Washington Health Data Act – What does it mean for Clinical Trial Patient Recruitment?

The “Washington My Health My Data Act” (Substitute House Bill 1155) is an act that establishes strict regulations on the collection, sharing, and selling of consumer health data in Washington. Signed On April 27th, the act aims to “close the gap” between current practices and consumers’ understanding of how their health data is collected, stored and utilized. It applies to a broad range of health data including: 

1. Physical Health Information: Data related to a consumer’s physical health, such as medical conditions, diagnoses, treatments, and medications.
2. Mental Health Information: Information pertaining to a consumer’s mental health, including psychological conditions, diagnoses, treatments, and medications.
3. Biometric Data: Data derived from biometric measurements, such as fingerprints, facial recognition, retinal scans, and voiceprints.
4. Genetic Information: Information about a consumer’s genetic makeup, including DNA sequences and genetic test results.
5. Health-Related Behavioral Data: Information related to a consumer’s health-related habits and behaviors, such as diet, exercise routines, and sleep patterns.
6. Geolocation Data: Information that can reveal a consumer’s location in relation to health care services, such as visits to clinics, hospitals, or pharmacies.
7. Any Other Information: Data that can be used to identify a consumer’s health condition or status, including health-related preferences, characteristics, or predispositions.

As a leader in clinical trial patient recruitment and remote data collection solutions, we stay abreast of these new regulations. Here, we summarize the key provisions of the act, its implications for a Clinical Trial Patient Recruitment Platform collecting pre-screening information for clinical trials, how to implement it on a web form page, and what it means in terms of cookie consent pop-ups and session cookies.

Key Provisions of “Washington My Health My Data Act”

1. Consent and Transparency: Websites must obtain clear, informed, and voluntary consent from consumers before collecting, using, or sharing their health data. This consent must be distinct from general terms of service agreements and cannot be coerced by deceptive designs.

2. Data Privacy and Protection: Entities must disclose their data collection and sharing practices in a clear privacy policy accessible on their homepage. They are also required to inform consumers of any changes in data use and obtain re-consent for new data practices.

3. Consumer Rights: Consumers have the right to access their health data, know with whom it has been shared or sold, and request its deletion. Entities must comply with these requests promptly and provide a mechanism for consumers to withdraw consent and manage their data.

4. Prohibitions and Restrictions: Selling consumer health data without explicit, valid authorization from the consumer is prohibited. Additionally, the use of geofencing technology to track or collect data from individuals in healthcare facilities is banned. 

5. Security Measures: Regulated entities must implement strong security practices to protect health data and limit access to necessary personnel only. They also need to maintain comprehensive records of data processing and consumer consent.

Implications for Websites Collecting Clinical Trial Pre-screening Information

• Enhanced Consent Processes: Websites must ensure that their consent forms are explicit and transparent, specifically detailing what health data is collected and how it will be used. Consent for data collection must be separate from other permissions, such as terms of service agreements.
• Robust Privacy Policies: They need to develop and maintain detailed privacy policies that are easily accessible to users, clearly stating data practices and consumer rights regarding their health data.
• Data Management and Compliance: Websites must be equipped to handle requests for data access, correction, and deletion efficiently. They must also ensure that any sharing or selling of data is in strict compliance with the new regulations, including obtaining proper authorizations.
• Security and Data Integrity: Strong security measures must be in place to protect consumer health data from unauthorized access or breaches. Regular audits and updates to security protocols might be necessary to adhere to industry standards.

Overall, the legislation aims to close the gaps in consumer health data protection not covered by HIPAA, extending robust privacy rights to individuals regarding their health information, especially when collected by non-covered entities such as certain websites and apps. Websites dealing with clinical trials pre-screening will need to align their operations with these comprehensive requirements to ensure compliance and protect consumer data.

Strategies to implement a robust consent and data management practices on a web form page

Implementing robust consent and data management practices on a web form page, especially for collecting pre-screening information for clinical trials, requires careful design to ensure compliance with the new health data privacy regulations. Here are some practical examples and strategies to implement these requirements effectively:

1. Clear and Comprehensive Consent Forms

• Separate Consent Checkboxes: Use distinct checkboxes for different consent actions—e.g., one checkbox for agreeing to the privacy policy, another for consenting to participate in the trial, and a third for agreeing to data sharing with third parties.
• Explicit Descriptions: Beside each checkbox, provide a clear, brief description of what the user is consenting to. Include links to more detailed explanations or the full privacy policy.
• Visual Clarity: Design the form so that consent options are not pre-checked, requiring active engagement from the user to opt-in.

