The Washington My Health My Data Act (henceforth the “MHMDA”) passed the Washington State Legislature on April 17, 2023, and was signed into law on April 27, 2023. The Act includes effective dates on a section-by-section basis with regulated entities being bound to comply with its obligations and prohibitions beginning 31 March 2024. Small businesses are given until the end of June 2024.

The legislature described the Act as a “gap-filler,” intended to protect consumer health data not otherwise protected by state and federal healthcare privacy regulations, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Washington’s Uniform Health Care Information Act (UHCIA).

This is a consent-driven law essentially requiring one of two possible legal bases for processing health-related data: consent or necessity. A regulated entity must obtain separate consent or meet the same necessity standard to further share the concerned data, furthermore, selling the data requires a special written and signed authorization from the consumer.

Similar to controllers under the GDPR, the MHMDA applies to any legal entity that conducts business in the state, or targets products or services to Washington consumers, and determines the purpose and means of collecting, processing, sharing or selling consumer health data. Government agencies, tribal nations and contracted service providers that process consumer health data on behalf of government agencies are not included in the scope of this law.

The MHMDA does not cover data that falls within scope of the following laws:

  • Gramm-Leach-Bliley Act
  • Social Security Act, title XI
  • Fair Credit Reporting Act
  • Family Educational Rights and Privacy Act

Key Definitions

The Act defines Washington residents as “consumers” and extends the definition of “consumer” to include a natural person who may not be a resident of Washington but whose consumer health data is collected in the state. Consumers do not include individuals when not acting in their individual or household context, furthermore, the law expressly excludes those acting in an employment context. Because the law covers any consumer whose data is collected in Washington, it will likely cover non-Washington residents who interact with Washington businesses. Remarkably, if a person who meets either of these thresholds is able to be identified, including “by any unique identifier” they are in scope.

The definition of “consumer health data” is also broad and means “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” This expansive scope is likely to include many data types falling outside prior definitions of health-related data. Although online behavior such as search queries and browsing histories are explicitly captured only within the definitions of „gender-affirming care information“ and „reproductive or sexual health information,“ the Act also stipulates that any „data that identifies a consumer seeking health care services“ falls within its scope. According to the Act “consumer health data” shall also include information that may be “derived or extrapolated from non-health information,” including through machine learning and algorithms. This provision puts cookies and other third-party trackers firmly in scope.

Consumers Rights

In GDPR fashion, the Act gives consumers a set of data rights which appears more expansive than typical sectoral laws. Under the MHMDA, consumers have a right to access their consumer health data and receive a list of all third parties and affiliates — including contact information — who receive their individual data from the regulated entity. Washington consumers also have a right to withdraw their consent from an entity collecting and sharing their health data. Consumers have also the right to request the deletion of their data, in fact, if a consumer requests to have their health data deleted, the regulated entity must also delete it from archives and backups, and notify all affiliates and third parties, who must honor the deletion request as well.

If a consumer exercises any of the above rights, regulated entities have a 45-day compliance window to respond to their requests. The Act recognizes, however, that responding to these requests may take longer than the initial 45 days and allows for regulated entities to take an additional 45 days to act on a consumer’s request depending on the „complexity and number of the consumer’s request“ received by the regulated entity. Additionally, the Act allows a delay of up to six months to complete deletion requests if a regulated entity needs to restore archives or backup systems.

If the Act applies, what are the requirements?

  1. Covered entities must maintain a “consumer health data privacy policy” on their homepage which must disclose the following:
  • Categories of data collected and the purpose for the collection;
  • How data will be used;
  • Categories of sources from which data is collected;
  • Categories of data shared;
  • A list of the third parties and affiliates with whom data is shared; and,
  • How a consumer can exercise their rights.
  1. Covered entities must obtain express affirmative consent from each consumer before collecting or sharing their data.
  2. To sell consumer data, the covered entity must obtain a valid authorization. A valid authorization is a document written in transparent and plain language that specifies the specific data being sold, the name and contact information of the collector, seller, and purchaser of the data, the purpose of the sale and several other mandatory disclosures. An authorization to sell must be signed and dated by the consumer.
  3. As explained above, consumers have a right to withdraw consent and a right to have their data deleted. Entities have 45 days to respond to a consumer’s request, however, entities are permitted one 45-day extension “when reasonably necessary.”
  4. Entities must implement and maintain administrative, technical, and physical security safeguards to protect the confidentiality, accessibility, and integrity of data.
  5. Businesses that function as service providers to regulated entities need service provider contracts and will want to strictly follow their obligations under those contracts as failure to do so could render the service provider as a “regulated entity” fully subject to the Act, regardless of domicile.

Dispositions regarding the use of geofences

Generally speaking, geofencing uses certain data (GPS or RFID) to create a “virtual boundary” around a geographical area. When a device enters or exits such defined boundary the geofence can trigger an action on the device, such as pushing an alert, notification, advertisement, or security measure.

The MDMHA makes it unlawful to implement a geofence around an entity providing in-person healthcare services where the geofence is used to:

  • identify or track consumers seeking healthcare services;
  • collect consumer health data from consumers; or,
  • send notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services.

What are the consequences of a violation?

The Act may potentially create a wave of litigation because unlike many state privacy laws, it permits private causes of action — including class action lawsuits — by way of the Washington Consumer Protection Act (CPA). Litigants may recover attorneys’ fees and damages up to $25,000. Likewise, as explained above, individuals other than Washington state residents may also have the right to bring actions for alleged violations of the law.

In addition to this, according to the sources reviewed to write this article, entities subject to the Act should anticipate that plaintiffs’ attorneys will be looking for test cases to bring under the new law.