Last month, Washington Governor Jay Inslee signed the My Health My Data Act ("MHMDA" or the "Act") into law. While the Act is not a comprehensive privacy law, it extends many protections to Washington residents ("consumers") regarding certain personal information. The MHMDA's unique features are unlike any privacy law we have seen in the last few years - making this law arguably the most impactful U.S. privacy legislation since the CCPA. Here is what you need to know.

What Type of Data Does the Act Regulate?

Contrary to its name, the MHMDA covers more than just health data. The Act regulates "Consumer Health Data" which is defined very broadly to mean "personal information relating to the past, present, or future physical or mental health of a consumer." This definition encompasses virtually any data remotely related to health, including:

  • individual health conditions, treatment, status, diseases, or diagnoses;
  • social, psychological, behavioral, and medical interventions;
  • health-related surgeries or procedures;
  • use or purchase of medication;
  • bodily functions, vital signs, symptoms, or measurements of the information described above;
  • diagnoses or diagnostic testing, treatment, or medication;
  • gender-affirming care information;
  • reproductive or sexual health information;
  • biometric data;
  • genetic data;
  • location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies; or
  • any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the examples listed above.

Thus, entities in the fitness, nutrition, wellness, and health space are subject to the Act. Notably, the Act does not cover protected health information that is subject to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), nor does it cover employee data.

Which Entities are Regulated?

Despite being a Washington law, the reach of the MHMDA extends far beyond the Pacific Northwest. The MHMDA regulates any legal entity that collects, processes, shares, or sells "consumer health data" and either conducts business in Washington or targets products or services to Washington consumers. The term "collect" means "to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner." All entities covered under the Act are "regulated entities." The extraterritorial scope of the Act casts a wide net, given that "collect" covers processing data in virtually any manner. Thus, the MHMDA, much like the CCPA, is a law that should be on most companies' radars.

Small Businesses. All requirements of the MHMDA apply to small businesses, although small businesses receive a later compliance date (see below). A "small business" means "a regulated entity that satisfies one or both of the following thresholds: (a) Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or (b) Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers." One unique feature of the Act is that it contains no revenue threshold (e.g., a $25 million annual revenue threshold), unlike other state privacy laws; an entity of any size that handles consumer health data is covered.