2. Accessible Privacy Policy Link

• Homepage and Form Accessibility: Include a prominent, easily accessible link to the privacy policy both on the homepage of the website and within the form itself, preferably near the consent checkboxes. 
• Use Tooltips and Modals: Implement tooltips or modal dialogs that can provide more information on the privacy policy and data usage directly in the form without requiring navigation away from the page.

3. Transparent Data Use and Sharing Disclosure

• Detailed Descriptions in Form: Directly on the form, list the types of data collected, the purposes of collection, and who the data will be shared with. Use collapsible sections if the information is extensive to keep the form tidy.
• Regular Updates and Notifications: Implement a system to notify users via email or through their user dashboard about updates to data practices or the privacy policy.

4. User Rights Fulfillment Interface

• Dashboard Features: Provide a user account dashboard where users can view the data collected from them, submit requests to update or delete their data, and manage their consent preferences.
• Automated Response Systems: Develop backend systems that can automatically process requests for data access or deletion, ensuring timely compliance with the regulation’s requirements.

5. Robust Security Measures

• Data Encryption: Implement SSL/TLS encryption for data in transit between the user’s device and your servers. Ensure that stored data is encrypted to protect it from unauthorized access.
• Regular Audits: Conduct regular security audits and vulnerability scans to identify and mitigate risks, ensuring your data protection measures meet industry standards.

6. Audit Trails and Compliance Documentation

• Logging and Monitoring: Keep detailed logs of data access, consent history, and user interactions with data management requests. This documentation will be crucial for compliance audits and any legal scrutiny.
• Data Processing Agreements: For any third-party services used (like cloud hosting or analytics), ensure that contracts clearly define data handling responsibilities and comply with privacy laws.

By implementing these strategies, websites collecting clinical trials pre-screening information can enhance user trust and ensure compliance with stringent data protection laws. These measures protect both the user’s privacy and the integrity of the clinical trial process.

What to consider when handling cookie consent pop-ups and the use of session cookies?

Under the stringent regulations provided by the “Washington my health my data act,” cookie consent pop-ups and the use of session cookies require careful handling to ensure compliance. Here’s what you need to consider:

Cookie Consent Pop-ups

The act requires clear, informed consent for any data collection, which includes the use of cookies. Here’s how you can manage cookie consent pop-ups in compliance:

• Explicit Consent: Consent must be an active, clear affirmative action by the user. This means your cookie consent pop-up should not have pre-ticked boxes. Users must actively opt-in for non-essential cookies.
• Detailed Information: The pop-up should clearly categorize the types of cookies being used (e.g., necessary, performance, advertising, etc.) and explain what each category does. Provide a link to a more detailed cookie policy where users can get comprehensive information.
• Granular Choices: Users should be able to choose which types of cookies they allow. This means providing options to accept or reject non-essential cookies, with only essential cookies being the default setting.
• Easy Access to Modify Consent: There should be a straightforward way for users to change their cookie preferences at any time, not just at the initial visit.

Session Cookies

Session cookies, which are essential for maintaining the state of a user’s session (like keeping them logged in, remembering form inputs), fall under a different category compared to persistent tracking cookies. Here’s how they are typically handled:

• Necessary for Functionality: Session cookies are often considered “strictly necessary” as they are required for basic website functionality and the integrity of the user session. They usually don’t require consent prior to use because they do not track users across websites or collect data for advertising purposes.
• Limited Data Collection: Ensure that session cookies are only used for their intended purpose without collecting or storing additional information unnecessarily. This aligns with data minimization principles under privacy laws.
• Disclosure: Although consent might not be required for session cookies, it’s important to still disclose their use in your privacy or cookie policy to maintain transparency with users.

In the context of the new law, cookie consent mechanisms must be more robust, offering clear explanations, user control, and transparency. Session cookies, while typically exempt from consent requirements due to their essential nature, must still be managed responsibly and disclosed to users. Ensuring these practices are in place not only complies with the law but also builds trust with your users by respecting their privacy rights.

Key Dates 

The My Health My Data Act includes effective dates on a section-by-section basis. The majority of the provisions in the act took effect on March 31, 2024. This means businesses must have systems and processes in place to obtain explicit consumer consent, protect health data, and respond to consumer requests for data access, correction, and deletion. Specific provisions regarding the sale of health data and requirements for small businesses (with fewer than 100,000 consumers’ health data) have an extended deadline, effective June 30, 2024. The sole exception to these operational dates is the provision banning geofencing, which lacks a specified effective date. Consequently, this provision will become enforceable within Washington’s standard default period of 90 days.

These dates are crucial for ensuring that clinical trial patient recruitment platforms and other businesses handling health data are prepared to meet the new regulatory requirements and avoid potential penalties. Check out this link for more FAQ’s.