Washington My Health My Data Act
On April 27, 2023, Washington’s My Health My Data Act (MHMDA) was signed into law with the stated goal of providing privacy protections for health information not covered under the Health Insurance Portability and Accountability Act (HIPAA). The law sets effective dates on a section-by-section basis, with most compliance deadlines for small businesses falling on June 30, 2024, and most deadlines for other businesses on March 31, 2024.
MHMDA aims to give individuals greater control over their personal health data by limiting the unauthorized sharing of such information. MHMDA applies broadly, even protecting individuals living outside Washington, and its definition of “consumer health data” (CHD) includes information that people may not typically consider to be health data.
What you need to know about MHMDA:
MHMDA applies to “regulated entities”, which are those that:
- Conduct business in Washington, or produce or provide products or services targeted to consumers in Washington; and
- Determine the purpose and means of collecting, processing, sharing, or selling CHD.
Examples of companies that may be in scope for MHMDA but may not typically be considered healthcare businesses:
- Cloud storage providers with facilities, servers, or customers in Washington that may store personal information that is linked or reasonably linkable to a consumer and identifies the consumer’s past, present, or future physical or mental health status;
- App developers and device manufacturers of apps and/or devices that measure diet, heart rate, exercise, sleep, etc.;
- App developers and device manufacturers of apps and/or devices that create, capture, or store voice, images, or other bodily markers for recognition or identity authentication.
Exempt Entities: Exempt entities include:
- Government agencies;
- Tribal nations;
- Contracted service providers when processing CHD on behalf of a government agency.
Exempt Data: Some of the many data exemptions include:
- Protected health information (PHI) covered by HIPAA and processed by a covered entity, or by a business associate on its behalf;
- Information that originates from, and is intermingled so as to be indistinguishable from, HIPAA-covered PHI and is maintained by a covered entity or business associate;
- Data subject to the Gramm-Leach-Bliley Act;
- Data subject to the Fair Credit Reporting Act;
- Data subject to the Family Educational Rights and Privacy Act;
- Data subject to a variety of Washington State laws dealing with health care and insurance;
- And more!
Exempt Use Cases: MHMDA does not apply to the processing of personal information (PI) in an employment or commercial (B2B) context, nor to PI used in scientific, historical, or statistical research in the public interest. The law also specifies that it should not be construed to restrict a business’s collection, use, or retention of information to:
- Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities;
- Investigate, report, or prosecute those responsible for any such action that is illegal under Washington or federal law.
Consumer Health Data (CHD)
Consumer Health Data is defined as personal information that is linked or reasonably linkable to a consumer and identifies a consumer’s past, present, or future physical or mental health status. Physical or mental health status includes (but is not limited to):
- Individual health conditions, treatment, diseases, or diagnosis;
- Social, psychological, behavioral, and medical interventions;
- Health-related surgeries or procedures;
- Use or purchase of prescribed medication;
- Bodily functions, vital signs, symptoms, or measurements of the information described in this list;
- Diagnoses or diagnostic testing, treatment, or medication;
- Gender-affirming care information;
- Reproductive or sexual health information;
- Biometric data;
- Genetic data;
- Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
- Data that identifies a consumer seeking health care services; or
- Any information that is processed to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
The definition exempts de-identified data, information made publicly available through government records, and information that a covered entity believes has been made public by the consumer.
Of particular note is the broad definition of health care services, as it potentially encompasses a wide variety of activities one would not associate with health data. “Health care services” is defined as “any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health.” For example, it is reasonable to read the definition to encompass data identifying visits to a gym or athletic wear store as evidence of a service that enables a person to learn about or improve their physical or mental health.
The Washington attorney general has attempted to assuage fears of broad interpretations by providing some basic guidance, stating that information on toiletry products would not be considered CHD, while noting that drawing inferences from that information and identifying a consumer would then bring such purchase data into scope.
Geofencing
Geofencing is defined to include technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of location detection to establish a virtual boundary around a specific physical location.
For purposes of the Act, a “geofence” is a virtual boundary 2,000 feet or less from the perimeter of a physical location.
Key Components of the MHMDA
Sale is defined as the exchange of CHD for monetary or other valuable consideration.
