
Washington’s My Health My Data Act targets entities not subject to HIPAA and provides certain consumers with a private right of action

On April 27, 2023, Washington State passed the first-in-nation health data privacy act with a private right of action.  The My Health My Data Act (MHMDA), enacted in response to the Supreme Court’s Dobbs decision which overturned Roe v. Wade, creates protections for:  (a) personal information relating to Washington residents’ consumer health data and their attempts to obtain health care services; and (b) other consumer health data that is processed in Washington.  

MHMDA is specifically designed to cover health data collected by entities not subject to the federal Health Insurance Portability and Accountability Act (HIPAA).  HIPAA only covers “protected health information” (PHI) collected by “covered entities” (namely health plans, health care clearinghouses and health care providers who transmit health information in electronic form) and their “business associates.”  As described in more detail below, non-covered entities (i.e., entities that are not subject to HIPAA) that collect or process consumer health data from Washington residents and/or collect or process personal health data of non-Washington residents in Washington (including advertisers, mobile app providers, wearable device manufacturers, website providers, health and wellness trackers and wellness industry providers) could be subject to MHMDA.

What companies are subject to MHMDA?

MHMDA applies to “regulated entities,” defined as “any legal entity that:  (a) conducts business in Washington or produces or provides products or services that are targeted to “consumers” in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing or selling of consumer health data.”  Government agencies, tribal agencies, and contracted service providers processing consumer health data on behalf of government agencies are specifically excluded.  Regulated entities may include not-for-profit entities.

“Consumer” is defined as a natural person who is a Washington resident or whose consumer health data is collected or processed in Washington.  This definition includes people acting in an individual/household context (including consumers identified through unique identifiers such as cookie IDs, IP addresses or device identifiers), but excludes persons acting in an employment context.

MHMDA also specifies that “small businesses” are subject to the act; however, the term “small business” is subsumed within the term “regulated entity,” so in essence, all obligations on regulated entities under MHMDA also apply to small businesses.

Unlike other general state privacy laws, such as the California Consumer Privacy Act as modified by the California Privacy Rights Act, MHMDA has no applicability threshold based on revenue or on the number of consumers from whom data is collected.  A single Washington consumer’s health data is enough to bring an entity within scope.

What information is covered by the Act?

MHMDA applies to “consumer health data,” broadly defined as “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer’s past, present or future physical or mental health.”  The act specifically includes the following as consumer health data:   

  • Individual health conditions, treatment, diseases or diagnoses;
  • Social, psychological, behavioral and medical interventions;
  • Health-related surgeries or procedures;
  • Use or purchase of prescribed medication;
  • Bodily functions, vital signs, symptoms, or measurements of the information expressly identified in the definition of “consumer health data;”
  • Diagnoses or diagnostic testing, treatment or medication;
  • Gender-affirming care information;
  • Reproductive or sexual health information;
  • Certain types of biometric and genetic data; 
  • Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
  • Data that identifies a consumer seeking “health care services” which is broadly defined as any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health; and
  • Any information included in the definition of “consumer health data” that could be reasonably derived or extrapolated from non-health information such as proxy, derivative, inferred or emergent data, including algorithms and machine learning. 

MHMDA specifically excludes the following from the definition of consumer health data:  (a) PHI governed by HIPAA, information intermingled with PHI maintained by HIPAA-regulated entities, and health records governed by or created pursuant to other healthcare-related state and federal laws; (b) data regulated by the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Administrative Simplification provisions of the Social Security Act, the Family Educational Rights and Privacy Act, statutes and regulations applicable to the Washington Health Benefit Exchange, and certain privacy rules adopted by the Washington Office of the Insurance Commissioner; and (c) de-identified data (i.e., data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such a consumer, so long as certain requirements are met).

MHMDA also does not prohibit the collection, use or disclosure of consumer health data to prevent, detect, protect against or respond to and prosecute security incidents, theft, fraud, harassment, malicious or deceptive activities or any illegal activity under Washington or federal law.

What must companies subject to MHMDA do to comply with the act?

