The State of Washington passed a groundbreaking consumer health data privacy law earlier this year called the Washington My Health My Data Act (the “MHMDA”). The MHMDA is designed to protect an individual's rights in their “consumer health data”. Under the statute, “consumer health data” is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status.” The MHMDA was designed to “close the gap” between current health care industry practices, which are regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) and corollary state laws, and consumers’ understanding of how their health data is collected, stored and transferred.
The MHMDA impacts a wide array of healthcare related companies not generally regulated under HIPAA. Those healthcare related companies swept up under the MHMDA include providers of health care devices and their app developers, pharmaceutical companies, genetic testing and genealogy businesses, health data technology companies, web-based services, cash-only services, fitness and lifestyle apps and wearable devices.
The MHMDA covers both Washington consumers and consumers of other states whose consumer health data is processed in the State of Washington.
While a small portion of the MHMDA went into effect in July, most entities covered by the MHMDA have until March 31, 2024, to comply with the remaining requirements. However, businesses that qualify as a “small business” under the MHMDA have until June 31, 2024.
It is very important to prepare for compliance with the MHMDA now, because there are a number of operational impacts of the MHMDA. There are also strong enforcement mechanisms under the law, since the Attorney General has the right to enforce the MHMDA, and the law includes a private right of action.
Does the MHMDA apply to my organization?
Determining whether your organization falls within the scope of the MHMDA requires an in-depth analysis of the MHMDA and your business activities. Consider taking the following steps to determine your obligations under MHMDA:
1. Is your organization a “Regulated Entity”?
Under the MHMDA, a “Regulated Entity” is any legal entity that both:
(a) conducts business in Washington State or provides products or services targeted to Washington consumers; and
(b) alone or with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data (i.e., the data controller).
Unlike other state consumer privacy laws, the MHMDA does not include carve-outs for entity-level exemptions based on revenue, data processing, or consumer thresholds. There is also no exemption for non-profits.
2. Are you collecting “Consumer Health Data”?
This inquiry takes into account three key definitions in the MHMDA: consumers, collect, and consumer health data.
a. Does your organization collect data from consumers?
The MHMDA applies to “consumers”, defined as either a Washington state resident or an individual whose consumer health data is collected in Washington. “Collect” under the MHMDA means “to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.”
If a consumer who meets either of these thresholds can be identified, including by “any unique identifier” (e.g., IP address), that individual meets the definition of a “consumer” under the MHMDA.
b. Is the data collected by your organization “consumer health data”?
The definition of “consumer health data” means “personal information” that is linked or reasonably linkable to a consumer, and that identifies the consumer’s past, present, or future “physical or mental health status” including (as defined under the MHMDA):
- Individual health conditions, treatment, diseases, or diagnoses.
- Social, psychological, behavioral, and medical interventions.
- Health-related surgeries or procedures.
- Use or purchase of prescribed medication.
- Bodily functions, vital signs, symptoms, or measurements of the information expressly identified in the definition of consumer health data.
- Diagnoses or diagnostic testing, treatment, or medication.
- Gender-affirming care information.
- Reproductive or sexual health information.
- Biometric data.
- Genetic data.
- Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.
- Data that identifies a consumer seeking “health care services,” which is defined broadly as any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health.
- Any information that a regulated entity, or its respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
3. Do any of the data exclusions apply?
The MHMDA excludes certain categories of personal information from the definition of “consumer health data.” By way of example, under the MHMDA, consumer health data excludes personal information used in public or peer-reviewed scientific research; protected health information governed by HIPAA; or personal information regulated under the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act or the Family Educational Rights and Privacy Act.
How Do I Meet the Requirements of the MHMDA?
We have set forth below an overview of the steps you can take to meet the requirements of the MHMDA before the March 31, 2024, deadline:
1. Conduct data mapping to analyze what “consumer health data” your organization processes, including where and how the data is collected and maintained and to whom it is disclosed.
