
An Overview of Washington’s “My Health, My Data” Act


On April 27, 2023, Governor Jay Inslee of Washington signed into law HB 1155, the “My Health, My Data” Act (MHMD Act). The MHMD Act claims to address the lack of protections for health data collected by entities not covered by HIPAA, the federal law that regulates how hospitals, health care providers, and other covered entities can handle health data.

To achieve that goal, the MHMD Act was drafted in such a way as to provide sweeping protections that go beyond what most would consider to be protected “consumer health data.” For example, the scope of the definition, as we detail below, may include athletic equipment, footwear, or even groceries such as ginger.

In addition, the MHMD Act introduces consumer rights, privacy policy obligations, contractual requirements, and more. To ensure the MHMD Act is adhered to, the legislature included a private right of action, thereby opening the door to plaintiff litigation to enforce the Act.

Taking this all into consideration, the Washington “My Health, My Data” Act may be the most consequential US privacy legislation enacted in this decade.


Washington My Health, My Data Act

Scope & Applicability

  • Covered Entities. The MHMD Act imposes restrictions and obligations on two types of entities, regulated entities and small businesses. A small business is itself a regulated entity that falls under the size thresholds described below; the only practical consequence of qualifying as a small business is a three-month delay of the effective date. See Effective Dates, below.


    • Regulated Entity. A regulated entity is any legal entity that:
      • Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
      • Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. Sec. 3(23).
      The definition excludes government agencies, tribal nations, and contracted service providers when they process consumer health data on behalf of a government agency. Sec. 3(23). Unlike most state comprehensive privacy laws, the definition carries no minimum revenue or data-volume threshold; processing the consumer health data of a single Washington consumer is enough, and the small business category only delays the compliance date.


    • Small Business. A small business is a regulated entity that satisfies one or both of the following thresholds:
      • Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
      • Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers. Sec. 3(28).


  • Protected Consumers. A consumer under the MHMD Act is either:
    • a natural person who is a Washington resident; or
    • a natural person whose consumer health data is collected in Washington.
    The second prong means the Act reaches non-residents, such as travelers, whose consumer health data is collected while they are physically in Washington.
    “Consumer” does not include individuals acting in an employment context, nor does it include B2B relationships. Sec. 3(7).


  • Protected Data. The MHMD Act regulates “consumer health data,” which is defined as information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer and that identifies the consumer’s past, present, or future physical or mental health status. Sec. 3(8)(a); Sec. 3(18)(a). Physical or mental health status includes:
    1. Individual health conditions, treatment, diseases, or diagnosis.
    2. Social, psychological, behavioral, and medical interventions.
    3. Health-related surgeries or procedures.
    4. Use or purchase of prescribed medication.
    5. Bodily functions, vital signs, symptoms, or measurements of any information in this list.
    6. Diagnoses or diagnostic testing, treatment, or medication.
    7. Gender-affirming care information.
    8. Reproductive or sexual health information.
    9. Biometric data.
    10. Genetic data.
    11. Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.
    12. Data that identifies a consumer seeking health care services.
    13. Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning). Sec. 3(8)(b)(i)-(xiii).


    • Health Care Services. The most notable item in the list above is number 12, data that identifies a consumer seeking health care services. The MHMD Act defines “health care services” to mean any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health. Sec. 3(15). Recognizing that this broad definition could reach numerous everyday items, Senate members introduced an amendment to expressly exclude items such as athletic equipment, footwear, perfumes, jewelry, toys, cleaning products, recreational cannabis, groceries, and more. The amendment was defeated, so the enacted statute contains no such carve-out, and the scope question is left to the plain breadth of the definition.


    • Biometric Data. It is worth noting that the MHMD Act’s definition of biometric data expressly includes imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings from which an identifier template can be extracted, as well as keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information. Sec. 3(4). Because a raw image or recording qualifies once a template could be extracted from it, photo and voice data collected for ordinary product features can fall within the definition even if no template is ever generated.


Substantive Provisions

  • Security Standards. A regulated entity or small business must establish and maintain data security practices that, at a minimum, satisfy the reasonable standard of care within the regulated entity’s or small business’s industry to protect the confidentiality, integrity, and accessibility of consumer health data. Sec. 7(1)(b). The Act prescribes no specific controls; the benchmark is the entity’s own industry practice, so documenting which security framework the program follows, and why it is reasonable for that industry, is the practical way to evidence compliance. Sec. 7(1)(a) pairs this with a least-privilege requirement: access to consumer health data must be restricted to those employees, processors, and contractors for whom access is necessary to further the purpose for which the consumer consented or to provide the product or service the consumer requested.


  • Geofencing Restrictions. It is unlawful for any person, not only regulated entities and small businesses, to implement a geofence around an entity that provides in-person health care services where such geofence is used to identify or track consumers seeking health care services, collect consumer health data from consumers, or send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. Sec. 10. The Act’s definition of “geofence” (Sec. 3) covers GPS coordinates, cell tower connectivity, cellular data, RFID, Wi-Fi data, or any other form of spatial or location detection used to establish a virtual boundary around a physical location or to locate a consumer within one, and limits the term to boundaries of 2,000 feet or less from the perimeter of the physical location. Location-based advertising campaigns should therefore be checked for any targeting radius that falls within that distance of a clinic, pharmacy, or similar facility.