Regulated entities and small businesses:

  • Must post a Consumer Health Data Privacy Policy that complies with the requirements of MHMDA, and post a prominent link to the policy on the company’s home page.
  • Must not collect any consumer health data unless they have affirmative consent for the specified purpose for which it will be used, or to the extent necessary to provide the product or service requested by the consumer.  To obtain valid consumer consent, regulated entities and small businesses must obtain a “clear affirmative act that signifies a consumer’s freely given, specific informed opt-in, voluntary, and unambiguous agreement.”  A consumer’s acceptance of general terms of use or a privacy policy, or hovering over content, does not constitute valid consent.
  • May not share consumer health data except with affirmative consent that is separate and distinct from the consent to collect, or to the extent necessary to provide the product or service requested by the consumer.  (It is important to note that the definition of “share” includes disclosures to affiliates; however, it excludes disclosing consumer health data to a processor in order to provide products or services in a manner consistent with the purpose disclosed to the consumer, and to a third party with whom the consumer has a direct relationship (subject to certain conditions).)  The definition of “share” also excludes disclosures of consumer health data as an asset in the M&A context if the data recipient complies with MHMDA.
  • Must enter into binding contracts with service providers that specify how such providers may process the consumer health data and the actions they may take regarding it.  If a service provider fails to adhere to these contractual obligations, it will itself be considered a regulated entity under MHMDA.
  • May not use a geofence or virtual boundary around a facility that provides health care services for the purpose of identifying or tracking consumers seeking services from the facility, collecting consumer health data from such consumers or sending them notifications, messages or advertisements related to their consumer health data or health care services.  This restriction applies even if the consumer provides consent or opts-in.
  • Must only permit employees and contractors to access consumer health data if it is necessary for them to help provide the product or service requested by the consumer.
  • Must establish and maintain administrative, technical and physical data security practices satisfying a reasonable industry standard to protect consumer health data appropriate for the volume and nature of the data.
  • Must obtain a consumer’s separate authorization to sell or offer to sell consumer health data that is not related to the provision of goods or services.  This requires providing the consumer with a plain-language disclosure that includes the purpose of the sale and the buyer’s name and contact information.  Each authorization is valid for only one year and can be revoked sooner, and the regulated entity or small business must provide a copy of the signed authorization to the consumer.  Both the seller and the buyer of the data must keep a copy of the authorization for six (6) years.

What rights do consumers have under the act?

Consumers have a number of rights under the act, including the following:

  • To confirm whether a regulated entity or small business is collecting, sharing or selling the consumer’s health data.
  • To require the regulated entity or small business to delete all consumer health data regarding the consumer.  Such deletion includes all copies of the data on the regulated entity’s network, including archival and backup systems.  Regulated entities and small businesses have 45 days to comply with such a request unless the regulated entity or small business is unable to authenticate the request after using commercially reasonable efforts to do so.
  • To withdraw consent for the regulated entity or small business to collect and share the consumer’s consumer health data.
  • To access the consumer’s consumer health data and a list of all third parties and affiliates with whom the regulated entity or small business has shared or sold the information, together with an active email address or other online mechanism to contact such parties.
  • To appeal a regulated entity or small business’s refusal to take action on one of the foregoing requests.

As under the CCPA/CPRA, regulated entities and small businesses cannot discriminate against a consumer who exercises their data rights under MHMDA.

When does MHMDA come into effect?

MHMDA specifies effective dates on a clause by clause basis.  Most sections of MHMDA come into effect on March 31, 2024 for regulated entities, and for small businesses, three (3) months later on June 30, 2024.  The statute does not specify an effective date with respect to the provision that prohibits geofencing, which means it could go into effect as early as July 22, 2023.

What are the penalties for breaching MHMDA?

MHMDA is enforceable both by the Washington Attorney General and through a private right of action for consumers.  Both the Attorney General and individual consumers can bring a civil action to:  (1) enjoin deceptive acts or practices; (2) recover actual damages sustained; and (3) recover reasonable attorneys’ fees and costs.  Increased damages are at the discretion of the court, which may raise the award to up to three times the actual damages sustained, provided that the increased award does not exceed $25,000.

It is likely MHMDA will spur a wave of litigation given the private right of action and significant and unclear obligations on companies.  Regulated entities and small businesses collecting information from Washington residents, or collecting or processing data from any consumer in Washington, should consider whether they may be subject to MHMDA and come into compliance.