On March 31, 2024, the Washington My Health My Data Act (MHMDA), a comprehensive consumer health privacy law, will come into force. Small businesses – defined as those processing consumer health data of fewer than 100,000 consumers in a calendar year or collecting data of fewer than 25,000 consumers and deriving less than 50% of revenue from this data – will have until June 30, 2024, to comply. Unlike most state privacy laws, MHMDA provides a broad private right of action, including presumptions benefitting plaintiffs, and is thus likely to trigger a wave of privacy litigation. While it purports to regulate only “consumer health data”, MHMDA defines that term very broadly to include information not typically considered to be health related.
The MHMDA establishes a privacy framework for entities operating in Washington that handle consumer health data, a term that is defined broadly to capture not only information that is commonly understood as health information but also categories such as “bodily functions”, “biometric information,” “data that identifies a consumer seeking health care services” (itself a term broadly defined to include “any service …. to assess, measure, improve, or learn about a person’s mental or physical health”) and “precise location information” as well as such health data if it is derived, inferred or extrapolated from non-health information. This framework imposes stringent notice and consent requirements as well as restrictions on certain forms of advertising that exceed the requirements of other state privacy laws. Specifically, regulated entities will need to:
- Post a standalone consumer health data privacy policy that complies with the requirements of the law.
- Obtain informed, opt-in consent for “collecting” and, separately, for “sharing” consumer health data.
- Obtain detailed signed authorization for any “selling” of consumer health data.
- Avoid advertising based on geofencing around healthcare facilities.
- Develop processes to manage consumer requests to access, delete, or withdraw consent.
- Ensure that agreements with vendors that access consumer health data have appropriate data privacy terms.
Significantly, unlike other state privacy laws, the MHMDA does not contain applicability thresholds based on revenue or number of consumers. Consequently, many organizations that were exempt under other frameworks may not be exempt from the MHMDA. The MHMDA exempts protected health information (PHI) governed by the Health Insurance Portability and Accountability Act (HIPAA) and other information regulated under other sectoral privacy laws, and does not protect individuals acting in an employment context.
This client alert outlines key obligations under the MHMDA. For more detailed background on the Act, see our prior articles here and here.
Background
The MHMDA was passed in April 2023 to address two primary concerns. First, the MHMDA sought to address gaps in the protection of privacy for health data not regulated by HIPAA. Second, as its primary sponsor Rep. Vandana Slatter stated, the MHMDA is part of a comprehensive package of legislation specifically designed to respond to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which abolished a federal constitutional right to abortion. One of the categories of consumer health data protected under the law is reproductive or sexual health information; and the law also protects information about gender-affirming care.
The MHMDA’s twin aims are apparent in its broad scope of application to activities and categories of data that may reveal a women’s access to reproductive health care services. For example, in an effort to protect women seeking reproductive health care services in Washington, the MHMDA applies to data “collected” (broadly defined to include any type of processing) in Washington, regardless of the consumer’s state or residency, as explained further below. The MHMDA also applies to a broad range of data categories – including location – that may reveal someone’s access to healthcare services, even where such data is not specifically tied to health characteristics or processed by HIPAA covered entities.
In furthering these aims, the MHMDA draws inspiration from other state consumer privacy laws, such as the California Consumer Privacy Act (CCPA), but includes several key requirements that exceed those that appear in other frameworks.
Who Must Comply?
The MHMDA applies to regulated entities, a term that includes any legal entity that “conducts business” in Washington or produces or provides products or services that are targeted to consumers in Washington, and that determines the purposes and means of collecting, processing, sharing or selling consumer health data. Arguably, any website that allows access from Washington could be covered. Moreover, some of the world’s largest cloud providers are based in Washington, where they operate massive data centers.
What is Consumer Health Data?
The MHMDA defines “consumer health data” broadly to capture any “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer’s past, present, or future physical or mental health status.”
The MHDMA also provides a non-exhaustive list of examples of consumer health data, including:
- Health conditions, treatment, diseases, or diagnosis;
- Social, psychological, behavioral, and medical interventions;
- Health-related surgeries or procedures;
- Use or purchase of prescribed medication;
- Bodily functions, vital signs, symptoms, or measurements of information;
- Diagnoses or diagnostic testing, treatment, or medication;
- Gender-affirming care information;
- Reproductive or sexual health information;
- Biometric data and genetic data;
- Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
- Data that identifies a consumer seeking health care services; and
- Health information that is derived or inferred from non-health data.
While many of these categories qualify as health data under the FTC’s previous guidance and enforcement activity, several categories expand well beyond traditional definitions. For example:
- “Biometric data” under the MHMDA includes imagery and voice recordings “from which an identifier template can be extracted” – not merely biometric templates that are used to uniquely identify an individual, as under other state privacy laws.
