Understanding the Washington My Health My Data Act: a comprehensive guide

The Washington My Health My Data Act (MHMDA) aims to enhance consumer privacy protections specifically related to health data. Unlike most other US state-level data privacy laws, which cover a wider range of information that is considered personal information or personal data, the Washington MHMDA focuses solely on protecting consumer health data.

Interestingly, though legislation has been drafted several times, the state of Washington does not yet have a comprehensive state-level data privacy law like its neighbor Oregon does.

The regulation defines a consumer as either a natural person who is a Washington resident or someone whose consumer health data is collected in the state of Washington. It does not include individuals acting in an employment context.

While US federal laws such as the Health Information Portability and Accountability Act (HIPAA) already protect the health data of Washington residents, HIPAA only applies to health data collected by specific healthcare entities, such as most healthcare providers. The Washington My Health My Data Act extends these protections to health data collected by entities not bound by HIPAA, including certain apps, websites, and small businesses.

The regulation has four main aims:

• to require additional disclosures and consumer consent regarding the collection, sharing, and use of health data
• to empower consumers with the right to have their health data deleted
• to prohibit the selling of consumer health data without valid authorization signed by the consumer
• to make using a geofence around a facility that provides healthcare services unlawful

The Washington MHMDA protects the health data of those defined as consumers under the regulation. It provides a broad definition of consumer health data, which means “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”

It further specifies that physical or mental health status includes, but is not limited to, 13 types of data:

• individual health conditions, treatment, diseases, or diagnosis
• social, psychological, behavioral, and medical interventions
• health-related surgeries or procedures
• use or purchase of prescribed medication
• bodily functions, vital signs, symptoms, or measurements of the data types included under the definition
• diagnoses or diagnostic testing, treatment, or medication
• gender-affirming care information
• reproductive or sexual health information
• biometric data
• genetic data
• precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies
• data that identifies a consumer seeking healthcare services
• any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with this data described that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).

Data governed by several federal and state laws is exempt from the regulation, including:

• the Gramm-Leach-Bliley Act (GLBA)
• the Family Educational Rights and Privacy Act (FERPA)
• the Social Security Act
• the Fair Credit Reporting Act
• the Health Insurance Portability and Accountability Act (HIPAA)

The regulation also exempts compliant data used in public or peer-reviewed scientific, historical, or statistical research in the public interest. This data must be approved, monitored, and governed by one of the following, which is satisfied that the regulated entity or small business has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification:

• an institutional review board
• human subjects research ethics review board
• similar independent oversight entity

The Washington MHMDA applies to three categories of entities.

These are legal entities that:

• conduct business in Washington state, or produce or provide products or services targeted to consumers in the state
• alone or jointly with others determine the purpose and means of collecting, processing, sharing, or selling consumer health data

This category includes businesses physically located in Washington and those outside the state that target their products or services to Washington consumers. Notably, entities that merely store data in Washington without engaging in other data processing activities are not considered regulated entities under this Act.

Government agencies, tribal nations, or contracted service providers that process consumer health data on behalf of the government agency are exempt from the definition of a regulated entity.

A small business under the Washington MHMDA is a regulated entity that satisfies one or both of the following conditions:

• collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year
• derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers

While they must comply with the same requirements as larger entities, the distinction is pertinent as regulated entities that are small businesses have an extended deadline to meet many of the compliance requirements.

Regulated entities and small businesses under the Washington MHMDA are similar in function to “data controllers” as defined in other US and global data protection regulations, such as the General Data Protection Regulation (GDPR). They determine the purposes and means of processing consumer health data.

Individuals or organizations that process consumer health data on behalf of a regulated entity or small business are designated as processors under the regulation. This includes out-of-state processors working for Washington-based entities.

The Washington MHMDA includes effective dates on a section by section basis and based on the type of entity that must comply with its requirements.

