Locke Lord QuickStudy: Washington State My Health, My Data ‎Act

Washington state recently enacted the My Health, My Data Act (House Bill 1155) (the “MHMD Act”), which aggressively requires all entities that collect, share, or sell consumer health data in Washington to comply with very broad and stringent privacy obligations. There is no minimum revenue, minimum number of data subjects, or amount of health data threshold to trigger regulation under the MHMD Act, although as discussed below, small businesses have a delayed compliance date.

Unlike the California Consumer Privacy Act and other similar comprehensive consumer privacy laws recently enacted in several other states, the MHMD Act is focused narrowly on “consumer health data,” which is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”^[1]   

The MHMD Act exempts certain categories of information, but does not provide entity level exemptions. Most notably, the MHMD Act exempts data that is otherwise regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); 42 CFR Part 2 information (Confidentiality of Substance Use Disorder Patient Records); The Financial Services Modernization Act (the “Gramm–Leach–Bliley Act” or “GLBA”); The Fair Credit Reporting Act (“FCRA”); and de-identified information. The MHMD Act defines “regulated entit[ies]” as any legal entity, other than governmental or that (1) conducts business in Washington or targets products or services toward Washington residents and (2) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.^[2]

Like other privacy regulations, the MHMD Act can be broken down into three broad categories:  (1) required conduct of regulated entities, (2) prohibitive conduct, and (3) rights of consumers. Below is a brief summary of the key points of the MHMD Act:

Requirements of Regulated Entities: 

The MHMD Act requires that a regulated entity publish a privacy policy on its homepage that discloses:

The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;

The categories of sources from which the consumer health data is collected;

The categories of consumer health data that is shared;

A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and

How a consumer can exercise the rights provided by the MHMD Act.

Regulated entities must obtain consent from consumers:

To collect or share health data for any purposes other than as necessary to provide a product or service that the consumer to whom such consumer health data relates has requested;

To sell consumer health data (separate from consent to collect or share), which is effective for one year from obtaining consent and must be retained for six years; and

Both of which can be withdrawn by the consumer.

The MHMD requires a written agreement between the regulated entity and any data processor that will process consumer health data on behalf of the regulated entity.

Prohibited Conduct: The MHMD Act prohibits:

Geo-fencing around in-person health-care facilities that (1) identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.

Rights: The MHMD Act grants consumers the right to request deletion of the information regulated by the MHMD Act.

Compliance Date

The MHMD Act is effective March 31, 2024 for regulated entities, or June 30, 2024, for small businesses. A small business is a business that collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or derives less than 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.

Enforcement

Both the attorney general and consumers can file suit for alleged violations of the MHMD Act and damages can range from the lesser of $25,000 or an amount of up to three times the actual damages, at the discretion of the court.

—

Regulated entities should begin now to prepare the required disclosures, internal procedures to respond to consumer requests, and to implement or amend agreements with processors to comply with the contractual requirements of the MHMD Act.