Washington's My Health My Data Act (MHMD) is set to go into effect as early as March 31, 2024, and it will impact companies of all sizes and across many different industries, from startups to technology giants, car rental companies, online stores, app developers, spas, and some senior living and care communities. Although MHMD governs the use of "consumer health data," its intentionally expansive definitions render it applicable to many entities with no ties to the health care industry.

MHMD is the first law of its kind in the U.S., and it will create far-reaching implications for how businesses with a commercial nexus to Washington will handle their customers' health-related data. Even with its significant carveout for information subject to the Health Insurance Portability and Accountability Act (HIPAA) and information collected in the employment context, MHMD fundamentally changes the landscape of data governance in Washington. From a risk standpoint, because this law creates a private right of action, it is virtually guaranteed that class actions will follow. This article breaks down the key provisions of MHMD and provides strategic insights to help businesses navigate the complexities of MHMD compliance.

Are You Collecting "Consumer Health Data"?

Because of the broad definitions used in MHMD, your business might be collecting "consumer health data" without ever suspecting it. Consumer health data is personal information linked or reasonably linkable to a consumer, identifying their past, present, or future physical or mental health status. Statutory examples of information identifying "health status" include:

Conditions, treatments, diseases, diagnoses, interventions, surgeries, procedures, use or purchase of prescription medication, bodily functions, vital signs, symptoms, measurements of covered information, diagnostic testing, treatment or medication, gender-affirming care information, reproductive/sexual health information, biometric data, genetic data, geolocation data, data that identifies a consumer seeking health care services, and any information processed to associate a consumer with the above data that is derived or extrapolated from non-health data.

If you are receiving any of this information, whether through customer forms, automated data collection technologies, or other means, you might be subject to MHMD. Below are a few surprising examples of the types of businesses that may need to navigate MHMD compliance:

  • App developers and device manufacturers that receive blood pressure data, fitness, sleep, fertility, or any other health-related pattern information;
  • Online stores that sell diabetes kits, glucose kits, DNA test kits, pregnancy kits, etc., and that associate such purchases/online searches with names, IP addresses, cookie IDs, device IDs, etc.;
  • Senior living and care communities not currently subject to HIPAA (such as independent living communities and private pay assisted living) that receive or obtain information from residents through wellness programs or information about preexisting conditions, health status, medication, and the like;
  • Spas that need to know about the use of retinol or other prescription products before performing a service; and
  • Gyms and yoga studios that ask their customers to fill out forms inquiring about pregnancies, respiratory conditions, etc.

Notably, MHMD's definition of a "consumer" encompasses not only Washington residents but also any other individuals whose health data is "collected" in Washington (with the exception of employees). The definition of collecting is (again) very broad and includes buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving, or "otherwise process(ing) consumer health data in any manner." Such broad definitions can make applicability assessments exceedingly challenging, particularly for technology companies.

What Types of Entities Are Subject to MHMD?

MHMD applies to "regulated entities," defined as legal entities that (1) conduct business in Washington or provide products/services targeted to consumers in Washington, and (2) alone or jointly with others, determine "the purpose and means of collecting, processing, sharing, or selling of consumer health data." In other words, MHMD governs entities that control consumer health data and that have a commercial nexus to Washington, regardless of a physical location in the state. Unlike many other privacy laws, MHMD does not specify an annual revenue or data volume threshold, which means that it applies to regulated entities of all types and all sizes, including single-member LLCs and non-profits.

There is a subset of regulated entities called "small businesses," which include (1) entities that collect, process, sell, or share consumer health data of fewer than 100,000 consumers (as defined above) per year, and (2) entities that control, process, sell, or share consumer health data of fewer than 25,000 consumers and derive less than 50% of annual revenue from doing so. Regulated entities that meet the MHMD's definition of a small business have until June 30, 2024, to comply. All other regulated entities must be in compliance by March 31, 2024.

Companies that process data on behalf of regulated entities (defined as "processors") are also governed by MHMD. The agreements between the regulated entities and the processors will have to include special processing clauses. Failure to honor such clauses will turn processors into regulated entities, thus making them subject to the Attorney General's enforcement as well as private lawsuits and class actions.

What Types of Data Are Excluded?

Several MHMD exclusions are designed to avoid conflicts with sector-specific privacy laws. The most notable exclusion pertains to the protected health information (PHI) governed by HIPAA. Both PHI and any information that originates from HIPAA-regulated entities (including employer-sponsored group health plans and most health care providers) and becomes "intermingled to be indistinguishable" with PHI maintained by such entities, is not subject to MHMD. The same rule applies to health care information collected under the Uniform Health Care Information Act and several other health care laws. Other sector-specific exclusions apply to information governed by the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act, among others.

Finally, companies collecting health data from their employees are exempt from MHMD but only to the extent of data collected in the employment context. Individuals acting in the employment context are not considered "consumers."

What Are the MHMD Compliance Requirements?

MHMD imposes a number of significant compliance requirements on the entities it regulates. Unless an exception applies, regulated entities will need to obtain the consumer's consent before collecting consumer health data. Separate and distinct consents must also be obtained before sharing, selling, or offering to sell such data.

Second, MHMD requires creating and maintaining a new type of privacy policy designed specifically for consumer health data. The policy will need to meet numerous statutory requirements, such as making the requisite disclosures and informing consumers about their MHMD rights (the right to confirm and access data, the right to withdraw consent to collect/share/sell data, and the right to delete). MHMD limits the permissible use of geofencing around businesses that provide in-person health care services, and it requires regulated entities to establish data access restrictions and to implement certain data security practices.

Finally, processors are permitted to handle consumer health data only pursuant to binding contracts with special processing instructions that limit the actions that the processors may take with regard to the consumer health data. This may require adding special clauses to the existing data processing agreements and other types of contracts.

What Are the Consequences of Non-Compliance?

The most striking feature of MHMD is that it creates a private right of action for any violation of this new law. The majority of the state privacy laws either do not provide a private right of action or limit it in significant ways. MHMD, however, is designed to make it easy for consumers to pursue individual claims as well as class actions for any violations. In addition, Washington's Attorney General is prepared to receive consumers' reports of non-compliance and begin investigations once MHMD goes into effect. Between the private right of action and the government enforcement, MHMD is likely to draw litigants' and the media's attention in the near future. Compliance should not be taken lightly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.