• July 23, 2023: all persons must comply with the regulation’s prohibitions on geofencing under Section 10
• March 31, 2024: regulated entities that are not small businesses must comply with Sections 4 to 9, which contain:
  • requirements on a consumer health data privacy policy
  • restrictions on consumer health data processing
  • consumers’ rights and requests to exercise them
  • implementation of specific data security measures
  • contracts with data processors
  • restrictions on the sale of consumer health data
• June 30, 2024: small businesses must comply with Sections 4 to 9 under the regulation

The Washington MHMDA defines some key terms pertaining to data processing activities.

Under the regulation, geofencing is technology that uses any of the following to establish a virtual boundary that is 2,000 feet (609.6 meters) or less from the perimeter of a specific physical location, or to locate a consumer within a virtual boundary:

• global positioning coordinates
• cell tower connectivity
• cellular data
• radio frequency identification
• WiFi data
• any other form of spatial or location detection

The Washington MHMDA provides a broad definition of processing to include “any operation or set of operations performed on consumer health data.”

The regulation defines sale or sell as “the exchange of consumer health data for monetary or other valuable consideration.” It specifically excludes from this definition the sale of consumer health data that is:

• transferred to a third party as part of a merger, acquisition, bankruptcy, or other transaction, where the third party assumes control of the regulated entity’s assets and complies with the regulation’s requirements
• exchanged with a processor, provided it aligns with the original purpose for which the data was collected and disclosed to the consumer

Under the Washington MHMDA, share or sharing means “to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity or a small business to a third party or affiliate.”

The term does not include:

• sharing data with a processor to provide goods or services, as long as it aligns with the original purpose for which the data was collected and disclosed to the consumer
• sharing data with a third party with whom the consumer has a direct relationship, provided it is for a product or service requested by the consumer, the regulated entity retains control of the data, and the third party uses the data only as directed by the regulated entity and consistent with the consumer’s consented purpose
• the disclosure or transfer of personal data as part of a merger, acquisition, bankruptcy, or other transaction, where the third party assumes control of the regulated entity’s assets and complies with the regulation’s requirements.

Consent is defined under the regulation as “a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means.”

Regulated entities and small businesses may not obtain consent by:

• a consumer accepting a general or broad terms of use agreement or a similar document that includes descriptions of personal data processing along with other unrelated information
• a consumer hovering over, muting, pausing, or closing a given piece of content
• using deceptive designs, aka dark patterns

Section 5 of the Washington MHMDA prohibits regulated entities and small businesses from collecting consumer health data, except in any one of the following cases:

• they obtained consent from a consumer to collect their health data for a specified purpose
• the data is necessary to provide a product or service that the consumer has requested from the regulated entity or small business

If consumer health data has been collected in compliance with the regulation, it cannot be shared without the separate consent of the consumer, which is distinct from the consent obtained for collection, or unless sharing is necessary to provide a product or service that the consumer has requested.

Regulated entities and small businesses must obtain explicit, opt-in consent prior to the collection or sharing of the health data, and the request for consent must clearly and conspicuously disclose all of the following information:

• the categories of consumer health data collected or shared
• the purpose of collection or sharing, including specific ways in which it will be used
• the categories of entities with whom the data is shared
• how the consumer can withdraw consent

Section 9 of the regulation makes it unlawful for any person to sell or offer to sell consumer health data without first obtaining valid authorization from the consumer. This authorization must also be separate from the consents obtained to collect and/or share consumer health data.

A valid authorization under the regulation must be written in plain language that is easy to understand, and must contain the following information:

• the specific consumer health data concerning the consumer that the person intends to sell
• the name and contact information of the person collecting and selling the consumer health data
• the name and contact information of the person purchasing the consumer health data
• a description of the purpose for the sale, including how the consumer health data will be gathered and how it will be used by the purchaser when sold
• a statement that requiring the consumer to sign the valid authorization is not a condition to providing goods or services
• a statement that the consumer has a right to revoke the valid authorization at any time and a description on how to submit a revocation of the valid authorization
• a statement that the consumer health data sold under the valid authorization may be disclosed again by the purchaser and may lose its protection under this section.
• an expiration date for the valid authorization that expires one year from when the consumer signs the valid authorization
• the signature of the consumer and the date of signing

An authorization is invalid if:

• the expiration date has passed
• it doesn’t contain all the required information
• the consumer revokes it
• it has been combined with other documents
• it is required for the consumer to receive goods and services

The consumer must receive a copy of the signed valid authorization. Both the seller and purchaser must keep copies of all valid authorizations for sale of consumer health data for six years from the date of its signature or the date when it was last in effect, whichever is later.

