The Washington state My Health My Data Act (MHMDA) casts a wide net over the businesses and data it intends to regulate. Passed on April 17, the law places restrictions on the collection, sharing, and selling of “consumer health data.” Moreover, it provides one of the broadest private rights of action in the U.S., because that private right of action is available both to consumers who are Washington residents and to consumers whose health data is collected in Washington.
This law will not affect only health care-focused businesses. Any business with ties to the Evergreen State needs to be aware of the potential implications for its data practices. The law comes into effect for most businesses on March 31, 2024, setting up a compliance rush.
Broad Scope of Entities Affected
The MHMDA defines a “regulated entity” as an entity that does business or targets consumers in Washington and, alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data. The statute excludes government agencies and contractors processing health data on behalf of a government agency.
The statute creates a subset of regulated entities for small businesses that fall below certain limits, but this subset of regulated entities only has the benefit of pushing the compliance date out until June 30, 2024.
Given the MHMDA is intended to supplement the protections afforded under HIPAA, the law exempts HIPAA-covered data and entities. Exemptions for entities that handle data governed by the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA) are only at the data level rather than at the entity level. Therefore, entities must be acutely aware of the source of their data and when data is and is not governed by GLBA, FCRA, and FERPA.
Broad Scope of Health Data Covered
The MHMDA defines “consumer health data” as personal information that is not just linked, but also “reasonably linkable,” to a consumer and that identifies the consumer's past, present, or future physical or mental health status. The law does carve out deidentified data from the definition of consumer health data.
Physical or mental health status is very broadly defined to include traditional health care data as well as non-traditional categories of data. The non-traditional categories include biometric data, location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies, data that identifies a consumer seeking health care services, and even information that is derived or extrapolated from non-health information that a regulated business processes to associate or identify a consumer with the data described in the statute.
With regard to biometric information, businesses should proceed with extreme caution if such information could reveal a known or unknown “health status.” For example, facial scans could reveal Down syndrome, ocular scans could reveal glaucoma, and speech patterns could reveal Parkinson’s disease. The law does not ask whether the information is actually used for that kind of purpose, but rather whether the information could reveal such health information.
Consumer Rights, Including Private Right of Action
Consumers protected by this law have the right to request information regarding whether the regulated entity collected, shared, and sold their data; a right to withdraw consent for sharing of their data; and a right to request that their data be deleted. Regulated entities must institute an appeals process for refusal to comply with a consumer’s request. If an appeal is denied, the consumer can submit a complaint to the Washington attorney general.
An alleged violation of the MHMDA provides consumers with a private right of action under the Washington Consumer Protection Act, which carries a penalty of $7,500 per violation with the possibility of a $5,000 enhanced penalty should the unlawful act impact individuals based on demographic characteristics such as the presence of any sensory, mental, or physical disability.
All entities with business connections to Washington state should evaluate their data practices to ensure compliance well in advance of the quickly approaching 2024 effective date, given the thorny requirements and the projected cost of defensive litigation and class actions. Ongoing review of privacy practices and guidance from experienced privacy counsel will be valuable to ensure compliance, particularly as the scope of the MHMDA may evolve with case law emerging from the private right of action.
For more information, please contact us or your regular Parker Poe contact.