FAQ: Washington State’s ‘My Health My Data Act’

Legal Alert

On April 27, 2023, Washington enacted the “My Health My Data Act” (“MHMDA”) that will become effective March 31, 2024 in most instances.[1]  Any violation of MHMDA will be resolved through the Washington Consumer Protection Act (the “WCPA”), which is enforceable by both the state Attorney General and through a private right of action by aggrieved consumers.

I. Background

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) currently governs at the federal level the confidentiality of “protected health information” maintained by “covered entities” (i.e., certain providers, health plans and health information exchanges) and the business associates of such covered entities.  Washington’s Uniform Health Care Information Act (“UHCIA”) is the state-level equivalent of HIPAA, but UHCIA and HIPAA are not identical in the protections they offer.  Additionally, the Federal Trade Commission’s Health Breach Notification Rule requires certain vendors of personal health records (“PHRs”), PHR related entities, and any third parties that provide services to the foregoing to notify consumers of an unauthorized acquisition of unsecured PHR identifiable health information. 

The intent of MHMDA is to expand on existing legal frameworks to impose privacy and data protection obligations on entities that are not covered by HIPAA, UHCIA and other similar laws, such as businesses collecting certain health data via apps, websites, and tracking devices.  Below we break down this new law in an FAQ format.

II. Frequently Asked Questions

(1) Who is required to comply with MHMDA? 

MHMDA will apply to a “regulated entity” defined as any legal entity that (i) conducts business in Washington, or produces or provides products or services that are targeted to Washington “consumers” (defined as Washington residents or persons whose consumer health data are collected in Washington), and (ii) alone or jointly with others, determines the purpose and means of collecting[2], processing, sharing, or selling[3] of “consumer health data” (defined below).  As the definition makes clear, even an out-of-state regulated entity with no physical presence in Washington must still comply if it produces or provides products or services that are targeted to consumers in Washington.  “Regulated entity” specifically excludes government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency. 

Note that any regulated entity that (i) collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year or (ii) derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers will be deemed a subset known as a “small business,” and a small business will get an extra three months (i.e., until June 30, 2024) to comply with MHMDA.

In turn, regulated entities and small businesses (collectively, the “Entities”) are required to enter into binding contracts with “processors” (defined as entities that process consumer health data on the Entities’ behalf) that set forth the processing instructions and limit the actions such processors may take with respect to the consumer health data.  To the extent the processors breach by processing consumer health data in violation of the contract, the processors would be considered an Entity with respect to such consumer health data and become subject to all the requirements under MHMDA.

(2) What type of information or data is protected?

MHMDA protects “consumer health data,” which is generally defined as non-deidentified personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status, including but not limited to health conditions, health-related surgeries/procedures, prescribed medication, gender-affirming care information, biometric data, location information indicating consumer’s attempt to receive health care services or supplies, data identifying that a consumer is seeking health care services, and any information that is processed to associate or identify a consumer with “data…that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).”[4]  Consumer health data excludes publicly available information.

Therefore, a literal reading of the definitions would mean, for example, that a fitness gym in Seattle – an entity that would not ordinarily be covered under HIPAA or UHCIA – that takes down a new member’s weight and height for demographic purposes (thereby triggering the “collecting…of consumer health data”) may be an Entity for the purpose of MHMDA and thus be subject to the requirements thereunder.

(3) Are there exceptions to MHMDA?

MHMDA has certain categorical exemptions.  Specifically, MHMDA does not apply to consumer health data collected, used, or disclosed pursuant to certain federal and state laws, including but not limited to: (i) protected health information under HIPAA, (ii) health care information under UHCIA, (iii) patient identifying information under 42 C.F.R. Part 2 relating to confidentiality of substance use disorder records, and (iv) identifiable private information for purposes of the federal policy for the protection of human subjects and other private information that is otherwise collected as part of human subjects research. 

Additionally, the various obligations imposed by MHMDA do not restrict the Entities to collect, use, or disclose consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, etc.; provided, however, the Entities bear the burden of demonstrating that such collection, usage, or disclosure qualifies for the exemption. 

(4) What obligations are imposed on the Entities?

As described generally below, with its broad scope, MHMDA will, among other things, (i) require the Entities to maintain a consumer health data privacy policy that clearly and conspicuously discloses how they use the consumer health data, (ii) prohibit the Entities from collecting and sharing consumer health data without the consumers’ consent, (iii) empower consumers with the right to confirm and access their own consumer health data, withdraw consent, and have their data deleted, (iv) prohibit the consumer health data from being sold without valid authorization signed by the consumer, and (v) restrict geofencing around in-person health care facilities to identify, track, or send messages to a consumer.

A. MHMDA will require the Entities to maintain a consumer health data privacy policy that clearly and conspicuously discloses (i) the categories of consumer health data collected and the purposes of collection and (ii) the categories of sources from which consumer health data is collected, among other information. 

B. MHMDA will prohibit the Entities from collecting and sharing consumer health data without the consumers’ “consent” (defined below).  Notably, a consumer’s consent to share consumer health data must be “separate and distinct” from the consumer’s consent to collect consumer health data.  MHMDA defines “consent” as a clear affirmative act that signifies a consumer’s freely given, informed, opt-in, and voluntary agreement (which may include written consent through electronic means), but a consent may not be obtained, for example, by (i) a consumer’s acceptance of a general or broad terms of a use agreement or a similar document containing general descriptions of personal data processing along with other unrelated information, or (ii) a consumer hovering over, muting, pausing, or closing a given piece of content.

