U.S. state privacy continues to be at the forefront of legislative and policymaking activity. Although states continue to pass comprehensive privacy laws in 2023, Washington’s My Health My Data Act (“MHMDA”) deserves closer attention due to its breadth as well as its novel—and potentially onerous—provisions. This post highlights key aspects of the MHMDA with a focus on net-new provisions that organizations should consider as they build out their privacy compliance programs. Entities covered by MHMDA must comply with the law’s obligations and prohibitions by March 31, 2024, and small businesses must comply by June 30, 2024.
Background
Six states enacted comprehensive privacy laws in the first half of 2023: Indiana, Iowa, Oregon, Montana, Tennessee, and Texas. These laws largely drew from existing state privacy laws in California, Colorado, Connecticut (with recent additional amendments), Utah, and Virginia.
In the wake of MHMDA, other states have introduced similar bills and, on June 16, 2023, Nevada’s Governor Lombardo signed into law Nevada Senate Bill 370 (SB 370), which is similar but narrower to MHMDA.
Unlike existing comprehensive privacy laws, MHMDA is focused on protecting health data, specifically data that is not regulated by the federal Health Information Portability and Accountability Act. The law has far-reaching implications for organizations inside and outside of Washington as it is broadly applicable, both in terms of the entities it regulates as well as the types of data it covers. It includes a private right of action, strong opt-in consent requirements, and broad applicability to organizations of all types and sizes.
The MHMDA’s Broad Applicability and Scope
Who is regulated? Broadly speaking, the law applies to data controllers that do business or provide goods and services to Washingtonians and collect or process consumer health data. The MHMDA protects Washington residents and any consumer whose health data is processed in Washington state. Service providers that process consumer health data on behalf of entities must abide by contracts that include processing instructions and acceptable actions the service provider may take with consumer health data. Failure to abide by these contractual provisions could cause the service provider to be treated as an entity covered by MHMDA. Unlike other state privacy laws, the MHMDA does not include minimum thresholds of revenue or data subjects, so organizations of all sizes as well as nonprofits are required to comply with the operative provisions of the law.
What is regulated? The MHMDA regulates “consumer health data,” which the law broadly defines as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” To underscore the breadth of this definition, the MHMDA provides a non-exhaustive list of categories of “consumer health data” which specifically includes data relating to attempts to seek or search for reproductive or gender-affirming health services online, such as search queries or browsing history, as well as geolocation data that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies. It also expressly covers biometric data and data reasonably derived or inferred from non-health-related proxies, derivatives, or algorithms.
What is excluded? The MHMDA does not apply to deidentified data that cannot be linked back to a consumer nor publicly available information. The MHMDA excludes employee data, business-to-business data, and personal information used to engage in public- or peer-reviewed research, so long as the research is conducted in the public interest and meets defined safeguards. The MHMDA includes data exemptions for HIPAA, quality assurance testing, and health records governed by or created pursuant to other state and federal laws. Unlike many state privacy laws, the MHMDA does not contain entity-level exemptions such as exemptions for financial institutions subject to the Gramm-Leach-Bliley act.
What Are the Key Substantive Obligations?
Transparency: Entities must post on their homepage a link to and maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data the entity collects, the sources of that data, the uses of that data, how it is shared, and how consumers can exercise their rights.
Affirmative Consents: The MHMDA requires one of two possible legal bases for collecting, processing, or sharing consumer health-related data: consent or necessity. Entities that wish to “buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data” must obtain affirmative consent for the specific purpose of collection or require the data to be used to provide a product or service the consumer requested. Entities that wish to share consumer health data must obtain separate consent for the specific purpose of sharing or meet the same necessity standard to share the data. Requests for consumer consent must clearly and conspicuously state the purpose and categories of data to be collected, used, or shared as well as how consumers can withdraw consent.
Entities must obtain special signed authorization from a consumer to sell or offer their consumer health data, separate from the previous consent needed to collect or share the data. Consumers’ consent is only valid for one year. Entities are not permitted to condition the provision of goods and services on a consumer providing their signed authorization.
Consumer Rights: Under the MHMDA, consumers have a right to access their consumer health data from entities, and they have a right to receive a list of contact information for all of the third parties and affiliates with whom their data was shared. Consumers also have a right to withdraw their consent from an entity collecting and sharing their health data and a right to request that their data be deleted. If a consumer requests to have their health data deleted, the entity must also delete it from archives and backups and notify all affiliated and third parties, who must similarly honor the deletion request.
Security: The MHMDA includes access control requirements mirroring the reasonable security standard provisions in most comprehensive state privacy laws.
Geofencing Banned: The MHMDA includes a non-waivable provision banning “geofencing” that goes into effect on July 26, 2023—eight months before the rest of the law becomes enforceable. The law expressly bans any person from geofencing for the purposes of identifying or tracking consumers seeking health services, collecting health data from consumers, or sending notifications, messages, or ads to consumers related to their health data.
What Are the Risks?
Unlike most state privacy laws, the MHMDA creates a private right of action for consumers for any violation of the law’s provisions, provided impacted consumers can prove specific elements including that the consumer was injured. Specifically, consumers must prove five elements to prevail in a private suit: (i) the entity committed an unfair or deceptive act or practice, (ii) the act or practice occurred in trade or commerce, (iii) there was an impact on the public interest, (iv) the consumer was injured, and (v) the act or practice caused the injury. If consumers meet this standard, they may obtain an injunction against the organization and are eligible for damages capped at $25,000.
The MHMDA will also be enforced by Washington’s Office of the Attorney General, with monetary penalties of up to $7,500 per violation.
Key Steps to Consider
Organizations doing business or providing goods and services in Washington will have a relatively short time frame to consider the law’s impact and make necessary changes to comply with the law. The MHMDA’s wide reach, significant obligations, lack of entity-level exemptions, and revenue or consumer thresholds, and private right of action substantially increase litigation and enforcement risk for entities covered by the law. Accordingly, organizations should consider key steps, including:
- Assess Applicability: Organizations should carefully analyze their connection with the healthcare industry and their processing of health-related data to determine whether they are within the scope of the MHMDA and might be considered a “regulated entity” under the law. Organizations will want to consider the broad scope of the MHMDA and the broad definition of “consumer health data” under the law as data not traditionally subject to other privacy laws may now be in scope of the Washington law.
- Data Mapping: As with all state privacy laws, entities covered by MHMDA should consider undertaking a data mapping exercise to better understand data flows of in scope health data into and outside of the entity and where such data resides. This will enable entities to make more accurate privacy notices, understand where consents may be required, draft accurate consent disclosures, and reduce friction associated with complying with data subject access requests.
- Consent Interfaces: Entities covered by MHMDA should consider how to implement clear, user-friendly consumer interfaces to obtain necessary consents under the law. Entities should consider auditing any existing consent practices they have in place and augmenting these practices to meet the requirements of the law. This might include having lawyers well versed in MHMDA being involved in product launches and including assessing the need for such consents in product development.
- Limit Internal Data Access: Organizations should assess which employees, contractors, service providers, and other vendors have access to their in scope data. For instance, it may be prudent for organizations to determine which personnel and parties need access to this data and to limit access to this group as needed.
- Develop a Documented Process to Address Rights Requests: Organizations should consider how to plan ahead and prepare for consumer requests to access data, withdraw consent, and delete data. Organizations should consider training an internal team that is capable of responding to these requests and should set a standardized process for response.
***
To subscribe to the Data Blog, please click here.
The cover art used in this blog post was generated by DALL-E.
The authors would like to thank Debevoise Summer Associate Carl Lasker for his work on this Debevoise Data Blog post.