Diving into the Washington My Health My Data Act
This is Part Eleven in a series of legal updates on the Washington My Health My Data Act (“WMHMDA”), where Quarles continues its deep dive into the various factors and intricacies of WMHMDA that are creating waves in the privacy space – and not just for the health and life sciences industry.
In previous updates, we’ve covered who is subject to the law and the broad definitions of “consumer” and “consumer health data,” and discussed specific requirements of the law such as geofencing, consent and authorization for collecting and sharing data, the consumer health and data privacy policy, individual rights, the extensive private right of action and Attorney General enforcement options, and next steps for operationalizing compliance. While we find ourselves in August already (and with fall around the corner), we want to help you make the most of these last summer days and provide a visual comparison of WMHMDA and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Feel free to grab your beach chair, umbrella, and picnic basket for this easy read.
Catch up with the WMHMDA summer series: We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in:
- Overview: Washington Poised to Transform Consumer Health Data Landscape with Passage of My Health My Data Act
- Part One: What Regulated Entities are Subject to WMHMDA
- Part Two: Consumers Covered by WMHMDA
- Part Three: Broad Scope of Consumer Health Data
- Part Four: Geofencing Requirements
- Part Five: Consent and Authorization Requirements
- Part Six: Consumer Health Data Privacy Policy
- Part Seven: Biometric Data
- Part Eight: Individual Rights
- Part Nine: Enforcement and Private Right of Action
- Part Ten: Operational Realities and Next Steps
- Part Eleven: HIPAA vs. WMHMDA (for table lovers) (this is what you are reading now)
- Part Twelve: Washington AG Guidance
HIPAA v. WMHMDA Comparison Table
We include below a quick-bite reference table comparing the main privacy concepts of both HIPAA and WMHMDA. Beneath the table, we walk through each section in greater detail for those of you who want some additional beach reading.
General Scope and Exemptions
To start things off, HIPAA and WMHMDA appear very similar as far as scope and exemptions. Both address entities that are subject to the law without including threshold requirements based on revenue or number of consumers whose data is being processed (though WMHMDA does include a “small business” concept providing these “small businesses” with delayed compliance dates).
However, WMHMDA is broader than HIPAA, as it appears to apply to a wider set of entities than the standard HIPAA “covered entities.” HIPAA applies to health plans, healthcare clearinghouses, and any healthcare providers that engage in certain electronic transactions. On the other hand, WMHMDA applies to “regulated entities,” i.e., any legal entity that (1) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington, and (2) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data. We have already discussed how broadly “consumer,” “consumer health data,” and “collecting” are defined. A general nexus to Washington will capture entities under WMHMDA.
HIPAA and WMHMDA both include limited exemptions, mostly at the data level, e.g., HIPAA’s state preemption analysis and WMHMDA’s exemption of data governed by and collected, used, or disclosed pursuant to HIPAA. Also, neither applies to employee data or business-to-business data.
Individual Rights
Individual rights provided by WMHMDA and HIPAA have fewer similarities than one might think. While certain rights are present in both schemes (access, restriction on use of data, right to know), WMHMDA – and not HIPAA – includes a right to delete data.
Obligations for Compliance
- Privacy Notice Requirements
Both WMHMDA and HIPAA require privacy notices to consumers that describe the entity’s data collection, use, and disclosure practices, as well as individual rights (the “consumer health and data privacy policy” and “Notice of Privacy Practices,” respectively). Both must be linked on an entity’s homepage.
- Written Contracts with Processors/Third-Party Vendors
Both HIPAA and WMHMDA address downstream parties (“business associates” and “processors,” respectively). HIPAA has prescriptive requirements for business associate agreements, but WMHMDA arguably requires more thought when putting together data authorization terms for “processors” outlining the scope of and limitations on processing.
- Data Minimization
Both WMHMDA and HIPAA include “data minimization” requirements (the “minimum necessary” standard under HIPAA), under which entities are required to limit the use and disclosure of data. Under HIPAA, data minimization requires limiting processing to what is required to further the purpose of the use or disclosure. Under WMHMDA, data minimization entails limiting access to what is necessary to further the purpose for which the consumer provided consent, or where necessary to provide a product or service that the consumer requested.
Enforcement
While both HIPAA and WMHMDA include civil penalties, only WMHMDA provides for a broad private right of action. It is worth noting that while individuals are unable to bring an action under HIPAA, an individual may file a complaint with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), HIPAA’s enforcement authority. The Washington Attorney General has authority to enforce WMHMDA, and the Health Information Technology for Economic and Clinical Health (HITECH) Act granted state Attorneys General authority to bring civil actions on behalf of state residents for violations of HIPAA.
Notes from Quarles
The WMHMDA preamble notes that a goal of the legislation was to cover health data that may not be covered by HIPAA. Thus, it is not surprising that there are many similarities between the two laws. However, there are enough differences in scope and applicability that certain health and life sciences entities may find themselves subject to both WMHMDA and HIPAA for different data sets. Given competing priorities, this may make technical and administrative compliance operationally difficult.
Regardless of whether HIPAA applies to certain data, if WMHMDA compliance is required for any consumer health data held by your organization, you should begin assessing the steps needed to operationalize compliance with WMHMDA well in advance of the spring 2024 effective date.
In Part Twelve, we will take advantage of the last summer days and nights and turn to the recent Attorney General Guidance for any buoys they are willing to throw our way.
For guidance and advice on implementing changes to your data privacy program in light of WMHMDA or other changing laws, please contact any member of the Quarles & Brady Data Privacy & Security Team, your Quarles attorney or:
- Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com
- Sarah Erdmann: (414) 277-5512 / sarah.erdmann@quarles.com