Washington My Health My Data Act

What you need to know about MHMDA:

To Whom Does MHMDA Apply?

MHMDA applies to “regulated entities”, which are those that:

  • Conduct business in Washington, or produce or provide products or services targeted to consumers in Washington, and
  • Determine the purpose and means of collecting, processing, sharing, or selling CHD.

Examples of companies that may be in scope for MHMDA but may not typically be considered healthcare businesses:

  • Cloud storage providers with facilities, servers, or customers in Washington that may store personal information that is linked or reasonably linkable to a consumer and identifies the consumer’s past, present, or future physical or mental health status;
  • App developers and device manufacturers of apps and/or devices that measure diet, heart rate, exercise, sleep, etc.;
  • App developers and device manufacturers of apps and/or devices that create, capture, or store voice, images, or other bodily markers for recognition or identity authentication.

Where Does MHMDA Not Apply?

Exempt Entities: Exempt entities include:

  • Government agencies;
  • Tribal nations;
  • Contracted service providers when processing CHD on behalf of a government agency.

Exempt Data: Some of the many data exemptions include:

  • PHI covered by HIPAA processed by a covered entity or business associate on their behalf;
  • Information that originates from, and is intermingled so as to be indistinguishable from, PHI covered by HIPAA and that is maintained by a covered entity or business associate;
  • Data subject to the Gramm-Leach-Bliley Act;
  • Data subject to the Fair Credit Reporting Act;
  • Data subject to the Family Educational Rights and Privacy Act;
  • Data subject to a variety of Washington State laws dealing with health care and insurance;
  • And more!

Exempt Use Cases: MHMDA is not applicable to processing PI in an employment or commercial (B2B) context nor PI that is used in scientific, historical, or statistical research in the public interest. The law also specifies that it should not be construed to restrict a business’s collection, use, or retention of information to:

  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities;
  • Investigate, report, or prosecute those responsible for any such action that is illegal under Washington or federal law.

To What Does MHMDA Apply?

Consumer Health Data (CHD)

Consumer Health Data is defined as personal information that is linked or reasonably linkable to a consumer and identifies a consumer’s past, present, or future physical or mental health status. Physical or mental health status includes (but is not limited to):

  • Individual health conditions, treatment, diseases, or diagnosis;
  • Social, psychological, behavioral, and medical interventions;
  • Health-related surgeries or procedures;
  • Use or purchase of prescribed medication;
  • Bodily functions, vital signs, symptoms, or measurements of the information described in this list;
  • Diagnoses or diagnostic testing, treatment, or medication;
  • Gender-affirming care information;
  • Reproductive or sexual health information;
  • Biometric data;
  • Genetic data;
  • Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
  • Data that identifies a consumer seeking health care services; or
  • Any information that is processed to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).

The definition exempts de-identified data, information made publicly available through government records, and information that a covered entity believes has been made public by the consumer.

Of particular note is the broad definition of health care services, as it potentially encompasses a wide variety of activities one would not associate with health data. Health care services is defined as “any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health.” For example, it is reasonable to read the definition to encompass data identifying visits to a gym or athletic wear store as evidence of a service that enables a person to learn about or improve their physical or mental health.

The Washington attorney general has attempted to assuage fears of broad interpretations by providing some basic guidance, stating that information on toiletry products would not be considered CHD, while noting that drawing inferences from that information and identifying a consumer would then bring such purchase data into scope.

Geofencing

Geofencing is defined to include technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of location detection to establish a virtual boundary around a specific physical location.

For purposes of the Act, a “geofence” is a virtual boundary 2,000 feet or less from the perimeter of a physical location.

Key Components of the MHMDA

What constitutes the “sale” of CHD

Sale is defined as the exchange of CHD for monetary or other valuable consideration.

Obligations and Prohibitions

Consent for Collection, Processing, and Sharing of CHD

Consent takes a primary role in MHMDA. As a reminder, many comprehensive data privacy laws do not require consent to process basic Personal Information, only to process Sensitive Personal Information. These laws tend to offer an opt-out structure: so long as processing of PI fits other requirements, it is allowed until the consumer opts out. MHMDA, meanwhile, regulates CHD, which by its nature is a more sensitive form of data. For that reason, it makes sense that it generally requires opt-in (affirmative) consent for the collection, use, sharing, or other processing of CHD beyond what is necessary to provide a consumer-requested product or service. MHMDA requires that consent for each use of CHD (such as collection and sharing) be obtained separately, ensuring the end user is aware of and comfortable with each use of their CHD. Consent is also needed for any collection or processing beyond what is described in the notice, which follows naturally, since consent is needed in the first place for the collection or processing described in the notice. Note that the sale of CHD (distinct from sharing) is largely banned without a heightened form of consent, called a “valid authorization” (see below).

The exception from the consent requirement is with respect to processing that is necessary to provide a product or service requested by the consumer, and this is limited to the extent the processing is necessary to provide the product or service.

Data Minimization

The MHMDA addresses data minimization through its requirement that CHD be collected or processed only with consent or where necessary to provide a product or service requested by the consumer. In essence, organizations practice data minimization because, to collect or process CHD, they must meet that standard.

Ban on Sale of CHD

The MHMDA completely prohibits the sale of CHD, unless a valid authorization is in place.

A valid authorization must be a separate and distinct, written, signed, and dated consent from the consumer. Consumers have the right to revoke authorization at any time and it expires after one year.

Authorizations must contain:

  • A description of the specific CHD being sold;
  • The name and contact information of the entity collecting and selling the data (the seller);
  • The name and contact information of the entity purchasing the data (the buyer);
  • An explanation of why the CHD is being sold, how it will be gathered, and how it will be used by the buyer (purpose);
  • A statement that the provision of goods or services may not be conditioned on the consumer signing the authorization;
  • A statement that the consumer has the right to revoke the authorization at any time and instructions on how to do so;
  • A statement that the CHD may be subject to redisclosure and no longer protected under the law;
  • The date when the authorization expires (no more than one year from signature); and
  • The signature of the consumer and the date signed.

The consumer must be given a copy of the signed authorization. Both the seller and the purchaser must keep a copy of all valid authorizations for six years.

Geofencing Ban

MHMDA bans the use of Geofences to:

  • Identify or track consumers seeking health care services;
  • Collect consumer health data from consumers; or
  • Send notifications, messages, or advertisements to consumers relating to their consumer health data or health care services, at or around entities that provide in-person health care services in Washington.

How will MHMDA be Enforced?

MHMDA may be enforced by the Washington attorney general (AG) or through a private right of action.

Attorney General enforcement: Penalties may include injunctive relief and/or civil penalties, with fines up to $7,500 per violation plus attorney’s fees, investigative costs, and any other relief the court determines appropriate.

Private Right of Action: Consumers alleging violations of MHMDA may seek injunctions and court costs, and the court may triple damages up to $25,000 for extreme violations.

What Needs to Be Included in the Privacy Notice?

MHMDA requires that the notice be distinct from the notice for other data privacy laws and have its own link. Be sure to prominently publish the link on the website homepage and include the following in the notice:

  • Categories of CHD collected;
  • Purpose for collection of CHD, including how it will be used;
  • Categories of sources of collection;
  • Categories of CHD shared;
  • List of categories of third parties and specific affiliates with whom CHD is shared; and
  • How consumers can exercise their rights.

Data Privacy is Just Good Business