- Data about “bodily functions” could potentially capture information that does not reveal anything about an individual’s health, such as eating or sweating. In fact, while the Washington Attorney General (AG) explained in guidance that the purchase of toiletries alone would not “ordinarily” fall within this definition, tracking a consumer’s digestion or perspiration would be regulated by the MHMDA.
- By referring to “inferred” data, the MHMDA may apply to data that is inherently non-sensitive when organizations use it in a manner that reveals aspects of a consumer’s health.
Who is a Consumer?
A “consumer” under the MHMDA is an individual acting in a personal or household capacity – not individuals acting in an employment context. Thus, unlike the CCPA as well as some biometric privacy laws such as BIPA, the MHMDA does not protect employee privacy. One of the most striking aspects of the MHMDA, however, is its extension of the definition of a “consumer” to certain non-residents of Washington. The MHMDA defines a “consumer” not only as a Washington resident, but also as any individual whose consumer health data is “collected” in Washington.
Importantly, related to this, the term “collect” means more than just collecting in the traditional sense. It also includes accessing, retaining, receiving, acquiring, inferring, deriving or otherwise processing in the state of Washington. This provision may extend the MHMDA protections to consumer health data of non-residents when such data is processed within the state of Washington. This, in turn, resonates particularly in light of the operations in Washington of some of the world’s largest data processors.
What Data is Exempt?
The MHMDA provides exceptions for several categories of data and activities, including:
- PHI Protected Under HIPAA and medical records: the Act exempts protected health information (PHI) governed by HIPAA as well as medical records governed by Washington health care information laws. The Act also exempts information that is intermingled with and treated indistinguishably from PHI or medical records, as well as information that has been deidentified in accordance with HIPAA.
- Publicly-available data: the Act exempts public information where either (a) it is lawfully made available through government records or widely distributed media, or (b) there is a reasonable basis to believe the consumer made the information available to the general public.
- Deidentified data: the Act exempts data that cannot reasonably be linked to, or used to infer information about, a consumer where the organization takes reasonable measures to prevent reidentification and commits publicly – and in any relevant contracts – not to permit reidentification.
- Data subject to certain federal and state privacy laws: the Act exempts information governed by the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), the Fair Credit Reporting Act (FCRA), the Social Security Act, and Washington state insurance rules.
- Research: the MHMDA provides several exceptions for research, including for public or peer-reviewed research in the public interest that has been approved by an IRB or ethics board, as well as clinical trials and other human subjects research conducted in accordance with Good Clinical Practice guidelines.
The Act also exempts government entities and vendors that provide services to such entities. However, nonprofits are not exempt.
What Do Regulated Entities Need to Do?
The MHMDA imposes numerous restrictions and requirements on regulated entities. The most significant restrictions and requirements are summarized below.
Notice
The MHMDA requires regulated entities to provide consumers with a standalone consumer health data privacy policy. According to AG guidance, the consumer health data privacy policy must be accessible via a separate and distinct link on the entity’s homepage, which is defined broadly to potentially cover every webpage, and the policy must not include superfluous information that is not required by the MHMDA. In other words, regulated entities will now be required to post a separate consumer health data privacy policy in addition to their general privacy policy.
The content of the consumer health data privacy policy is similar to the information organizations must furnish under other state privacy laws, including:
- the categories of consumer health data collected;
- the categories of sources from which consumer health data is collected;
- the purposes for which consumer health data is collected and used;
- the categories of consumer health data that is shared;
- a list of the categories of third parties with which consumer health data is shared; and
- a description of how a consumer can exercise the rights of access, deletion, and withdrawal of consent.
Unlike other state privacy laws, however, the MHMDA also requires regulated entities to name specific affiliates that will have access to consumer health data. This will require companies with parents, subsidiaries, and affiliates to map and publish their internal data flows in a manner not previously required by US privacy laws.
Consent and “Authorization”
The MHMDA imposes three different consent and authorization requirements for regulated entities.
- Consent to collect consumer health data. The MHMDA requires regulated entities to ask consumers for opt-in consent before collecting consumer health data, unless the collection is necessary to provide a product or service that the consumer has requested from that entity. Because “collect” is defined broadly to capture “other processing,” regulated entities will need to ensure that any subsequent use or storage, and possibly even deletion, of consumer health data is either necessary for the service or conforms with the consumer’s consent.
- Consent to share consumer health data. The MHMDA requires regulated entities to obtain a “separate and distinct” consent to “share” consumer health data. Notably, “sharing” is defined differently from other state privacy laws, such as the CCPA. Sharing under the MHMDA means any disclosure or making available of consumer health data, regardless of whether there is monetary or other valuable consideration, to a third party or affiliate that is not a processor for the regulated entity and does not have a direct relationship with the consumer. The MHMDA also provides for exceptions to the consent requirement where the sharing is necessary to provide a product or service that the consumer has requested from that entity, or where it occurs in the context of corporate transactions. Because disclosing to affiliates within a corporate group may be “sharing,” companies should evaluate whether any affiliates that provide corporate services are in fact acting as processors for the regulated entity, in which case intra-company agreements may be necessary.