  • Privacy Policy. Regulated entities and small businesses must maintain a privacy policy that discloses:
    • The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used.
    • The categories of sources from which the consumer health data is collected.
    • The categories of consumer health data that is shared.
    • The list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data.
    • How a consumer can exercise the rights provided under the MHMD. Sec. 4(1)(a).


  • Restricted Data Collection. A regulated entity or small business cannot collect any consumer health data except (i) with consent from the consumer for such collection for a specified purpose or (ii) to the extent necessary to provide a product or service that the consumer has requested from such regulated entity or small business. Sec. 5(1)(a). The same two-prong rule governs sharing: consumer health data may be shared only with the consumer’s consent or to the extent necessary to provide the requested product or service. Sec. 5(1)(b). Consent to collect and consent to share must be obtained separately and distinctly. Sec. 5(2). Consent under the MHMD Act means a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement. Sec. 3(6)(a). Notably, consent cannot be obtained by acceptance of a general or broad terms of use agreement or similar document. Sec. 3(6)(b)(i).


  • No Sales without Valid Authorization. A “sale” under the MHMD Act means the exchange of consumer health data for monetary or other valuable consideration. Sec. 3(26)(a). It is unlawful for any person to sell or offer to sell consumer health data concerning a consumer without first obtaining a valid authorization signed by the consumer. Sec. 9(1). A valid authorization is a document containing:
    • The specific consumer health data concerning the consumer that the person intends to sell;
    • The name and contact information of the person collecting and selling the consumer health data;
    • The name and contact information of the person purchasing the consumer health data;
    • A description of the purpose of the sale, including how the consumer health data will be gathered and how it will be used by the purchaser;
    • A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
    • A statement that the consumer has a right to revoke the valid authorization at any time and a description on how to do so;
    • A statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by this section;
    • An expiration date for the valid authorization that expires one year from when the consumer signs it; and
    • The signature of the consumer and date of signature. Sec. 9(2).


  • Data Processor Agreements. The MHMD Act defines a “processor” as any person that processes consumer health data on behalf of a regulated entity or small business. Sec. 3(20). A processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity or small business that sets forth the processing instructions and limits the actions the processor may take with respect to the consumer health data. Sec. 8(1)(a)(i). A processor that processes outside those instructions is treated as a regulated entity for that processing, so vendor contracts should be reviewed to confirm the instructions actually cover every use the vendor makes of the data.


Consumer Rights

The MHMD Act provides consumers with several privacy rights, including:

  • Right to Know. A consumer has the right to confirm whether a regulated entity or small business is collecting, sharing, or selling consumer health data concerning the consumer. Sec. 6(1)(a).
  • Right to Access. A consumer has the right to access the consumer health data concerning the consumer, including a list of all third parties and affiliates with whom the regulated entity or the small business has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact those third parties. Sec. 6(1)(a).
  • Right to Withdraw Consent. A consumer has the right to withdraw consent from the regulated entity’s or the small business’s collection and sharing of consumer health data concerning the consumer. Sec. 6(1)(b).
  • Right to Delete. A consumer has the right to have their consumer health data deleted. Sec. 6(1)(c).
  • Right to Appeal. A consumer has the right to appeal the regulated entity’s or small business’s refusal to take action on a request. Sec. 6(1)(g).


Exemptions

The MHMD Act’s exemptions (Sec. 12) include information subject to HIPAA, GLBA, FCRA, and FERPA. Note that these exemptions are data-level rather than entity-level: a HIPAA covered entity remains subject to the Act for any consumer health data it holds that falls outside protected health information, for example data collected through a consumer-facing app or website that is not part of the designated record set.


Enforcement

Violations of the MHMD Act are enforceable under the Washington Consumer Protection Act (WCPA) as an unfair or deceptive act in trade or commerce and an unfair method of competition. Sec. 11; RCW 19.86.020.

  • State AG Enforcement. The WCPA is enforced by the Washington Attorney General. RCW 19.86.080.


  • Private Right of Action. The WCPA includes a private right of action for persons injured by unfair or deceptive acts or practices. RCW 19.86.090; see also RCW 19.86.093 (public interest element of a private claim). A prevailing plaintiff may recover actual damages plus costs and reasonable attorneys’ fees, and the court may increase the award up to three times actual damages, with the increase capped at $25,000. RCW 19.86.090. Civil penalties of up to $7,500 per violation are available in actions brought by the Attorney General, not to private plaintiffs. RCW 19.86.140.


Effective Dates

  • For regulated entities, MHMD’s provisions go into effect on March 31, 2024.
  • For small businesses, MHMD’s provisions go into effect on June 30, 2024.
  • The geofencing prohibition in Sec. 10 carries no delayed date and has been in force since the Act’s general effective date of July 23, 2023.