Washington Poised to Transform Consumer Health Data Landscape with Passage of My Health My Data Act
Update: On April 27, MHMD was signed into law by Gov. Jay Inslee.
Effects on consumer health data collection and processing will be felt in Washington and beyond, with new consumer rights and consent requirements as well as a private right of action.
On April 17, the Washington legislature passed the My Health My Data Act (“MHMD”). As it heads to the Governor’s desk, we are taking a dive into the key concepts of this watershed legislation, including its broad application to businesses, wide-ranging scope, significant consent requirements, and private right of action. MHMD is the first state legislation to offer a comprehensive privacy approach specific to consumer health data. It brings in European and California-like privacy themes as well as some new obligations not yet seen in the US privacy landscape.
The MHMD Act comes after a string of recent privacy developments, including Iowa becoming the sixth state to pass a comprehensive data privacy law just last month and increased health data-related enforcement from the Federal Trade Commission.
What is the MHMD Act?
Introduced early in January, MHMD creates protections for personal information related to an individual’s health conditions or attempts to obtain health care services. MHMD acknowledges that consumer health data is among the most personal and sensitive categories of data and that the Health Insurance Portability and Accountability Act (“HIPAA”) leaves a gap for health data collected by non-HIPAA covered entities, including certain apps and websites. MHMD also clarifies that the intent is to “close the gap between consumer knowledge and industry practice by providing stronger privacy protections.”
Broad Scope of Entities Subject to MHMD
Unlike state comprehensive privacy laws (e.g., CCPA), there is no threshold for applicability based on revenue or number of consumers whose data is processed. Instead, the MHMD Act applies to “regulated entities” broadly defined as any legal entity that:
- conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
- alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data.
“Regulated entities” are not limited to Washington-based businesses. However, the definition specifically excludes government agencies, tribal nations, and contracted service providers when processing consumer health data on behalf of the government agency. With the exception of these entities, MHMD does not provide full entity exemptions, including no exemption for non-profit entities.
Exemptions exist for specific types of data, such as protected health information under HIPAA, certain personal information processed for purposes of federal human subjects protections, certain limited hospital data, data governed by the Gramm-Leach-Bliley Act, and data de-identified in compliance with HIPAA. The exemptions also include data that originates from a HIPAA covered entity or business associate and is intermingled so as to be indistinguishable from information maintained by that covered entity or business associate.
What should HIPAA covered entities do? If the MHMD Act is signed, health and life sciences entities will need to carefully assess applicability and the scope of exemptions.
What Data is Covered by MHMD?
The MHMD Act applies to “consumer health data” which is a broader definition than one might expect. The definition includes “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status” which is similar to HIPAA. However, the definition also includes a non-exhaustive list of what is considered consumer health data, including: gender-affirming care information, reproductive or sexual health information, biometric data, genetic data, use or purchase of prescribed medication, and precise location data (all of which are further defined). Consumer health data also includes any information that a regulated entity (or its processor) processes to associate or identify a consumer with consumer health data that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
The term “consumer” is also very broadly defined to cover not only Washington residents but also “a natural person whose consumer health data is collected in Washington.” Note that “collection” is likewise broadly defined to include buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving, or otherwise processing consumer health data in any manner.
Given the broad definition of “collection,” coupled with the number of businesses that process and retain personal information with large technology companies in Washington, the potential scope of MHMD reaches far beyond Washington. Hopefully we will see further guidance on MHMD that will set guardrails on the scope of applicability.
What Obligations Does MHMD Create?
Pertinent MHMD obligations include:
Consumer Rights. The MHMD Act creates privacy rights specific for consumer health data, similar to those seen in other state comprehensive privacy laws, such as the right to access, delete, and withdraw consent from the collection, sharing, or sale of such consumer health data. However, MHMD also introduces novel rights and more extreme requirements on common consumer privacy rights.
MHMD’s right to delete is an absolute right to delete: upon receiving a request, a regulated entity must delete the consumer’s health data within 30 days of authenticating the request. A consumer can request deletion at any time, and the right requires deletion of data from all parts of the regulated entity’s network, including archived or backup systems, as well as flow-down communication to affiliates, processors, contractors, and other third parties with whom the regulated entity shared consumer health data. Health and life sciences entities are subject to a variety of legally required retention standards, as well as operational limitations, which appear to conflict with this absolute deletion right. This will be a major concern for stakeholders as we watch MHMD implementation.
Restrictions on Collection and Sharing Consumer Health Data. MHMD includes specific restrictions on collecting and sharing consumer health data. Under MHMD, regulated entities may not collect or share consumer health data except (1) with consumer consent for the specified purpose or (2) to the extent necessary to provide a product or service required by the consumer. Consents to collect or share must be obtained separately and prior to such collection or sharing. In addition, MHMD outlines specific consent content requirements.
Consumer Health Data Privacy Policy. MHMD requires companies to have a consumer health data privacy policy that clearly and conspicuously discloses required information (in addition to currently existing requirements for website privacy policies and HIPAA notices of privacy practices).
Restriction on Sale of Consumer Health Data. Regulated entities are prohibited from selling or offering to sell consumer health data without an authorization. An authorization must be written in plain language and outline a number of requirements, including the specific consumer health data being sold, name and contact information of the seller and purchaser, and the purpose of the sale (including how the sold data will be gathered and used by the purchaser).
Prohibition on Geofencing. MHMD makes it unlawful to implement a geofence around any facility providing in-person health care services where the geofence is used to (1) identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. Geofence is defined as “technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wifi data, and/or any other form of location detection to establish a virtual boundary around a specific physical location” within 2,000 feet from the perimeter of the physical location.
Enforcement and Private Right of Action
Washington has tried several times to pass comprehensive privacy legislation and the issue of enforcement and a private right of action has historically killed every such effort. MHMD is enforceable through both the Washington Attorney General’s office (as a violation of the Washington Consumer Protection Act governing unfair or deceptive trade practices and unfair competition) and a private right of action (via Washington’s Consumer Protection Act), which makes MHMD the first privacy legislation with a private right of action since the 2008 adoption of Illinois’ Biometric Information Privacy Act (BIPA).
What’s Next?
If signed by the Washington Governor, or after an allotted number of days pass, MHMD will be effective on March 31, 2024 (with an additional 90-day delay for small businesses). The geofencing prohibition will go into effect just 90 days after passage.
Given the broad definitions of “consumer health data” and “consumer” as well as the broad scope of entities that could fall under MHMD and the potential for privacy causes of action, MHMD is poised to change the landscape of collecting and processing consumer health data. It is too early to tell if this will create a new best practice, but MHMD will certainly reach a broad swath of companies and may become the next BIPA-like opportunity for extensive privacy-related litigation and enforcement.
Stakeholders should track MHMD’s progress on the Governor’s desk and, if it is signed, begin to prepare to meet MHMD obligations to:
- Maintain a consumer health data privacy policy
- Restrict collection and sharing of consumer health data to limited purposes without consumer consent
- Provide and respond to consumer rights regarding consumer health data
- Implement access controls and information security safeguards
- Put in place data processing agreements
- Not engage in sale of consumer health data without authorization
- Not implement geofencing in specific circumstances
For guidance and advice on implementing changes to your data privacy programs in light of Washington or other changing laws, please contact any member of the Quarles & Brady Data Privacy & Security Team, your Quarles attorney or:
Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com
Kiana Baharloo: (312) 715-2738 / kiana.baharloo@quarles.com