C. MHMDA will empower consumers with the right to confirm and access their own consumer health data, withdraw their consent, and have their data deleted upon request.  Notably, MHMDA emphasizes the consumer’s right to have his/her consumer health data deleted, describing how an Entity that receives a consumer’s deletion request must delete the consumer health data from its records/networks/system.  The MHMDA does not give the consumer the right to delegate such access and other requests to authorized agents or representatives.  Such Entity must also notify all affiliates, processors, contractors, and other third parties with whom the Entity has shared the consumer health data of the consumer’s deletion request (at which time such affiliates, processors, contractors, and other third parties must also delete the consumer health data in response to the consumer’s deletion request).  It is unclear from its text whether MHMDA could be enforced against such affiliates, processors, contractors, and other third parties in the event they fail to delete the consumer health data (in which case MHMDA would most likely be enforced against the Entity instead), so as a proactive measure Entities are advised to include appropriate terms in their vendor contracts requiring the counterparty to comply with a data deletion request, among other requirements under MHMDA.

D. MHMDA will prohibit the consumer health data from being sold without valid authorization signed by the consumer.  Importantly, such valid authorization must be separate and distinct from the consent to share consumer health data or the consent to collect consumer health data described earlier.  The valid authorization must be written in plain language and contain such information as (i) the name and contact information of the seller and the purchaser of the consumer health data, and (ii) a description of the purpose for the sale, including how the consumer health data will be gathered and used.

E. MHMDA will restrict geofencing around in-person health care facilities to identify, track, or send messages to a consumer.  Specifically, once MHMDA takes effect it will become unlawful for any person to implement a “geofence” (defined below) around an entity that provides in-person “health care services” (defined below) where such geofence is used to: (i) identify or track consumers seeking health care services, (ii) collect consumer health data from consumers, or (iii) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.  “Geofence” is defined as a virtual boundary of 2,000 feet or less created using global positioning technology, while “health care service” is defined as any service provided to assess, measure, improve, or learn about a person’s mental or physical health, including but not limited to (i) individual health conditions, status, diseases, or diagnoses, (ii) social, psychological, behavioral, and medical interventions, and (iii) surgeries/procedures.

F. MHMDA will require the Entities to establish, implement, and maintain information security measures appropriate to their respective industries to protect the consumer health data.  This requirement should be generally familiar to the Entities given existing state data protection statutes (e.g., California Civil Code Section 1798.81.5(b)) and regulations (e.g., Massachusetts 201 CMR 17.00).  As such, the Entities should review and confirm that their information security measures are designed and implemented to protect the confidentiality, integrity, and accessibility of consumer health data, with consideration to the volume and nature of the consumer health data being processed.

(5) What are the penalties imposed on the Entities in the event of breach?

All MHMDA violations will be resolved through the WCPA.  In addition to an action brought by the state Attorney General, WCPA is enforceable through a private right of action directly by aggrieved consumers once such consumers are able to prove the five elements of a WCPA claim, which are (i) an unfair or deceptive act or practice, (ii) occurring in trade or commerce, (iii) public interest impact, (iv) injury to plaintiff in his/her business or property, and (v) causation[5].  Each WCPA violation carries a maximum $7,500 civil penalty, but the courts in their discretion may increase damage awards up to three times the actual damages sustained or $25,000, whichever is less.

(6) What are some immediate compliance steps that Entities should take?

As already stated, MHMDA becomes a requirement for regulated entities come March 31, 2024 (and for small businesses come June 30, 2024), and given the law’s broad scope and extensive obligations, applicable businesses are advised to promptly begin working with counsel to come into compliance.  The MHMDA does not reference any forthcoming implementing rules.  As a start, businesses should closely analyze their products and services to see if they qualify as an Entity and, if so, how their products and services collect, create, use, maintain, sell, etc. consumer health data.  Entities must subsequently, among other things, (i) prepare a privacy policy that is compliant with MHMDA, (ii) implement and operationalize policies and procedures (and train employees and vendors, etc. accordingly) for obtaining required consents and allowing consumers to exercise their rights under MHMDA (e.g., their right to request deletion), and (iii) work with their website and app vendors/developers to remove any existing notices or terms/conditions that could be deceptive or contrary to MHMDA guidelines, etc.  More broadly, many of the requirements in the MHMDA are similar or incremental to ones in general state privacy laws, such as the California Consumer Privacy Act and the Virginia Consumer Data Protection Act, among others.  As such, a holistic approach encompassing an analysis of compliance requirements across these various laws should be considered for Entities conducting business in or otherwise subject to the requirements of these laws.  For completeness, Washington does not have a general privacy law, although a bill (SB 5643) was introduced in January 2023.

This legal alert is merely informational—not legal advice or an exhaustive treatment of MHMDA and its rights and obligations.  For more information, please contact any of the authors who can assess your applicability and risks under MHMDA and help your business come into compliance.
[1] Regulated entities will need to comply by March 31, 2024, but a subset of regulated entities called small businesses will get an extra three months until June 30, 2024 to comply.  See the later sections of this blog post for more details.
[2] “Collect” means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.  §3(5).
[3] Importantly for transactional lawyers, neither “sharing” nor “selling” of consumer health data would be triggered when consumer health data is exchanged/disclosed/transferred to a third party in connection with a merger, acquisition, bankruptcy, or other transaction that results in the third party assuming control and where the third party complies with the obligations under the MHMDA.  §3(26)(b)(i) and §3(27)(b)(iii).
[4] “Consumer health data” does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by independent oversight entities.
[5] Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wash.2d 778, 780 (1986).