- “Valid authorization” signed by the consumer to sell consumer health data. “Selling” consumer health data is highly restricted. Selling is defined as disclosing/making available for monetary or other valuable consideration. For sales of consumer health data, regulated entities must obtain a signed authorization meeting several formal requirements. These requirements are likely to act as a bar to any sales of consumer health data in most instances. And given that, post-CCPA, the concept of “selling” personal data is understood to include any use of data for the purpose of targeted advertising, MHMDA is likely to have profound effects for online advertising using any information covered under the new law.
Geofencing
The MHMDA prohibits geofencing around any facility that provides in-person “health care services” where the geofence is used to (1) identify or track consumers seeking health care services, (2) collect consumer health data, or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.
Healthcare services are broadly defined as any services “to assess, measure, improve, or learn about a person’s mental or physical health.” This is an absolute prohibition and there is no exception for activity done with consumer consent.
Consumer Requests
The MHMDA grants consumers the following rights:
- Right to access the information the regulated entity collects or processes about a consumer, and a list of all third parties and affiliates with whom a regulated entity has shared or sold the consumer’s health data;
- Right to withdraw consent from a regulated entity’s collection and/or sharing of consumer health data, and to revoke the consumer’s written authorization for data sales. Given the wide range of data processing activities that potentially require consent or authorization, as noted above, and the lack of alternatives to consent or authorization, withdrawal of consent/authorization is likely to significantly affect a regulated entity’s ability to continue to process consumer health data that is subject to such request.
- Right to delete consumer health data, which includes a right to direct any affiliates, processors, contractors and other third parties with whom a regulated entity has shared consumer health data, to delete consumer health data.
- Right to appeal a regulated entity’s refusal to act on a request.
While these rights mirror those in other state privacy laws, one key distinction is that the MHMDA’s right to deletion contains only very limited exceptions. Specifically, the law contemplates only general exceptions for preventing, detecting, responding to security incidents, identity theft, fraud, harassment, or malicious, deceptive or illegal activities; protecting the integrity or security of systems; or investigating, reporting, or prosecuting those responsible.
Regulated entities may need to consider changes to the architecture of relevant IT systems to accommodate these robust deletion requirements for consumer health data.
Processor Agreements
“Processors” are exempt from key requirements under the MHMDA. Like under other frameworks, a processor is defined as an entity that processes consumer health data on behalf of the regulated entity.
Regulated entities must execute agreements with processors that set forth the processing instructions and restrict the processor from processing consumer health data for other non-approved purposes.
Processors also must implement appropriate technical and organizational measures to assist the regulated entity with meeting the MHMDA’s requirements, and they must delete consumer health data upon notification of a deletion request from a regulated entity.
Enforcement and Penalties
The Washington AG’s Office will oversee enforcement of the MHMDA, with the possibility of injunctions, restitution, civil penalties, and legal fees for non-compliance.
Significantly, the Act provides a robust private right of action for consumers to sue companies for violations of the Act. This private right of action will likely spawn significant litigation, but plaintiffs will need to assert damages as a result of any alleged violation, as the MHMDA does not provide for specified statutory damages.
Other Consumer Health Data Laws
Consumer health data has attracted regulation in other states beyond Washington. Consumer health privacy laws have been proposed in a number of states, and the following states have adopted measures that are similar in some respects to the MHMDA:
- Nevada. On March 31, 2024, Nevada’s Consumer Health Data Privacy Law will go into effect. Nevada’s law largely mirrors the requirements of the MHDMA, except that the Nevada law does not provide for a private right of action and has a narrower definition of consumer health data. There is also no delay in enforcement for small businesses under the Nevada law.
- Connecticut. Last year, Connecticut amended its Consumer Data Privacy Act to include “consumer health data” within its definition of sensitive data. The amended Act also introduced new prohibitions on geofence advertising and consent requirements for selling consumer health data that broadly align with the MHMDA.
Conclusion
The effective date of the MHMDA marks the beginning of a new era of regulation of – and likely litigation around – consumer health data in the US. Not only does the MHMDA impose new substantive requirements exceeding those of the other state privacy laws that have proliferated in the US, but the MHMDA’s private right of action also introduces the specter of significant litigation surrounding organizations’ collection, use and disclosure of any information that may reveal inferences about consumer health. Organizations in and out of Washington that process consumers health data, including not just health service providers but also providers of fitness, wellness and nutrition products – as well as organizations involved in online advertising and other data-intensive industries that historically were exempt from HIPAA’s narrow scope, will find themselves subject to more onerous requirements as of March 31, 2024.
[View source.]