On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (“MHMDA”) to strengthen protections for health data. The MHMDA has the potential to significantly impact how organizations of many types collect, use, and share health data, not only that of Washington residents but also health data collected in the state. The majority of the law’s provisions will take effect on June 30, 2024 for small businesses and March 31, 2024 for other regulated entities.
The MHMDA’s preamble notes that privacy is a fundamental right and information related to one’s health is “among the most personal and sensitive categories of data collected.” As explained in the preamble, the Health Insurance Portability and Accountability Act (“HIPAA”) does not apply to significant swaths of health data, contrary to the expectations of many consumers. Such data remains largely unregulated, though efforts are ramping up to close the gap. The MHMDA is the latest effort by a state legislature to protect data privacy and the first of its kind to focus on consumer health data privacy and help close this gap by strengthening protections for Washington consumers’ health data that is not protected under HIPAA.
I. Scope
Aside from a couple provisions that apply more broadly, the majority of the MHMDA applies to “regulated entities” that control the processing of “consumer health data.” There are various exceptions to the scope of the MHMDA, including protected health information subject to HIPAA. Nonetheless, given the breadth of these definitions, the MHMDA is likely to impact a wide variety of entities, not just those focused on health care services.
A. “Regulated Entity”
“Regulated entity” is defined broadly as any legal entity that (1) conducts business in Washington or produces or provides products or services targeted to consumers in Washington, and (2) determines the purpose and means of collecting, processing, sharing, or selling of consumer health data, whether alone or jointly with others. This means that even businesses that are not physically located within the state of Washington may be considered regulated entities as long as they have a commercial nexus to Washington. Further, unlike many other state data protection laws such as the California Consumer Privacy Act (“CCPA”), there is no threshold (e.g., based on revenue or volume of data handled) to be a regulated entity subject to the MHMDA. In addition, there is no exception for non-profit organizations.
A “small business” is defined as a regulated entity that either:
- collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
- derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.
Small businesses are considered a subset of regulated entities and are subject to the MHMDA, though they have an extra three months to comply with most provisions.
B. “Consumer”
The definition of “consumer” includes not only a natural person who is a Washington resident, but also any natural person whose consumer health data is collected in Washington. The second part of this definition could be very impactful since many large technology companies are headquartered or use large data centers in Washington. The definition of consumer is limited to individuals acting in an individual or household context and expressly excludes individuals acting in an employment context.
C. “Consumer Health Data”
“Consumer health data” is defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. The MHMDA lists various examples of “physical or mental health status,” which include:
- Individual health conditions, treatment, diseases, or diagnosis;
- Social, psychological, behavioral, and medical interventions;
- Health-related surgeries or procedures;
- The use or purchase of prescribed medication;
- Bodily functions, vital signs, symptoms, or measurements related to physical or mental health status;
- Diagnoses or diagnostic testing, treatment, or medication;
- Gender-affirming care information;
- Reproductive or sexual health information;
- Biometric data;
- Genetic data;
- Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
- Data that indicates a consumer seeking health care services; or
- Any information that a regulated entity (or its processor) processes to associate or identify a consumer with these types of data that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
The types of information covered under the MHMDA, which expressly includes information related to social services, biometric data, location information, and information where a health status is derived or extrapolated from non-health information, is broader than those covered under other health privacy regimes, which typically focus on health information relating to services received from a health care provider or payment for such services.
II. Requirements
The MHMDA imposes several impactful requirements, which are summarized below.
A. Opt-In Consent Requirements
Perhaps most notably, the MHMDA requires obtaining consent from consumers before collecting or sharing their consumer health data for a purpose other than providing the product or service requested by the consumer. This requirement to obtain opt-in consent goes beyond the data protection regimes in some states such as California, which generally require honoring opt-outs but do not require opt-in consent except in very limited circumstances (e.g., selling a minor’s personal information). However, some states (e.g., Colorado, Connecticut, and Virginia) require obtaining opt-in consent before collecting sensitive information, including health information.
