Businesses that collect or process health data from individuals are subject to new and burdensome restrictions under Washington state’s My Health My Data Law (MHMD or “the Law”).
Among many other obligations, the Law requires advance opt-in consent for the collection of consumer health data, with only narrow exceptions. It applies to companies of all sizes, giving small businesses only a three-month delay in the enforcement date. It prohibits any person from using a “geofence” around an entity that provides in-person health care services, and those services are themselves defined broadly.
Who Is Subject to MHMD and When?
Any person (including any legal entity) is required to comply with the prohibition of geofencing beginning June 23, 2023. Businesses that use location data to track a consumer or send messages need to attend to this obligation immediately.
If your company conducts business in Washington or makes services or products available to those in Washington, it likely is a regulated entity. A regulated entity, other than a small business, is required to comply with the other sections of the Law by March 31, 2024.
A small business is a regulated entity with specified limited data collection and revenue and is required to comply with the other sections by June 30, 2024.
Data processors may process consumer health data for a regulated entity only pursuant to a binding contract, and these processors are deemed to be regulated entities themselves subject to MHMD if they process consumer health data contrary to the requirements of that binding contract.
Protected Consumers
MHMD protects any consumer, defined as a Washington resident or person whose consumer health data is collected in Washington, except when that person is acting in an employment context.
What Is Consumer Health Data?
Consumer health data is defined expansively to include personal information that is linked or reasonably linkable to a consumer and identifies the consumer’s past, present or future physical or mental health status.
The Law has a list of examples, such as the use or purchase of prescribed medications, social, psychological, behavioral and medical interventions, and bodily functions. Also specifically called out are reproductive or sexual health information and gender-affirming care information (including any efforts to search for related information). Biometric data, location information indicative of seeking or acquiring health services or supplies, and consumer health data extrapolated from non-health data are on the list.
What Does MHMD Require?
Regulated entities must follow specific requirements about how and when they may collect and share consumer health data. Affirmative, opt-in consumer consent in advance is required for the collection of any consumer health data and separate consent is required for the sharing of any consumer health data, except as necessary to provide a product or service requested by that consumer.
A clear and conspicuous consumer health data privacy policy is required to be posted. Access to collected consumer health data by employees, processors, and contractors is limited to that necessary to accomplish the permitted purpose, and regulated entities are required to adopt security safeguards.
MHMD prohibits the selling of consumer data without valid authorization that meets certain requirements and is signed by the consumer, separate and apart from the opt-in consents for the data collection or sharing.
Any person is prohibited from placing a spatial boundary, or geofence, around any entity providing in-person health care services if that boundary is used to identify, track, send messages to, or collect consumer health data from, consumers seeking health care services.
What Rights Does the Law Give to Consumers?
Consumers have many rights under the Law, such as rights of access to their consumer health data, to withdraw consent, and to have their data deleted, including from archived or backup systems. MHMD provides in detail how consumers may exercise their rights.
Enforcement and Fines
Any violation of MHMD is a per se violation of the Washington Consumer Protection Act, enforceable by the Attorney General as well as by a private lawsuit (or class action) by injured individuals. Actual damages, including treble damages with a cap, and costs and attorney’s fees may be awarded, and there are possible civil penalties as well.
Exceptions to MHMD
Government agencies, their contractors, and tribal nations are not regulated entities. The Law has numerous exceptions that are consistent with other privacy laws, such as excepting deidentified data, publicly available data, certain research data, quality assurance data, data needed to prevent harm, and data covered by other laws like HIPAA and GLBA.
FBT attorneys can help you analyze the applicability of MHMD to your business and assist you with your compliance obligations without losing sight of your business objectives. For more information, contact any attorney with Frost Brown Todd’s Data, Digital Assets and Technology practice group.