Diving into the Washington My Health My Data Act
This is Part Three in a series of legal updates on the Washington My Health My Data Act (“WMHMDA”) where Quarles continues its deep dive into the various factors and intricacies of WMHMDA that are creating tidal waves in the privacy space – and not just for the health and life sciences industry.
We provided a high-level overview of the landmark legislation and its origins immediately after its passage, and we waded into the waters with analysis of the regulated entities subject to WMHMDA and the broad scope of “consumers” captured by WMHMDA in the first two parts of our series. In this part, we will try to avoid getting caught in the undertow while reviewing the broad reach of the types of data covered under the WMHMDA.
Catch up with the WMHMDA summer series: We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in:
- Overview: Washington Poised to Transform Consumer Health Data Landscape with Passage of My Health My Data Act
- Part One: What Regulated Entities are Subject to WMHMDA
- Part Two: Consumers Covered by WMHMDA
- Part Three: Broad Scope of Consumer Health Data (this is what you are reading now)
- Part Four: Geofencing Requirements
- Part Five: Consent and Authorization Requirements
- Part Six: Consumer Health Data Privacy Policy
- Part Seven: Biometric Data
- Part Eight: Individual Rights
- Part Nine: Enforcement and Private Right of Action
- Part Ten: Operational Realities and Next Steps
- Part Eleven: HIPAA vs. WMHMDA (for table lovers)
- Part Twelve: Washington AG Guidance
Data Covered by WMHMDA
WMHMDA introduces compliance requirements related to the collection, use, and disclosure of “consumer health data.” While the Act is titled “My Health My Data Act,” it is important to be cautious of the undertow – specifically, the broad reach of data covered under WMHMDA that most do not traditionally consider “health” data.
First, we start with the definition of “consumer health data,” i.e.:
Personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.
Businesses subject to HIPAA are probably thinking, this is not all that different from the definition of “protected health information” (PHI). Grab your floaties because this general definition is a lot more open-ended than PHI.
The definition then elaborates with a non-exhaustive list of what data is included in “physical or mental health status.” It includes some expected items, albeit broadly described (e.g., individual health conditions, treatment, disease, or diagnosis), as well as some very specific examples (e.g., gender-affirming care, reproductive or sexual health information, etc.). Overall, the definition is incredibly broad and worth seeing in its entirety.
(b) For the purposes of this definition, physical or mental health status includes, but is not limited to:
- Individual health conditions, treatment, diseases, or diagnosis;
- Social, psychological, behavioral, and medical interventions;
- Health-related surgeries or procedures;
- Use or purchase of prescribed medication;
- Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection (8)(b);
- Diagnoses or diagnostic testing, treatment, or medication;
- Gender-affirming care information;
- Reproductive or sexual health information;
- Biometric data;
- Genetic data;
- Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
- Data that identifies a consumer seeking health care services; or
- Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described in (b)(i) through (xii) of this subsection that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
Underlined terms are further defined, and we’ll dig into biometrics later in this series. However, it is notable that some of the most open-ended elements of this definition are not further defined. For example, what constitutes a “social intervention”? Is a social media exchange a “social intervention”? Does a social media post from your gluten free friend about a new vegan pizza restaurant amount to information about “bodily functions”?
Then there is the element of “data that identifies a consumer seeking health care services” – where health care services is further defined (unsurprisingly) extraordinarily broadly as:
Any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health.
Similar to the definition of “consumer health data,” the definition of “health care services” includes a non-exhaustive list of services. Reading this definition on its face, it seems like WMHMDA covers any service related to a person’s health no matter how tangential. Without further guidance, it is plausible that grocery and online shopping habits (your ibuprofen, vitamins, workout clothes, stereotypical pregnancy purchases, etc.), gym membership, diet-related podcasts, general (non-authenticated) searches on health topics, water reminder apps, 5K registration, etc. could be deemed “consumer health data” along with data generated from any other online or personal service or activity that could arguably assess, measure, improve, learn, or make inferences about a person’s health.
