On April 17, the Washington legislature passed the My Health My Data Act (MHMD Act), which includes some of the most restrictive provisions in any U.S. state privacy law. The MHMD Act is the result of Washington state’s multi-year effort to pass comprehensive privacy legislation fueled by new fears about access to reproductive health care services following the U.S. Supreme Court’s decision overturning Roe v. Wade in Dobbs v. Jackson Women’s Health Organization. The act will apply to many organizations that may not immediately realize they are processing data within the law’s scope. And those processing covered data will likely need to adjust existing programs designed to comply with other U.S. state privacy laws to address the act’s unique requirements. This post briefly describes the act’s history and stated purpose. We will follow it with a series of posts addressing the law’s nuances and practical takeaways on how the law will affect organizations’ privacy compliance programs.
Never let a crisis go to waste
The Washington legislature failed to enact a comprehensive privacy law in each legislative session since 2019. Despite watching Colorado, Connecticut, Utah, and Virginia enact privacy laws modeled largely on Washington’s original legislation, Washington’s efforts were doomed each session by the House’s insistence on providing – and the Senate’s refusal to provide – a private right of action that would allow private parties to sue regulated entities for alleged violations.
But then, in the summer of 2022, Dobbs emboldened conservative-leaning states to enact aggressive civil and criminal laws to pursue those seeking an abortion or those who would aid them. Some of these laws include extraterritorial provisions that penalize travel to, or activity in, other states related to reproductive health care services. The laws fueled unprecedented concern that law enforcement agencies and anti-abortion private litigants would gain access to personal information held by private organizations that could reveal details about an individual’s pregnancy or attempts to obtain reproductive health care services.
Washington’s governor quickly positioned the state as a safe harbor for those seeking reproductive health care services, taking protective actions available to him by executive order. Then, in October 2022, the governor and Democratic lawmakers announced a “choice-defending agenda” for the 2023 legislative session. While some proposed legislation was narrowly designed to protect those seeking access to, or providing, reproductive health care services or gender-affirming care (see our post on the Shield Law), the agenda also included the MHMD Act with, according to its sponsors, a broad intent to “close an egregious legal loophole that allows non-health care organizations to collect, share or sell private health information,” including “collecting data on specific locations related to reproductive and gender-affirming care.” The Washington attorney general also supported the legislation, noting that “non-HIPAA entities do not have the same obligation to keep people’s medical information confidential” and focusing on “apps, websites, and non-HIPAA covered medical facilities” that “collect, share, and sell sensitive medical information” such as data connected to “medical history, diagnosis, and treatment.”
The act’s provisions regulate data that goes well beyond traditional concepts of “health data”
As originally drafted, the act defined “consumer health data” broadly, extending well beyond what most typically conceive of as medical history, diagnosis and treatment information. For example, the act generally covers information about “bodily functions” and defines “health care services” as “any service provided to a person to assess, measure, improve, or learn about a person’s health.” The act’s coverage of “consumer health data” expanded further as it moved through the legislative process. A provision covering biometric data related to other data concerning a person’s past, present, or future physical or mental health became a provision simply covering all biometric data (which has its own broad definition). Were the act’s enforcement limited to action only by the attorney general, we might expect a narrower interpretation aligned to the act’s stated goals and its sponsors’ originally stated intent. But the act’s private right of action incentivizes the plaintiffs’ bar to test expansive interpretations, creating risk for any “regulated entity” that interprets the provisions too narrowly.
Washington’s legislature finally reaches consensus on a private right of action
This brings us to the private right of action, which consistently stalled the legislature’s past efforts to enact privacy legislation. In past years, the Senate reliably blocked privacy bills with a private right of action. In this legislative session, the Senate not only endorsed the MHMD Act’s private right of action but expanded it. On April 5, on a near-party-line vote, Senate Democrats coalesced behind an amendment making it easier to file a private action under the state’s consumer protection act. The Senate also inserted language to delay most of the act’s provisions from taking effect until March 2024.
What’s next?
On April 17, the two chambers reconciled their bills, with the House adopting the Senate’s version without further revision. The governor’s signature is now almost certain, meaning the act’s broad definitions, sweeping coverage, and onerous requirements will create significant compliance burdens for a wide range of regulated entities that may not consider themselves to be processing consumer health data.
Most of the act’s provisions should be effective on March 31, 2024, although the act’s geofencing restrictions will take effect in July of this year. An apparent drafting error has created uncertainty on other provisions’ effective dates. We will address this issue in a future post.
We will follow this introductory post with another summarizing the MHMD Act’s provisions as passed on April 17. Additional articles will address specific issues, including the act’s broad definitions of “consumer health data” and “consumer”; its restrictive “selling” and “sharing” provisions, unique security requirements, and privacy policy requirements; its minimal exceptions; and its treatment of data subject rights. Each article will focus on the act’s practical implications, especially for organizations with existing compliance programs looking to understand what changes this law’s unique provisions will require for covered data.
You can also click here for information about Washington’s new Shield Law, which addresses out-of-state criminal and civil process related to protected health care services. The legislature passed the Shield Law as another part of this session’s “choice-defending agenda.”
[View source.]