Washington’s My Health My Data Act (MHMDA) was enacted to close a perceived gap in privacy protection for consumer health data. MHMDA’s focus on consumer health data and its private right of action deviate from the privacy laws recently enacted in other states and create higher litigation and regulatory risk.
Below, we outline applicability considerations, as well as noteworthy restrictions and requirements for regulated entities.
Applicability and Compliance Timelines
Many recent state data privacy laws apply only if a business processes a certain volume of personal information. MHMDA contains no such applicability threshold (though certain “small businesses” that handle less data are given additional time to comply). MHMDA applies to any legal entity that conducts business in Washington, or otherwise targets its products or services to Washington residents, and that alone or jointly with others determines the purpose and means of collecting, processing, sharing, or selling consumer health data (each, a “regulated entity”). Note that the geofencing prohibition, discussed below, applies to any person, not just regulated entities.
Regulated entities must comply with the majority of MHMDA’s requirements by March 31, 2024, unless they qualify as a “small business.” Small businesses have until June 30, 2024, to comply. A small business is a regulated entity that does either of the following:
- Collects, processes, sells, or shares the consumer health data of fewer than 100,000 consumers during a calendar year.
- Derives less than 50% of its gross revenue from collecting, processing, selling, or sharing consumer health data and collects, processes, sells, or shares the consumer health data of fewer than 25,000 consumers.
“Consumer” refers to a natural person who is a Washington resident or whose consumer health data is otherwise collected in Washington. The term expressly excludes individuals acting in an employment context, so employee data collected in that context is out of scope.
MHMDA’s protections apply to “consumer health data,” which is personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. Examples of what may identify an individual’s physical or mental health status include:
- Health conditions, treatment, diseases, or diagnosis.
- Social, psychological, behavioral, and medical interventions.
- Health-related surgeries or procedures.
- Use or purchase of prescribed medication.
- Diagnoses or diagnostic testing, treatment, or medication.
- Gender-affirming care information.
- Reproductive or sexual health information.
- Biometric data.
- Genetic data.
- Bodily functions, vital signs, symptoms, or measurements of any of the information in this list.
- Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.
- Any information that a regulated entity or small business processes to associate or identify a consumer with any of the data described above, where that information is derived or extrapolated from non-health information (e.g., inferences about a consumer’s health status drawn from the purchase of certain products).
Exemptions
MHMDA does not apply to information that is already subject to the following laws or regulations:
- Protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, as well as information that originates from, and is intermingled so as to be indistinguishable from, PHI maintained by a covered entity or business associate (as HIPAA defines those terms).
- Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 (HCQIA).
- Patient identifying information collected, used or disclosed in accordance with federal substance use disorder privacy regulations (42 CFR Part 2).
- Identifiable private information collected as part of a clinical trial or research study that is otherwise regulated.
- Information governed by certain Washington laws and regulations.
- Personal information otherwise governed by the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), or the Family Educational Rights and Privacy Act (FERPA).
- Other laws and regulations specified in MHMDA.
MHMDA does not apply to de-identified data, which is defined as data that cannot reasonably be used to infer information about or be linked to an identified or identifiable consumer or a device linked to such consumer (if the regulated entity takes certain measures to ensure such de-identification). It also does not apply to information that has been de-identified in accordance with HIPAA.
MHMDA also excludes government agencies, tribal nations, and contracted service providers processing data on behalf of government agencies from the definition of regulated entity. Unlike the majority of other state privacy laws, MHMDA does not include an exemption for nonprofit organizations.
Healthcare Providers: Understanding the Interplay with HIPAA
MHMDA exempts HIPAA covered entities and business associates from its requirements only with respect to the PHI they maintain. For any non-PHI consumer health data, covered entities and business associates must comply with MHMDA unless another exemption applies. A company that maintains both consumer health data and PHI will therefore need to map each category of information it holds and apply the rules governing each category.
Homepage Notice Obligations
Each regulated entity must post a prominent link on its website homepage to a consumer health data privacy policy that is separate and distinct from its standard privacy policy. Simply revising an existing privacy policy will not be sufficient.
Notably, MHMDA requires the consumer health data privacy policy to list the specific affiliates with whom the business shares consumer health data. “Sharing” is broadly defined to include any release, disclosure, access, license, or other dissemination or communication of consumer health data by a regulated entity to a third party. Sharing does not include disclosure of consumer health data to a processor when the disclosure is made to provide goods or services in a manner consistent with the purpose for which the data was collected and disclosed to the consumer (e.g., as agreed between a regulated entity and its processor in a binding contract, which must include the terms MHMDA prescribes).
The MHMDA consumer health privacy policy must also disclose:
- Categories of consumer health data collected and purpose(s) for such collection (including how the consumer health data will be used).
- Categories of sources from which consumer health data is collected.
- Categories of consumer health data that are shared.
- Categories of third parties with whom consumer health data is shared.
- Specific affiliates with whom the consumer health data is shared.
- How a consumer can exercise specific rights afforded to them under MHMDA.
Consent, Consent, and Consent
Obtaining consent is a critical compliance component under MHMDA. MHMDA prohibits regulated entities and small businesses from collecting or sharing consumer health data except (1) with the consumer’s consent or (2) to the extent necessary to provide a product or service the consumer has requested from the entity. MHMDA also makes it unlawful to sell consumer health data without a valid authorization from the consumer. Consent must be obtained before any collection, sharing, or sale of consumer health data. A consent is not valid if it is obtained through a consumer’s acceptance of general terms of use that include unrelated information, through a consumer hovering over, muting, pausing, or closing a given piece of content, or through other ambiguous actions. Unlike under other states’ laws, posting a conspicuous privacy policy does not satisfy the need for consent.
Collection and Sharing
For either collecting or sharing, a valid (separate) request for consent must clearly disclose the following:
- The categories of consumer health data to be collected and/or shared.
- The purpose of such activity (for sharing consumer health data, this must also include the specific ways in which the consumer health data will be used by the recipient).
- The categories of entities with whom consumer health data will be shared.
- How the consumer can withdraw consent for future collection/sharing.
The consent for sharing of consumer health data must be separate and distinct from the consent for the collection of consumer health data in the first instance.
Sale
The sale of consumer health data requires a distinct, valid authorization signed by the consumer, which expires one year after the consumer signs it. Both the seller and the purchaser of consumer health data must retain copies of all valid authorizations for six years. An authorization to sell consumer health data must include certain information, including:
- Identification of the specific consumer health data that is intended to be sold.
- Name and contact information for the entity collecting, selling, and purchasing the consumer health data.
- Description of purpose for the sale, including how consumer health data will be gathered and how it will be used by the purchaser once sold.
Consumer Rights
MHMDA provides consumers with many of the same standard rights that are covered by other state data privacy legislation for all personal information, including:
- The right to know if their consumer health data is collected, shared, or sold by a regulated entity or small business.
- The right to access their consumer health data collected, shared, or sold by a regulated entity or small business.
- The right to delete consumer health data related to that consumer.
- The right to withdraw consent to/authorization of a regulated entity’s or small business’s collecting, sharing, or selling consumer health data.
- The right to appeal a regulated entity’s or small business’s refusal to take action on a request.
Geofencing Prohibition
MHMDA prohibits any person from implementing a geofence around a facility that provides in-person health care services where the geofence is used to identify or track consumers seeking health care services, to collect consumer health data from them, or to send them notifications, messages, or advertisements related to their consumer health data or health care services. For this purpose, a geofence is a virtual boundary 2,000 feet or less from the perimeter of the facility. Geofencing refers to technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, or any other form of spatial or location detection to establish a virtual boundary around a specific physical location. Geofences are often used to identify when a particular individual is within that boundary and to evaluate other data points about the individual (e.g., frequency of visits, duration, movements within the boundary).
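A practical first step for a privacy or security engineer is to find out whether any geofence the business already runs comes near a health care facility at all, since the purpose-based questions only matter for fences that do. The Python script below is an added example, not code from the article or from the statute. It audits a constructed list of circular geofences against a constructed list of facility coordinates and flags every fence whose boundary (not merely its centre) lies within a buffer distance of a facility, or encloses it. The 2,000-foot buffer is the distance in MHMDA’s definition of a geofence; the class and function names, the Seattle-area sample coordinates and the purpose labels are this example’s own assumptions. Whether a flagged fence’s purpose falls within the prohibited uses is a legal determination the script does not attempt.

```python
# Added example: geometric audit of configured geofences against known
# health care facility locations. Fence and facility records are constructed
# for illustration; class, function and field names are this example's own.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_FT = 6_371_000 / 0.3048  # mean Earth radius (6,371 km) expressed in feet
MHMDA_BUFFER_FT = 2_000.0             # MHMDA: a geofence is a boundary 2,000 ft or less from the facility perimeter


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_ft: float
    purpose: str  # recorded for the reviewer; the check below is purely geometric


@dataclass(frozen=True)
class Facility:
    name: str
    lat: float
    lon: float


def haversine_ft(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in feet between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_FT * asin(sqrt(a))


def boundary_distance_ft(fence: Geofence, facility: Facility) -> float:
    """Distance from the facility point to the nearest point on the fence's
    circular boundary. Negative means the facility lies inside the fence."""
    return haversine_ft(fence.lat, fence.lon, facility.lat, facility.lon) - fence.radius_ft


def audit(fences, facilities, buffer_ft: float = MHMDA_BUFFER_FT):
    """Return (fence, facility, boundary distance, purpose) for every fence whose
    boundary lies within buffer_ft of a facility or encloses it.

    Centre-to-facility distance is the wrong test: a large fence centred well
    outside the buffer can still have its edge inside it."""
    findings = []
    for fence in fences:
        for facility in facilities:
            d = boundary_distance_ft(fence, facility)
            if d <= buffer_ft:
                findings.append((fence.name, facility.name, d, fence.purpose))
    return findings


# Constructed sample data (downtown Seattle coordinates; not real facilities).
SAMPLE_FACILITIES = [Facility("Clinic A", 47.6062, -122.3321)]
SAMPLE_FENCES = [
    # Centred on the clinic: encloses it, boundary distance -500 ft.
    Geofence("pharmacy_promo", 47.6062, -122.3321, 500, "ad_targeting"),
    # Centre ~3,648 ft north, but a 2,000 ft radius puts the edge ~1,648 ft away.
    Geofence("near_clinic", 47.6162, -122.3321, 2000, "visit_analytics"),
    # Centre ~18,200 ft north; edge ~17,200 ft away, outside the buffer.
    Geofence("stadium_promo", 47.6562, -122.3321, 1000, "ad_targeting"),
]

if __name__ == "__main__":
    for fence, facility, d, purpose in audit(SAMPLE_FENCES, SAMPLE_FACILITIES):
        print(f"{fence}: boundary {d:,.0f} ft from {facility} (purpose: {purpose})")
```

In a real audit the fence definitions would be pulled from the mobile SDK or ad-platform configuration rather than typed in, and polygonal fences need a point-in-polygon test plus a distance-to-nearest-edge calculation in place of the radius subtraction used here. The `near_clinic` record is the case worth remembering: its centre is outside the buffer, so a check that compares only centre coordinates would miss it.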
Enforcement
Unlike most other state data privacy laws, MHMDA enforcement is not limited by the Attorney General’s enforcement resources and priorities. A violation of MHMDA is a per se violation of Washington’s Consumer Protection Act and is enforceable through a private right of action. As a result, the risk associated with an MHMDA violation may be significantly greater than under similar state privacy laws. We anticipate that plaintiffs will be keenly aware of the statute and aggressive in bringing claims.
Next Steps
In preparation for MHMDA, we recommend inventorying the data you hold that may be subject to the act and planning how to meet its requirements. This may include updating internal policies for the data of Washington residents, drafting and publishing a separate consumer health data privacy policy, implementing appropriate security safeguards, entering into data processing agreements with processors, revising or drafting additional consumer consents and sale authorizations, and identifying business practices that may need to change (such as limiting geofencing activity around facilities that provide health care services).
Our team will continue to monitor MHMDA. We also are following Nevada’s similar “Senate Bill 370,” which also focuses on consumer health data and will be previewed in a separate, forthcoming update from our team.