Regulated Entity/Small Business Obligations

  • Prior Consent Requirement for Collecting and Sharing Data. Before collecting or sharing consumer health data, entities must obtain the consumer's consent, unless the collection or sharing is necessary to provide a product or service that the consumer has requested from the entity. Under the MHMDA, "sharing" means disclosing consumer health data to a third party or affiliate. Washingtonians also have the right to withdraw consent and to request deletion of their data.
  • MHMDA Consent Must be Separate. Consent to collect or share consumer health information cannot be combined with other consents. Additionally, each request for consent must include disclosures regarding the entity's collection and sharing practices similar to what individuals might see in a privacy policy. The consent obtained for sharing does not have to identify the entities receiving data by name. However, other provisions of the Act give consumers the right to request identification of those entities (e.g., when their data is being sold). Tracking how consumer health data will be shared/sold is vital because, at any given moment, a consumer could request this information. Failure to provide such information is a violation of the Act.
  • Consent Disclosure. As stated above, certain disclosures must be made to consumers when obtaining consent. These disclosures require entities to notify consumers of (i) the categories of consumer health data collected or shared; (ii) the purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used; (iii) the categories of entities with whom the consumer health data is shared; and (iv) how the consumer can withdraw consent from future collection or sharing of the consumer's health data.
  • Consumer Health Data Privacy Policy. The Act also requires regulated entities and small businesses to have a "consumer health data privacy policy." Whether this policy can be part of a larger privacy policy or must be a standalone policy is unclear. The Act explicitly requires "a link to its consumer health data privacy policy on its homepage." The content requirements of the consumer health data privacy policy mirror those requirements found in other data privacy laws. Under the MHMDA, such privacy policies must include:
    • the categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;
    • the categories of sources from which the consumer health data is collected;
    • the categories of consumer health data that is shared;
    • a list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
    • how a consumer can exercise their rights provided under the MHMDA.
  • Authorization for Sale of Consumer Health Data. In addition to requiring separate consents for the collection and sharing of consumer health data, the MHMDA requires additional obligations before the sale of such data. The Act broadly defines the term "sale" as "the exchange of consumer health data for monetary or other valuable consideration." Before a sale occurs, entities must obtain "valid authorization" from the relevant consumer.
  • Authorization Content Requirements. MHMDA authorizations must identify (i) the specific consumer health data to be sold; (ii) the name and contact information of the buyer and seller; (iii) the purpose of the sale; (iv) an expiration date for the authorization, which expires one year after the consumer signs it; (v) a statement that the provision of goods or services may not be conditioned on the consumer signing the authorization; and (vi) a statement that the consumer health data sold under the authorization may be subject to re-disclosure by the buyer of the data and may no longer be protected under the Act. What these authorizations must look like in practice is unclear. They could be as simple as a check box or as elaborate as obtaining an e-signature from each consumer, although the Act does require the authorization to be signed by the consumer. Additional guidance from regulators will be needed to determine how companies may best satisfy this authorization requirement.
  • Authorization Retention Period. The seller and purchaser of consumer health data must retain a copy of all valid authorizations for the sale of consumer health data for six years from the date of its signature or the date when it was last in effect, whichever is later.
  • Honoring Consumer Rights. Under the MHMDA, consumers have a right to access their consumer health data and receive a list of all third parties and affiliates (including contact information) who receive their individual data from the regulated entity or small business. Consumers also have the right to deletion. These rights are not new for entities already subject to the CCPA or other U.S. data protection laws. If a consumer requests to have their health data deleted, the regulated entity or small business must also delete it from archives and backups, and notify all affiliates and third parties, who must honor the deletion request as well.
  • Responding to Consumer Requests. Like other U.S. privacy laws, regulated entities and small businesses are required to respond to consumer requests regarding their data within 45 days, with one 45-day extension permitted when "reasonably necessary." The Act also mandates an appeals process for a regulated entity's or small business' refusal to take action on a request. The appeal process must be "conspicuously available" and similar to the process for submitting initial consumer requests. Regulated entities or small businesses have an additional 45 days from receipt of an appeal to inform the consumer, in writing, of any action taken or not taken in response to the appeal, including providing a written explanation of the reasons for the decision(s). If the appeal is denied, the regulated entity or small business must provide the consumer with an online mechanism (if available) or other method through which the consumer may contact the attorney general to submit a complaint.
  • Contract Requirements. The Act requires regulated entities and small businesses to enter binding contracts with their service providers (i.e., "processors" under the Act). The Act specifically provides that these contracts must: (i) provide documented processing instructions and limit the actions processors may take when processing consumer health data, and (ii) require processors to assist the regulated entity or the small business by implementing appropriate technical and organizational measures to safeguard consumer health data. A processor that fails to follow those instructions, or that processes consumer health data outside the scope of its contract, is itself treated as a regulated entity or small business with respect to that data and becomes subject to all of the Act's requirements and penalties. Regulated entities should therefore document processing instructions carefully and monitor processor compliance.
  • Prohibition on Geofencing. The MHMDA outright bans geofencing around any entity that provides in-person health services for the purposes of (i) identifying and tracking consumers seeking health services; (ii) collecting consumer health data; or (iii) sending messages or advertisements to consumers related to their consumer health data or health services. Under the Act, a "geofence" is defined as "technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary." For purposes of this prohibition, the Act limits a geofence to a virtual boundary that is 2,000 feet or less from the perimeter of the physical location. Note that the prohibition applies regardless of whether the entity has obtained consent; it is not a consent requirement but a ban.

When Does the MHMDA Go Into Effect?

The MHMDA's substantive obligations take effect on March 31, 2024, for regulated entities and June 30, 2024, for small businesses. This means companies will have a year or less to get up to speed on this new law. Note, however, that the geofencing prohibition is not subject to these delayed dates and takes effect on the Act's general effective date of July 23, 2023.

What are the Risks of Noncompliance?

Violations of the Act constitute "unfair trade practices" that are subject to enforcement under Washington's Consumer Protection Act. Under the Consumer Protection Act, consumers have a private right of action, meaning consumers do not have to wait for the government to enforce their rights under the MHMDA. Additionally, the Washington attorney general may enforce violations of the MHMDA.

Looking Ahead

The MHMDA and other legislative and administrative efforts, such as the Federal Trade Commission's proposed expansion of its Health Breach Notification Rule to health apps and similar technologies that fall outside HIPAA, show that legislators and agencies at the state and federal level are placing a greater emphasis on securing health and health-related data, especially data collected through apps and other emerging technologies. While HIPAA-covered protected health information ("PHI") is exempt from the MHMDA, and the FTC's rule targets health records held outside HIPAA, Washington's MHMDA covers much more than traditional health data. Entities doing business in the state, whether or not that business is significant, must evaluate whether the Act applies and in what capacity (e.g., as a regulated entity or small business) and get up to speed on their obligations quickly. Given that this Act has a private right of action, we may see an increase in class action lawsuits against regulated entities and small businesses that violate the Act. We also anticipate seeing more data processing agreements addressing the Act and imposing obligations on service providers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.