Washington state has passed a novel law, the My Health My Data Act (MHMDA), to regulate how businesses collect and use health data about individuals in the state.

Key Takeaways

  • MHMDA applies to nearly all entities that collect health-related information from Washington residents, and requires consumer consent before that information is collected or shared for any purpose beyond providing the product or service the consumer asked for.
  • MHMDA contrasts significantly with other state privacy laws, which apply only to companies that meet thresholds for annual revenue or for the number of individuals whose data they process.
  • Companies in scope must post a health data privacy policy on their website and will need to develop robust consent mechanisms, ensure secure data storage and transmission, and establish procedures for data subject rights management.

As the patchwork of personal data protection regulation evolves at the state level, Washington state has enacted a novel law that specifically targets how companies treat information about individuals' physical and mental health. The MHMDA is particularly notable in that it will significantly impact organizations that are not subject to the Health Insurance Portability and Accountability Act (HIPAA). To comply with the law, these entities will need to review and enhance their health information collection, storage, and processing practices. They will also need to develop robust consent mechanisms, ensure secure storage and transmission of data, and establish procedures for data subject rights management.

Organizations in Scope

Taking effect March 31, 2024 (with the exception of certain "small businesses" that have until June 30, 2024, to comply), the MHMDA aims to safeguard consumer health-related data beyond the confines of HIPAA. Although often misunderstood, HIPAA only protects certain identifiable health information held by "covered entities" (health plans, health care clearinghouses, and health care providers that conduct certain transactions such as billing electronically) and their business associates. HIPAA generally does not apply to the many companies that collect health-related information for commercial purposes outside that relationship.

Further, in contrast to all the currently adopted comprehensive state privacy laws, the reach of the MHMDA is not limited to companies that collect health data from a minimum number of individuals or that meet an annual revenue threshold. Instead, the MHMDA's scope turns on the data handled, not on the size of the entity handling it. It applies to any entity – including non-profits – that (i) conducts business in Washington or targets products or services to Washington consumers, and (ii) determines the purpose and means of collecting, processing, sharing or selling consumer health data. Importantly, the MHMDA therefore reaches regulated entities located both within and outside Washington, as long as their commercial activities target Washington consumers.

Data Covered

The MHMDA protects consumer health data, which is broadly defined to include any personal information "linked or reasonably linkable to a consumer, and that identifies the consumer's past, present, or future physical or mental health status." The act specifies that covered information includes biometric data, reproductive or sexual health information, data that identifies a consumer as seeking health care services, and precise location information that could reasonably indicate an attempt to obtain health services or supplies. Notably, the definition draws into scope information derived or extrapolated from non-health data, such as inferences, proxies, or the output of algorithms, when it is used to associate or identify a consumer with physical or mental health data. This is in line with the FTC's recent position that inferences about an individual's health can be considered sensitive data – for example, the fact that a person asked a company about mental health services could be treated as inferred information about that person's medical status.

Informed Consent to Collection

The law emphasizes individuals' informed consent and control over their consumer health data. It prohibits businesses from collecting or sharing consumer health data without the consumer's consent, except to the extent necessary to provide a product or service the consumer has requested. Consent under the act must be a clear, affirmative, opt-in act that is freely given, specific, informed and unambiguous; pre-checked boxes and consent bundled into general terms of use do not qualify. Selling consumer health data is subject to a higher bar: the seller must obtain a separate, signed "valid authorization" from the consumer (distinct from the consent to collect or share), which must describe the specific data being sold, the buyer and the purpose, and which expires after one year.

Health Data Privacy Policy

MHMDA requires regulated entities to maintain a "health data privacy policy" that clearly discloses the

  • categories of consumer health data collected, and the purposes for which it is collected, including how it will be used,
  • categories of sources from which the data is collected,
  • categories of consumer health data that are shared,
  • categories of third parties and affiliates with which the data is shared, and
  • how consumers can exercise their rights under the act.

A link to the regulated entity's health data privacy policy must be prominently displayed on the entity's website home page. Additionally, the MHMDA aims to recognize individuals as the key decision-makers over their consumer health data by giving them the right to confirm whether an entity is collecting, sharing or selling their data, to access that data (including a list of the third parties with which it has been shared), to withdraw consent at any time, and to have the data deleted. Entities must respond to consumer requests within 45 days, with limited exceptions, and a deletion request must also be passed on to the entity's affiliates, processors, contractors and other third parties that received the data.

Data Security

To protect consumer health data from unauthorized access or disclosure, the MHMDA requires regulated entities to establish, implement and maintain reasonable administrative, technical and physical data security practices, and to restrict access to consumer health data to those employees, processors and contractors who need it to carry out the purpose for which the consumer gave consent. The act does not prescribe specific controls; in practice, encryption of data at rest and in transit, role-based access controls, and audit logging of access are the measures a regulator will expect to see when assessing whether safeguards were "reasonable."

Enforcement

The MHMDA makes a violation of the act an unfair or deceptive practice under the state's Consumer Protection Act, which the Washington State Attorney General's Office may enforce. Because the Consumer Protection Act also carries a private right of action, individuals whose rights have been violated may seek legal remedies and damages through private suits, creating the risk of a new wave of privacy-related litigation. Unlike the Illinois Biometric Information Privacy Act, under which a bare statutory violation is enough to sue, a private plaintiff under the MHMDA must show injury to business or property, not merely that a violation occurred.

Looking Ahead

The new law will impact many businesses that provide health-related products, services, and mobile applications that have traditionally fallen outside the scope of HIPAA. For example, regulated entities could include gyms, grocery stores with pharmacy or loyalty programs, and wellness app providers. Failure to meet these requirements could lead to legal and reputational consequences. Similar legislation is currently being considered in Florida, Connecticut, and several other states. While there is always the potential for broader privacy protection at the federal level, recent efforts have not been successful.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.