If you work at a HIPAA-regulated entity, you can stop reading right now. Washington’s My Health My Data Act (MHMD) aims to cover all of the health-related information that consumers believe is protected by some federal law but is not, such as information collected by websites and apps.
Requirements of the MHMD look very similar to those in other comprehensive state privacy laws, such as providing consumers with a privacy notice, obtaining consent, and providing the rights to access and delete information, but are narrower in some regards and broader in others than the (currently eight—likely soon to be more) comprehensive state privacy laws.
Entities should first determine if they are a “regulated entity” or a “small business.” Regulated entities do business in Washington or with Washington consumers and need to comply with MHMD beginning on March 31, 2024. Small businesses are regulated entities that touch health data of fewer than 100,000 consumers per year or derive less than 50% gross revenue from health data and touch health data of fewer than 25,000 consumers. Small businesses need to comply with MHMD beginning on June 30, 2024. The exception to this timing is the geofencing provision, which applies to both businesses and individuals, and goes into effect on July 22, 2023.
Washington legislators remind businesses—front and center—that Washingtonians view the right to privacy as a fundamental right. So fundamental that it’s enmeshed in the Washington Constitution. In order to protect these indelible rights, businesses (excluding government agencies, businesses acting on behalf of government agencies, and tribal nations) are prohibited from taking certain actions and are required to take other actions relating to health data.
“Consumer health data” is broadly defined to include personal information that is linked or reasonably linkable to individuals who are Washington residents or whose health data is collected in Washington where the personal information identifies the individual’s past, present, or future physical or mental health status. In addition to what is generally considered to be health-related (such as a diagnosis, surgery, or medication), health data under MHMD also includes biometric data (which includes voice recording and keystroke patterns), location information related to health services or supplies (such as IP address), data that identifies a consumer seeking health care services (such as a cookie or device ID), researching abortions, measurements of reproductive bodily functions, and any information that is derived or extrapolated from non-health information that is used to identify an individual with health data.
Businesses will need to:
- Implement role-based access controls.
- Maintain administrative, technical, and physical data security practices.
- Enter into a contract with their vendors and service providers (“processors”) to ensure those entities are only using the data for specific, approved purposes.
Businesses will no longer be able to:
- Collect, use, or share data without obtaining affirmative consent from a consumer, unless an exception applies.
Businesses and individuals (any “person”) will no longer be able to:
- Sell or offer to sell data without obtaining valid authorization. This valid authorization is separate and distinct from the affirmative consent to collect, use, or share data. A copy of the signed authorization must be provided to the consumer and retained by the business for six years. In order to obtain authorization, specific information, including the name and contact information of the person purchasing the health data and a statement that it is not necessary to agree to the sale in order to obtain the offered goods or services, must be provided separately from any other document signed by the consumer. Note that “sell” includes the exchange of data for both monetary and “other valuable consideration.”
- Geofence within 2,000 feet of the perimeter of an entity that provides in-person health care services, if the geofencing is used to (1) identify or track consumers seeking health care services; (2) collect health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their health data or health care services.
Consumers will have the right to:
- Find out what data is being collected, shared, or sold about them (the “right to confirm”) and obtain a list of all entities with whom the business shared or sold the data (the “right to access”) free of charge, twice annually. Not contained in other comprehensive privacy laws is an enhanced right to access that includes a requirement that the business provide an active email address or other online mechanism to the consumer so the consumer can contact the other entities that received the data from the business.
- Withdraw consent for the collection and sharing of data.
- Request the deletion of data. Upon receiving a deletion request, the business must delete data in its possession (including any data on archived or backup systems within six months of the request) and notify all entities with whom it shared information that they need to delete the data from their records, as well.
- Appeal a business’s failure to take action after receiving a consumer request.
A business may not discriminate against a consumer for exercising the rights provided by MHMD.
A violation of MHMD is a violation of the state’s consumer protection law. This means that the Attorney General or an injured consumer may take action to enforce the law.
There are some limited exceptions to the general definitions and requirements outlined above. If you need assistance with determining your company’s obligations under MHMD, please contact our privacy & data security team.
This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.