Friendly Reminder - Finalize and Post Your Consumer Health Data Privacy Notice Before March 31
Friendly reminder – the Washington My Health My Data Act (“WMHMDA”) compliance deadline for regulated entities to post their consumer health data privacy policy is March 31, 2024 (June 30, 2024 for small businesses). A consumer health data privacy policy (“Consumer Policy”) is a critical component of demonstrating WMHMDA compliance efforts, particularly because WMHMDA allows for an expansive private right of action.
We provide a more detailed discussion of what is required in a WMHMDA Consumer Policy in Part Six of our WMHMDA summer series but include high-level considerations below:
- Standalone Notice
Pursuant to guidance from the Washington Office of the Attorney General, the Consumer Policy must be separate from your organization’s website privacy policy (and separate from the notice of privacy practices for those entities subject to HIPAA). WMHMDA does not allow for a WMHMDA- or “consumer health data”-specific section of an existing website privacy policy. It must be a standalone policy.
The Consumer Policy may not contain additional information not required under the Washington My Health My Data Act. Many of the required disclosures will seem duplicative of disclosures in your existing website privacy policy. However, we can help you draft your privacy notices to complement each other and reduce consumer confusion.
- Website Link
The Consumer Policy must be prominently linked on your website homepage. As website homepages get more crowded, your organization should make efforts to differentiate between the standard website privacy policy, a Consumer Policy, and a notice of privacy practices (if applicable). Special attention should be paid to limiting consumer confusion by reviewing all privacy notices in tandem.
- Specific Content
The Consumer Policy must include specific statements, but do not draft your Consumer Policy with the same methods as your comprehensive state law disclosures on your website privacy notice. The definitions under WMHMDA are distinct from enacted state comprehensive privacy laws.
A Consumer Policy should be low-hanging fruit for your WMHMDA compliance. Failure to have an appropriate Consumer Policy on your website is easily apparent to regulators and to plaintiffs’ attorneys looking for an opportunity to file suit arguing that failure to have the Consumer Policy amounts to an unfair or deceptive act under the Washington Consumer Protection Act. It is not yet clear how the Washington Office of the Attorney General will monitor litigation or collaborate with the Federal Trade Commission.
For guidance and advice on drafting a Consumer Health Data Privacy Policy or implementing changes to your data privacy program in light of WMHMDA or other changing laws, please contact any member of the Quarles & Brady Health Information Technology, Privacy & Security Team, your Quarles attorney or:
- Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com
- Sarah Erdmann: (414) 277-5512 / sarah.erdmann@quarles.com