As mentioned in Part 2 of this series, the definition of who constitutes a “consumer” is incredibly broad, which means the sheer amount of data subject to WMHMDA is unprecedented. WMHMDA is not a health privacy law; it is much broader. These authors personally hope for guidance rather than testing the breadth of this definition in court.
Data Exclusions
Before these rough waves drive you from the beach, maybe we can bring some calm to the waters with data exclusions. So what data is excluded?
B2B and Employee Data. As we discussed in Part 2 of this series, employee and B2B data are excluded from WMHMDA. This should ease some burden in figuring out how to comply with arduous WMHMDA compliance obligations.
HIPAA. WMHMDA also excludes data that is subject to other data privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA). The Act does not include entity-level exclusions (i.e., HIPAA covered entities and business associates do not have a blanket exclusion from WMHMDA). However, the Act does exclude data that is not covered under HIPAA but that originates from, and is maintained by, a covered entity or business associate that intermingles it with HIPAA-covered data. While this flexibility is welcome, it does set up operational difficulties for entities that need to maintain a HIPAA compliance program for HIPAA-related data (i.e., PHI and data intermingled with PHI) and a different and more onerous compliance program for all other consumer health data.
Biometric Data. As far as use of biometric data (again, we’ll dig into biometrics later in our series), WMHMDA has an exclusion that applies to the use of biometric data for security purposes (e.g., in response to security incidents, identity theft, fraud, harassment, etc.).
Deidentified Data. “Consumer health data” is limited to personal information; as such, deidentified data is excluded from the scope of WMHMDA. The Act defines deidentified data as:
Data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer, if the regulated entity or the small business that possesses such data (a) takes reasonable measures to ensure that such data cannot be associated with a consumer; (b) publicly commits to process such data only in a deidentified fashion and not attempt to reidentify such data; and (c) contractually obligates any recipients of such data to satisfy the criteria set forth in this [definition].
Deidentification under WMHMDA does not explicitly incorporate the HIPAA deidentification definition. In fact, deidentified data under the Act requires more – public commitments regarding processing and contractual obligations on recipients of deidentified data.
Additional Exclusions. WMHMDA excludes the following data:
- Data subject to certain federal privacy laws, including the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), and Family Educational Rights and Privacy Act (FERPA)
- Data subject to specific federal and Washington state regulations related to health and insurance
- Data used for peer-reviewed research in the public interest that is governed by an institutional review board or similar oversight entity to determine whether appropriate safeguards are implemented
- Publicly available information, i.e., data that “(a) is lawfully made available through federal, state, or municipal government records or widely distributed media, and (b) a regulated entity or a small business has a reasonable basis to believe a consumer has lawfully made available to the general public” (yes, it is difficult to understand how to read that “and”).
As discussed in our overview, WMHMDA’s drafters’ intent was to “close the gap between consumer knowledge and industry practice by providing stronger privacy protections” – specifically, closing the gap of health data collected by non-HIPAA covered entities. But WMHMDA goes far beyond HIPAA’s obligations. What is clear from the broad drafting of the Act is that entities must look critically at their data collection practices to determine whether data is subject to WMHMDA. Given the open-ended drafting of “consumer health data” and the broad set of “regulated entities” and “consumers,” businesses may find themselves needing to implement a third privacy program to go along with comprehensive state law and HIPAA.
A practical place to start would be reviewing your data map (or conducting a data mapping exercise) to identify and categorize the scope of “consumer health data” processed by your organization. Once you are able to identify the data, you are better suited to identify potential exceptions (including overlapping exceptions) and isolate compliance obligations.
In Part 4 we will dive into the WMHMDA geofencing requirements, which have a fast-approaching enforcement date. Additional issues raised by WMHMDA are forthcoming. Until next time… turn on your grill, grab your floaties, and get ready to dive in.
For guidance and advice on implementing changes to your data privacy program in light of WMHMDA or other changing laws, please contact any member of the Quarles & Brady Data Privacy & Security Team, your Quarles attorney or:
- Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com
- Sarah Erdmann: (414) 277-5512 / sarah.erdmann@quarles.com