The My Health, My Data Act applies to businesses that are “regulated entities,” “small businesses,” or “processors” of consumer health data. The Act provides specific exemptions for certain types of information, including the following:
- HIPAA: Protected health information for purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and related regulations;
- Washington State Health Care Information: Health care information collected, used, or disclosed in accordance with RCW 70.02;
- Drug and Alcohol Abuse Information: Patient identifying information collected, used, or disclosed in accordance with 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;
- Research: The following research information:
  - Identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46; and,
  - Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization; the protection of human subjects under 21 C.F.R. Parts 50 or 60; or personal data used or shared in research conducted in accordance with one or more of the above research requirements.
- Quality Improvement: Information and documents created specifically for, and collected and maintained by:
  - A quality improvement committee for purposes of RCW 43.70.510, RCW 70.230.080, or RCW 70.41.200;
  - A peer review committee for purposes of RCW 4.24.250;
  - A quality assurance committee for purposes of RCW 74.42.640 or RCW 18.20.390;
  - A hospital, as defined in RCW 43.70.056, for reporting of health care-associated infections for purposes of RCW 43.70.056, a notification of an incident for purposes of RCW 70.56.040(5), or reports regarding adverse events for purposes of RCW 70.56.020(2)(b); or
  - A manufacturer, as defined in 21 C.F.R. Sec. 820.3(o), when collected, used, or disclosed for purposes specified in RCW 70.02.
- Health Care Quality Improvement Act: Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, and related regulations;
- Patient Safety Quality Improvement Act: Patient safety work product for purposes of 42 C.F.R. Part 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26; and
- Deidentified Information: Information that is (A) deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164, and (B) derived from any of the health care-related information listed in the Act.
In addition, the Act exempts any information originating from, and “intermingled to be indistinguishable” with, any of the information above that is maintained by the following entities:
- Covered Entity or Business Associate: A covered entity or business associate as defined by HIPAA;
- Health Care Facility or Provider: A health care facility or health care provider as defined in RCW 70.02.010; or
- 42 C.F.R. Part 2 Entities: A program or a qualified service organization as defined by 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2.
The Act also exempts the following information:
- Public Health Activities: Information used only for public health activities and purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a limited data set, as defined, and is used, disclosed, and maintained in the manner required, by 45 C.F.R. Sec. 164.514; or
- State Databases: Identifiable data collected, used, or disclosed in accordance with RCW 43.371 or RCW 69.43.165.
- Other Privacy Laws: Personal information that is governed by and collected, used, or disclosed pursuant to the following regulations, parts, titles, or acts, is exempt from this chapter:
  - The Gramm-Leach-Bliley Act;
  - Administrative Simplification Provisions of Part C of Title XI of the Social Security Act;
  - The Fair Credit Reporting Act;
  - The Family Educational Rights and Privacy Act;
  - The Washington Health Benefit Exchange and applicable statutes and regulations, including 45 C.F.R. Sec. 155.260 and RCW 43.71; and
  - Privacy rules adopted by the Washington State Office of the Insurance Commissioner pursuant to chapter 48.02 or 48.43 RCW.
Finally, the Act also states that a regulated entity, small business, or processor is not prevented from collecting, using, or disclosing consumer health data to:
- Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law;
- Preserve the integrity or security of systems; or
- Investigate, report, or prosecute those responsible for any such action that is illegal under Washington state or federal law.
It is important to note that a regulated entity, small business, or processor bears the burden of demonstrating that such processing for the purposes identified above qualifies for the exemption.