Washington Enacts My Health My Data Act | Practical Law

Washington has enacted the My Health My Data Act that protects broadly defined consumer health data by requiring additional disclosures and consumer consent and authorization regarding data collection, sharing, and sales, granting consumers access and deletion rights, imposing security and processor obligations, and prohibiting the use of geofencing around health care service facilities.

Washington Enacts My Health My Data Act

Practical Law Legal Update w-039-3253 (Approx. 6 pages)

by Practical Law Data Privacy & Cybersecurity
Published on 01 May 2023
Washington
On April 27, 2023, Washington Governor Jay Inslee signed HB 1155, the My Health My Data (MHMD) Act. The law protects Washington residents and individuals whose consumer health data is collected in Washington but excludes individuals acting in an employment context. The law also prohibits implementing a geofence (a virtual boundary of 2,000 feet or less from the perimeter of the physical location) around an entity that provides in-person health care services where the geofence is used to:
  • Identify or track consumers seeking health care services.
  • Collect consumer health data.
  • Send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.
The MHMD Act broadly defines consumer health data as personal information, including a persistent unique identifier, that is linked or reasonably linkable to a consumer and identifies the consumer's past, present, or future physical or mental health status, including:
  • Individual health conditions, treatment, diseases, or diagnosis.
  • Social, psychological, behavioral, and medical interventions.
  • Health-related surgeries and procedures.
  • Use or purchase of prescribed medication.
  • Bodily functions, vital signs, symptoms, or measurements of physical or mental health status.
  • Diagnoses or diagnostic testing, treatment, or medication.
  • Gender-affirming care information.
  • Reproductive or sexual health information.
  • Biometric data, which includes data generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics that identifies a consumer, individually or with other data.
  • Genetic data.
  • Precise location information that reasonably indicates a consumer's attempt to receive or acquire health services or supplies.
  • Data identifying a consumer seeking health services.
  • Any information that a regulated entity or small business, or their processor, processes to link a consumer to consumer health data that is derived, extrapolated, or inferred from non-health information, including through algorithms or machine learning.
The definition excludes personal information that is de-identified, publicly available, or used to engage in certain public or peer-reviewed scientific, historical, or public interest statistical research activities. The publicly available exclusion does not apply to biometric data that a business collects about a consumer without the consumer's knowledge.
The MHMD Act covers:
  • Regulated entities, which include any legal entity that both:
    • conducts business in Washington or provides products or services targeted to Washington consumers; and
    • alone or with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data.
  • Small businesses, which are regulated entities that either:
    • collect, process, sell, or share the consumer health data of fewer than 100,000 consumers during a calendar year; or
    • derive less than 50% of their gross revenue from collecting, processing, selling, or sharing of consumer health data, and control, process, sell, or share fewer than 25,000 consumers' health data.
Regulated entities and small businesses:
  • Must maintain a consumer health data privacy policy, prominently link to it from their homepage, and clearly and conspicuously disclose in it how consumers can exercise their rights and the categories of:
    • consumer health data they collect and the purposes for their collection and use;
    • sources from which they collect consumer health data;
    • consumer health data they share; and
    • third parties and specific affiliates with whom they share consumer health data.
  • May not collect, use, or share additional categories of consumer health data without first disclosing them and obtaining the consumer's affirmative consent.
  • Must disclose and receive affirmative consent before collecting, using, or sharing consumer health data for additional purposes.
  • Violate the MHMD Act if they contract with a processor to process consumer health data inconsistently with the regulated entity's or small business's stated policy.
  • Must restrict access to consumer health data to those necessary to:
    • further purposes for which they have consumer consent; or
    • provide a consumer-requested product or service.
  • Must implement and maintain reasonable administrative, physical, and technical data security measures to protect consumer health data appropriate to its nature and volume.
  • Must impose specified contract obligations on their processors. Processors that fail to meet their obligations or act outside their contract's scope are considered regulated entities or small businesses under the MHMD Act and subject to all of its requirements.
Regulated entities and small businesses may not collect or share any consumer health data except either:
  • With the consumer's consent for the collection for a specified purpose. Consent for collecting and sharing must be separate and distinct.
  • To the extent necessary to provide a consumer-requested product or service.
Consent must be obtained before collecting or sharing any consumer health data. Consent requests must clearly and conspicuously disclose:
  • The categories of consumer health data collected or shared.
  • The purposes for collecting or sharing the consumer health data.
  • The categories of entities with whom the consumer health data is shared.
  • How the consumer may withdraw their consent.
Consumer health data sales require a separate and distinct specified prior consumer authorization.
The MHMD Act grants consumers the right to:
  • Confirm whether a regulated entity or small business is collecting, sharing, or selling their consumer health data.
  • Access their consumer health data, including a list of all third parties and affiliates with whom the regulated entity or small business has shared or sold it and an active email address or other online mechanism the consumer may use to contact those third parties and affiliates.
  • Withdraw their consent for consumer health data collection and sharing.
  • Request deletion of their consumer health data. Regulated entities and small businesses must notify their affiliates, processors, and other third parties with whom they have shared the consumer health data of the deletion request. Those other parties must similarly honor the request. Deletion requests for consumer health data stored on archived or backup systems may be delayed to support system backups but for no more than six months following request authentication.
Regulated entities and small businesses must comply with consumer requests without undue delay or within 45 days of request receipt, which may be extended once by 45 additional days if both:
  • Reasonably necessary, taking into account the complexity and number of the consumer's requests.
  • The regulated entity or small business informs the consumer of the extension and its reason within the initial 45-day period.
The MHMD Act, including its prohibition on geofencing, takes effect on July 23, 2023 (90 days after the legislative session's adjournment). Regulated entities must comply with the MHMD Act's other requirements beginning March 31, 2024, while small businesses have until June 30, 2024 to comply.
The MHMD Act excludes:
  • Government agencies, tribal nations, and contracted service providers that process consumer health data on a government agency's behalf.
  • Information protected under other specified laws, including the Gramm-Leach-Bliley Act, HIPAA, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, Washington state medical records laws, federal substance use disorder protections, federally regulated clinical research, and certain state and federal public health, patient safety, insurance, and health care operations and reporting regimes.
The Washington attorney general has enforcement authority for the MHMD Act under the state's Consumer Protection Act, which also provides a private right of action for harmed consumers. The MHMD Act requires Washington's Joint Legislative Audit and Review Committee to review enforcement actions and submit a report of its findings and recommendations to the governor and the appropriate legislative committees by September 30, 2030, in a provision that expires June 30, 2031.