Why everyone needs to know about Washington’s new My Health My Data Act

Since the Dobbs decision, there has been a trend among the states to give enhanced protection to sensitive data, especially health-related information, resulting in new state laws that augment the protections provided by HIPAA. Washington State's My Health My Data Act is the most comprehensive of the new laws, covering health-related data collected via apps, websites, or otherwise, where that data is not subject to HIPAA.

What is the scope of Washington's MHMDA?

Generally, all persons and businesses that conduct business or provide services or products in Washington and that collect, process, share, or sell consumer health data are in scope of the Act. As a result, MHMDA has national reach, providing rights to both Washington consumers and other individuals whose consumer health data is collected or processed in Washington. The law takes effect on March 31, 2024. Unlike under many other state privacy laws, "small businesses" are not exempt, but they have until June 30, 2024, to comply.

What is “Consumer Health Data” under Washington’s MHMDA? 

“Consumer health data” is defined broadly as “any personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” 

This covers both personal data that directly identifies physical or mental health status and seemingly innocuous data that companies use to make inferences about health status. "Consumer health data" is a lot more than one might think it is. For example, it can include data collected in a vast range of contexts:

  • Apps on smartphones or smart watches
  • Geolocation
  • IoT and smart devices (such as appliances or your car)
  • Clothing purchases
  • Over-the-counter drugs or even toiletries, if a business uses that data to generate inferences about an individual's health
  • HR data

Effectively, any personal data that identifies a consumer's past, present, or future physical or mental health status is covered, including otherwise innocuous data that is used to derive or infer a health condition.

What Individual Rights and Business Obligations Does MHMDA Create?

Notice via Consumer Health Data Policies
MHMDA requires businesses to provide Consumer Health Data Policies that disclose specific information about their consumer health data practices. 

Strict Consent Requirements to Collect and Share
MHMDA requires opt-in consumer consent to collect and to share consumer health data. Such consent must consist of “a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement.” 

Additionally, MHMDA requires distinct authorization to sell consumer health data, making it unlawful for anyone to sell consumer health data without first obtaining "valid authorization" from the consumer. There are onerous specific requirements for obtaining authorization, a broad definition of "sale," and significant document retention requirements.

Consumer Rights
Consumers are granted rights to know, access, withdraw consent and delete. Unlike most other states, there are almost no exceptions to the right to delete.

Immediate Geofencing Prohibition
Importantly, the law already bans using a geofence around an in-person health care provider to identify or track consumers, collect consumer health data, or send notifications, messages, or advertising. There is no "small business" delay on the implementation of this provision.

Washington Has A Private Right of Action

Significantly, the My Health My Data Act provides that any violation of the Act is a per se violation of Washington's Consumer Protection Act (CPA), which is enforced by the Attorney General and carries a private right of action. This means the likelihood of class actions is high, and it elevates compliance risk for businesses within scope.

If a business uses consumer health data to make inferences about consumers for commercial purposes, including targeted advertising, or, for example, processes that data in the Washington-based cloud services of Microsoft (Azure) or Amazon (AWS), the MHMDA could lead to costly consumer class action lawsuits. For comparison, Illinois' biometrics law (BIPA) has a private right of action and has cost companies across the U.S. more than a billion dollars. Companies, even those with fine-tuned, mature privacy programs and those regulated by HIPAA, cannot ignore the new Washington My Health My Data Act. For additional insight, see the FAQ recently issued by the Washington Attorney General on MHMDA.

Five key MHMDA takeaways:

  1. It covers a broad range of personal data. Companies would be advised to treat MHMDA as a general privacy law.
  2. The scope is nationwide and impacts companies that collect, use, disclose or sell consumer health data of Washington consumers, as well as companies that conduct business operations in Washington, and there is no "small business" jurisdictional exception.
  3. HIPAA covered entities with mature HIPAA programs may still be in scope for health-related data that falls outside HIPAA.
  4. The private right of action is likely to result in individual private lawsuits as well as class actions.
  5. Anti-geofencing provisions are already in force.

Other State Privacy Laws Cover Health Data 

Finally, other state privacy laws that cover health data cannot be ignored.

Connecticut recently amended its privacy law to provide explicit protections for "consumer health data," and Nevada passed a new law to do the same. While Connecticut and Nevada now provide protections similar to Washington's MHMDA, their laws do not include a private right of action.

Colorado, Virginia, Texas, Florida, Oregon, Indiana, Montana, Tennessee, and Delaware all define sensitive personal information to include health data and require opt-in consent for the processing of sensitive information. California requires companies to provide consumers with the right to opt out of the processing of most types of sensitive personal data.