Consent for Collection, Processing, and Sharing of CHD
Consent takes a primary role in MHMDA. As a reminder, many comprehensive data privacy laws do not require consent to process basic personal information, only to process sensitive personal information. These laws tend to offer an opt-out structure: so long as the processing of PI meets other requirements, it is allowed until the consumer opts out. MHMDA, meanwhile, regulates CHD, which by its nature is a more sensitive form of data. For that reason, it makes sense that it generally requires opt-in (affirmative) consent for the collection, use, sharing, or other processing of CHD beyond what is necessary to provide a consumer-requested product or service. MHMDA requires that consent for each use of CHD (such as collection and sharing) be obtained separately, ensuring the end user is aware of and comfortable with each use of their CHD. Consent is also needed for any collection or processing beyond what is described in the notice, which follows naturally since consent is needed in the first place for the collection or processing described in the notice. Note that the sale of CHD (distinct from sharing) is largely banned without a heightened form of consent, called a “valid authorization” (see below).
The exception to the consent requirement covers processing that is necessary to provide a product or service requested by the consumer, and only to the extent the processing is necessary to provide that product or service.
Data Minimization
MHMDA addresses data minimization through its requirement that CHD be collected or processed only with consent or where necessary to provide a product or service requested by the consumer. In essence, organizations practice data minimization by meeting that standard before collecting or processing any CHD.
Ban on Sale of CHD
MHMDA prohibits the sale of CHD unless a valid authorization is in place.
A valid authorization must be a separate and distinct written consent from the consumer, signed and dated. Consumers have the right to revoke an authorization at any time, and an authorization expires after one year.
Authorizations must contain:
- A description of the specific CHD being sold;
- The name and contact information of the entity collecting and selling the data (the seller);
- The name and contact information of the entity purchasing the data (the buyer);
- An explanation of why the CHD is being sold, how it will be gathered, and how it will be used by the buyer (purpose);
- A statement that the provision of goods or services may not be conditioned on the consumer signing the authorization;
- A statement that the consumer has the right to revoke the authorization at any time and instructions on how to do so;
- A statement that the CHD may be subject to redisclosure and no longer protected under the law;
- The date when the authorization expires (no more than one year from signature); and
- The signature of the consumer and the date signed.
The consumer must be given a copy of the signed authorization. Both the seller and the purchaser must keep a copy of all valid authorizations for six years.
Geofencing Ban
MHMDA bans the use of geofences around entities that provide in-person health care services in Washington to:
- Identify or track consumers seeking health care services;
- Collect consumer health data from consumers; or
- Send notifications, messages, or advertisements to consumers relating to their consumer health data or health care services.
Enforcement
MHMDA may be enforced by the Washington attorney general (AG) or through a private right of action.
Attorney General enforcement: Remedies may include injunctive relief and/or civil penalties, with fines of up to $7,500 per violation plus attorney’s fees, investigative costs, and any other relief the court determines appropriate.
Private Right of Action: Consumers alleging violations of MHMDA may seek injunctions and court costs, and the court may triple damages up to $25,000 for extreme violations.
Privacy Notice
MHMDA requires that the consumer health data privacy notice be distinct from the notices required by other data privacy laws and have its own link. Be sure to prominently publish the link on the website homepage and include the following in the notice:
- Categories of CHD collected;
- Purpose for collection of CHD, including how it will be used;
- Categories of sources of collection;
- Categories of CHD shared;
- List of categories of third parties and specific affiliates with whom CHD is shared; and
- How consumers can exercise their rights.
Privacy Rights
If MHMDA applies to your business, you must provide the following privacy rights to consumers:
- Right to know whether a business is collecting, sharing, or selling CHD;
- Right to access CHD about them, along with a list of all third parties and affiliates with whom the CHD is shared or sold;
- Right to withdraw consent for collection and sharing of CHD; and
- Right to delete CHD about them, including information shared or processed by affiliates, processors, contractors, or other third parties, as well as data held in archived or backup systems.
Note that the right to delete under MHMDA does not include any exceptions; consumers have the absolute right to have their data deleted, and the request must be honored and passed along to affiliates, processors, contractors, and other third parties with which the CHD has been shared.
MHMDA requires that businesses respond to rights requests within 45 days of receipt of the request, with a permissible 45-day extension in limited circumstances. Covered businesses may deny a rights request if they are unable to verify the identity of a requestor. MHMDA requires businesses to establish an appeal process for rights requests that are denied. The appeals process must be conspicuously available to consumers and similar to the process for submitting an initial privacy rights request. Businesses must respond to appeals within 45 days of receipt of any appeal and, if denying an appeal, provide the consumer with an online mechanism (if available) to file a complaint with the AG.
Vendor Contracts
MHMDA requires that covered entities put in place binding contracts with vendors that provide instructions for processing and limit the actions the vendor may take with respect to the CHD it processes on behalf of the covered entity.
Data Privacy is Just Good Business
Managing privacy compliance with all the new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting doesn’t mean it’s impossible to handle.
You don’t have to go it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – delivering practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.