Washington's My Health My Data Act (MHMDA) goes into effect on March 31, 2024, for most entities subject to the law. The MHMDA imposes new notice and consent requirements for the processing of "consumer health data," with potentially steep penalties enforceable through private lawsuits.
The law applies to any legal entity that conducts business in, or targets products or services to, Washington state and determines the purpose for collecting, processing, sharing, or selling "consumer health data." However, "small businesses" may take advantage of a delayed effective date of June 30, 2024 for most provisions of MHMDA. Given the broad sweep of the law, a variety of entities, brands, and data services companies that do not typically consider themselves to be handling regulated health information could be swept into a new complex and potentially litigious statutory framework.
Consumer Health Data Broadly Defined
MHMDA addresses non-HIPAA-covered health-related information about consumers by broadly defining "consumer health data" to mean personal information that is linked or reasonably linkable to a consumer (i.e., anyone in Washington state, not just residents) and that identifies the consumer's past, present, or future physical or mental health status. MHMDA not only includes items like prescription drugs and reproductive health information within its scope; it also covers non-health data that is used to infer and associate a consumer with a health condition.
Because these provisions may be read expansively, such that a consumer's purchase of toilet paper or skin lotion could be covered, the Washington attorney general issued FAQs to help clarify that information limited to the purchase of toiletries is not consumer health data, but that inferences about consumer health data derived from such purchases would constitute "consumer health data."
Required Notices, Consumer Rights, and Geofencing Prohibitions
If an entity is subject to the law, it must provide a specific consumer health data privacy policy. For example, entities must disclose a list of categories of third-party partners and the specific affiliates that receive "consumer health data" and how a consumer can exercise rights under the law, which include access, deletion, and revocation of consent specific to MHMDA practices. In addition, the law prohibits regulated entities from implementing geofences around any entity that provides in-person healthcare services, where such geofence is used to identify or track consumers seeking healthcare services, collect consumer health data, or send messages (including advertisements) to consumers related to consumer health data or healthcare services.
Consent for Collection and Sharing and Heightened Consent for Sales
MHMDA requires specific, separate consents for a regulated entity to collect, share, or sell consumer health data. Consent for collection must be for a specified purpose, and a consent for sharing must be separate and distinct from the consent for collection (with an exception for collection or sharing to the extent necessary to provide a product or service requested by the consumer).
The statute imposes a new standard of consent for sales of consumer health data, requiring prior written authorization for such sales. The law prescribes several disclosures that must appear in the written authorization and procedures that must be followed, and such consent is valid for only one year.
How an Organization Can Prepare
Organizations should use the time before the law's effective date to assess whether they collect and process data subject to MHMDA and ramp up compliance processes. For example, organizations can take the following steps:
- Assessing applicability—Does the organization qualify as a regulated entity, and does the organization collect or process "consumer health data" as defined by MHMDA?
- Updating privacy policies and updating or establishing consumer rights response processes for MHMDA-covered data.
- Data mapping and assessing whether practices constitute collection, sharing, or sale of consumer health data, to determine what level of consent may be required for that activity.
- Evaluating existing geofencing practices for legal compliance, as necessary.