In order to comply with the requirements of the MHMDA, regulated entities should review their data processing activities in a granular manner to accurately track the categories of consumer health data, the purposes of the processing, where and how the consumer health data is collected and maintained, and to whom it is disclosed.
2. Design and implement a compliant consumer health data privacy policy.
Organizations governed by the MHMDA must maintain a separate and distinct “consumer health data privacy policy” which must be prominently posted on their webpage. The consumer health data privacy policy cannot be combined or incorporated into the entity’s usual privacy policy. It must include the following information:
- The categories of sources from which the consumer health data is collected.
- The categories of consumer health data that is shared.
- A list of the categories of third parties and specific affiliates with whom the regulated entity shares the consumer health data.
- How a consumer can exercise the rights granted under the MHMDA.
3. Obtain opt-in consent from consumers prior to collecting or sharing consumer health data.
An organization collecting consumer health data regulated under the MHMDA must affirmatively obtain consent prior to collecting or sharing any consumer health data with a third party. The organization must have one form of consent for collecting consumer health data and a second form of consent for sharing consumer health data. Organizations cannot use the same form of consent for both purposes. These consents may not be combined with a general terms of use policy, and may not be obtained by hovering over, muting, pausing, or closing a piece of content. Rather, the consent must be “a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement.” The applicable consent must clearly and conspicuously disclose:
- The categories of consumer health data collected or shared.
- The purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used.
- The categories of entities with whom the consumer health data is shared.
- How the consumer can withdraw consent from future collection or sharing of the consumer's health data.
4. Obtain valid authorizations from consumers to sell consumer health data.
Prior to selling or offering to sell consumer health data, regulated entities must obtain valid authorizations from the consumer that meet the specific requirements set forth in the MHMDA. Authorizations are only valid for one year, and the seller and buyers must retain a copy of the authorization for six years.
5. The MHMDA allows consumers to exercise certain rights with regard to the consumer health data as described below. Therefore, organizations must develop and implement a secure and reliable mechanism for receiving and processing consumer health data rights requests:
a. Right to Deletion. Consumers have the right to delete their consumer health data, which includes the right to have consumer health data deleted from a regulated entity’s network, including archived or backup systems. Regulated entities must flow down the requirement to processors and sub-processors, who are also required under the MHMDA to comply with the deletion requirements. Regulated entities cannot decline, or delay, deletion requests for the common exceptions found in other consumer data privacy laws.
b. Right to Withdraw Consent. Consumers have the right to withdraw their consent for consumer health data collection and sharing.
c. Right to Confirm/Access. Consumers have the right to confirm whether a regulated entity is collecting, sharing or selling their consumer health data. Consumers also have the right to access their consumer health data, including the right to obtain a list of all third parties and affiliates with whom the regulated entity has shared or sold such consumer health data, together with those third parties’ or affiliates’ email addresses or other contact information.
d. Right to Appeal. Consumers have the right to appeal the regulated entity’s decision with respect to a consumer rights request. In addition to other requirements, the appeal process must be conspicuously available to the consumer.
Regulated entities have 45 days to respond to a consumer request (including an appeal), unless the regulated entity is unable to authenticate a consumer request. The private right of action applies to violations of consumer rights requests.
6. Service Provider Agreements.
Organizations that share consumer health data regulated under the MHMDA with service providers must include contractual provisions, such as a data processing addendum, that address privacy and security protections for consumer health data.
7. Data Security Standards.
Confirm the organization has established and maintains administrative, technical, and physical data security practices satisfying a reasonable industry standard to protect consumer health data appropriate for the volume and nature of the data.
8. Comply with geofencing restrictions.
Geofencing restrictions went into effect under the MHMDA in July 2023.
This law is extremely complicated and has a major impact on many health-related entities which have not been heavily regulated in the past. If you need more information, or seek assistance in complying with the MHMDA, contact one of our healthcare privacy team members.