The MHMDA also requires obtaining an authorization to sell consumer health data. Unlike most of the law’s requirements, this applies to any person selling consumer health data. The MHMDA prescribes specific requirements for what must be included in an authorization to sell consumer health data, and such authorizations must be separate and distinct from any consent to collect or share consumer health data. The elements that must be included in an authorization to sell consumer health data are generally similar to those for a valid HIPAA authorization. The MHMDA defines a “sale” broadly as the exchange of consumer health data for monetary or other valuable consideration.
B. Consumer Rights
The MHMDA grants consumers various rights regarding their consumer health data, including the right to:
- Confirm whether a regulated entity is collecting, sharing, or selling their consumer health data;
- Withdraw consent from the regulated entity’s collection and sharing of their consumer health data;
- Access their consumer health data, including a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data; and
- Delete their consumer health data.
Requests to exercise these rights are to be made through the means established by the regulated entity and described in its consumer health data privacy policy.
C. Consumer Health Data Privacy Policies
The MHMDA requires regulated entities to maintain consumer health data privacy policies, which must clearly and conspicuously disclose (1) the categories of consumer health data collected, the purpose for collection, and how the data will be used; (2) the categories of sources from which the consumer health data is collected; (3) the categories of consumer health data shared; (4) the categories of third parties and affiliates with whom consumer health data will be shared; and (5) how consumers can exercise their MHMDA rights. A link to this privacy policy must be displayed prominently on the homepage. A regulated entity must make additional disclosures and affirm the consumer’s affirmative consent in order to (1) collect, use, or share additional categories of consumer health data not listed in the privacy policy; or (2) collect, use, or share consumer health data for additional purposes not disclosed in the privacy policy.
D. Other Requirements
The MHMDA also imposes several other requirements, notably:
- Geofencing prohibition. The MHMDA prohibits any person from implementing a geofence around an entity that provides in-person health care services in order to (1) identify or track consumers seeking health care services; (2) collect consumer health data; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. Note that this provision in particular does not include an effective date and will therefore be enforceable within Washington’s default timeframe of 90 days after the end of the session in which the bill was passed.
- Access controls and security. Regulated entities are required to restrict access to consumer health data to only those employees, processors, and contractors for which access is necessary (1) to provide the product or service requested by the consumer, or (2) for the purposes for which the consumer provided consent. The law also requires establishing, implementing, and maintaining administrative, technical, and physical data security practices that satisfy the “reasonable standard of care” within the regulated entity’s industry to protect consumer health data appropriate to the volume and nature of the consumer health data at issue.
- Processors are only permitted to process consumer health data pursuant to a binding contract with the regulated entity. The contract must set forth the processing instructions and limit the actions the processor may take with respect to the consumer health data. If a processor fails to adhere to these contractual requirements, it will be considered a regulated entity.
III. Enforcement
The MHMDA provides that violations of the law will be considered unfair trade practices subject to enforcement under Washington’s Consumer Protection Act. Importantly, this means that in addition to state attorney general enforcement, there is also a private right of action for aggrieved consumers.
IV. Takeaways
The MHMDA is noteworthy in the breadth of its scope, both with respect to the entities as well as the types of data subject to the law, and is likely to impact businesses in a variety of industries. Organizations in varying industries should immediately begin efforts to evaluate their nexus to Washington and the types of data they collect to determine how the MHMDA might impact their operations and legal obligations. Given the MHMDA’s private right of action, non-compliance could lead to significant exposure to civil lawsuits.
Particularly in light of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade, many federal and state agencies and legislatures are moving to implement laws and regulations to protect the confidentiality of health data. Some, like the Federal Trade Commission, are also ramping up the use of their authority under existing regimes to take enforcement action against companies for the misuse of health data. We expect that other states, including those that already have general data protection regimes in place, will follow in Washington’s footsteps and pass laws bolstering protections for consumers’ health data.
For further information, please contact:
Jodi G. Daniel, Partner, Crowell & Moring
jdaniel@crowell.com