New Privacy Law Alert: Washington’s My Health My Data Act

On April 17, the Washington State legislature passed the “My Health My Data Act” (“MHMDA”), which Governor Jay Inslee is expected to sign into law. If passed, the MHMDA’s new rules would take effect on March 31, 2024. In short, the MHMDA reflects a dramatic expansion of protections for consumer health data, including consumer health data not traditionally protected by the federal HIPAA statute.

The passage of the MHMDA is part of a growing trend by some regulators and states moving to protect certain consumer health data, especially in the wake of the Supreme Court’s Dobbs v. Jackson Women’s Health Organization which overturned its ruling in Roe v. Wade. The passage of MHMDA also follows an uptick in class action filings concerning the collection of sensitive data, including health care information, by Metapixel and other online tracking technologies.

My Health My Data Is Applicable to Most Washington Businesses

The MHMDA has broad applicability. It applies to all organizations that collect health-related information or information that can lead to an inference about an individual’s physical or mental health condition of a Washington consumer or if the information is collected/processed in the state. Not-for-profit organizations are included in the law’s scope, and there is no entity-level exemption for healthcare entities already governed by, for example, HIPAA.

Lastly, there is no size threshold for the application of MHMDA – while a “small business” has a three-month enforcement delay, or through June 30, 2024, small businesses that otherwise collect and process in-scope information are subject to the law’s requirements.

Broad Definitions of Consumer Health Data and Health Care Services

“Consumer health data” is also broadly defined in the MHMDA to include personal information that is linked or can be linked to a consumer, and that identifies the consumer’s past, present, or future physical or mental health status.

The categories of consumer health data in the MHMDA include symptoms, conditions, treatments, bodily functions, testing, behavioral interventions, gender-affirming and reproductive care, biometric and genetic data, and the precise location or other data that identifies an individual as seeking health care services. Cookie IDs, which are strings of characters that websites and servers associate with the browser on which the cookie is stored, are included in the MHMDA’s definition of “consumer health data.” Inferences are also covered within the scope of the law. For example, the definition includes instances where health conditions or treatments might be “derived or extrapolated” from non-health information like, for example, where online browsing by a consumer could reflect a healthcare diagnosis or prescription status.

The MHMDA’s definition of “healthcare services” is also broadly defined as any service provided to a person to assess, measure, improve or learn about a person’s mental or physical health. Because of this, some businesses that provide ancillary services to healthcare providers, such as social care services, could be subject to the MHMDA.

Strict Requirements for Opt-In Consent and Restrictions on Data Sharing

Among other things, companies that are subject to the MHMDA must maintain and publish on their website a consumer health data privacy policy that discloses the categories of consumer health data collected and the purposes of collection, the categories of sources from which consumer health data is collected, the categories of consumer health data that is shared and the categories of third parties and specific affiliates with whom the regulated entity shares consumer health data and how a consumer may exercise consumer rights with regard to consumer health data.

Further, businesses must, with limited exceptions, obtain a consumer’s affirmative opt-in consent before collecting or sharing consumer health data. “Sharing” as used in the MHMDA means the disclosure of any health data to a third party or to a corporate affiliate, with certain limited exceptions to, for example, fulfill the request of a consumer. The requirement for affirmative opt-in consent prior to collection is consistent with the Virginia Consumer Data Protection Act’s opt-in requirement for the collection of sensitive personal information but is otherwise a newer requirement under state privacy laws.

Businesses are also required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect consumer health data, including internal enterprise-wide access controls designed to restrict access to consumer health data only to those employees, processors or contractors that need access to further the purposes of the collection; and enter into a written contract with data processors related to their use of consumer health data.

Prohibition on Data Sales Without Written Authorizations

The MHMDA also makes it unlawful for any person or entity to sell consumer health data without first obtaining written authorization that is separate from consent obtained to collect or share consumer health data in the first place.

It is also unlawful to implement a geofence around an entity that provides in-person healthcare services if the geofence is used to identify or track consumers seeking healthcare services; collect consumer health data from consumers; or send notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services.

Consumer Privacy Rights

The MHMDA includes a range of new privacy rights for Washington consumers. First, the consumer has the right to confirm whether a business is collecting, sharing, or selling consumer health data; the right to access consumer health data, including a list of all third parties and affiliates with whom the business has shared or sold the consumer health data; the right to withdraw consent from the businesses collection and sharing of consumer health data; the right to have consumer health data deleted; and the right to appeal a business’ refusal to act on one of the consumer’s rights enumerated in the MHMDA.

The MHMDA also expands deletion rights well beyond that provided by other State privacy laws. For example, the MHMDA states that data on archived or backup systems must be deleted within six months of the deletion request. For all other requests and consumer appeals, businesses must act on a request without undue delay and within 45 days (and subject to a one-time 45-day extension). And any verified consumer request must also be pushed downstream to all service providers, contractors, third parties, and affiliates.

Businesses subject to the MHMDA must take certain actions to protect the consumer health data they maintain by June 30, 2024. They must restrict access to consumer health data to those who need it to fulfill an appropriate purpose, and they must also implement appropriate safeguards to protect the confidentiality, integrity, and accessibility of consumer health data.

Enforceability & Private Right of Action

Last, violations of the Act are enforceable under the Washington Consumer Protection Act (CPA) as unfair or deceptive acts in trade or commerce and unfair methods of competition. The CPA may be enforced by the Washington Attorney General.

Critically, the Act also permits a private right of action for aggrieved consumers. Civil penalties for unfair or deceptive trade acts and unfair competition under the CPA can rise to $7,500 per violation but can also include treble damages, capped at $25,000, in civil actions brought by consumers.