at This legal update was created by Ulmer & Berne LLP, and is not intended as a substitute for professional legal advice. Receipt of this client alert, by itself, does not create an attorney client relationship. For any questions, or for further information, please contact Frances Floriano Goins at