Under Section 6 of the Washington My Health My Data Act, consumers are granted specific rights with respect to their health data. These rights include:

• Right to access: consumers can confirm whether a regulated entity or small business is collecting, sharing, or selling their health data. They can also access this data and receive a list of all third parties and affiliates who have received it, along with contact information for these third parties.
• Right to withdraw consent: consumers can withdraw their previously given consent for the collection and sharing of their health data.
• Right to deletion: consumers can request the deletion of their health data from the records of a regulated entity or a small business, including data stored in archives and backups and data shared with affiliates, processors, contractors, and other third parties.

Entities that fall under the scope of the Washington MHMDA have several notable obligations towards consumers and their health data in order to be compliant.

Consumers can exercise their rights under Section 6 of the regulation at any time by making a consumer rights request to the regulated entity or small business. Consumer rights requests are often referred to as data subject requests (DSR) or data subject access requests (DSAR).

Regulated entities and small businesses are required to establish a secure and reliable method for consumers to exercise their rights, which must be described in the consumer health data privacy policy. Consumers can be asked to log into an existing account to verify their identity, but they must not be required to create a new account to submit a request or otherwise exercise their rights. If the regulated entity or small business cannot reasonably verify the consumer’s identity, it may request additional verification or decline the request.

The regulated entity or small business must respond to a consumer request within 45 days, with an extension option of another 45 days if necessary (e.g. the entity is experiencing a high volume of requests or there are difficulties in accessing all the required information). If an extension is required, the consumer must be notified before the expiry of the initial 45-day period.

The regulated entity or small business must establish a process for consumers to appeal a refusal to act on a consumer request. This process must be similar to the process for submitting a request. The regulated entity or small business has 45 days to respond to an appeal, and it must provide a written explanation of its decision to the consumer. If the appeal is denied, the regulated entity or small business must provide the consumer with a way to contact the Attorney General, either online or through another method, to submit a complaint.

Section 4 requires regulated entities and small businesses to create a standalone consumer health privacy policy, which must not contain any information not required under the Washington MHMDA. This privacy policy must be accessible via a prominent link on the entity’s homepage.

The consumer health data privacy policy must clearly outline:

• categories of consumer health data collected
• purposes for which the data is collected and how it will be used
• categories of sources from which the data is collected
• categories of consumer health data that are shared
• third parties and affiliates with whom the data is shared
• how consumers can exercise their rights under the regulation

The consumer health data privacy policy must disclose any additional categories of consumer health data and the purposes for which the data is collected. A regulated entity or small business cannot collect, use, or share this data without first updating this privacy policy and obtaining explicit, opt-in consent from the consumer.

It is a violation for a regulated entity or small business to contract with a processor to handle consumer health data in ways that contradict this privacy policy.

Under Section 7 of the Washington MHMDA, regulated entities and small businesses must take specific steps to protect consumer health data.

First, they must restrict access to consumer health data. This means access should only be granted to employees, processors, and contractors who need it to carry out the purposes consented to by the consumer, or to deliver a product or service requested by the consumer.

They are also required to put in place comprehensive administrative, technical, and physical data security practices. The standards for these practices should at minimum meet the reasonable standard of care within the industry to protect the confidentiality, integrity, and accessibility of consumer health data, taking into account the volume and nature of the consumer health data handled.

Section 8 of the Washington MHMDA requires regulated entities and small businesses to enter into a binding contract with processors before they can process consumer health data on their behalf. This contract is known as a “data processing agreement” in laws such as the GDPR and Virginia Consumer Data Protection Act (VCDPA), and must clearly outline the processing instructions and restrict the actions the processor can take with the consumer health data.

The regulation explicitly requires that processors can only process consumer health data in a way that aligns with the detailed instructions provided in their contract with the business.

Processors must also assist the regulated entity or small business by implementing appropriate technical and organizational measures to help fulfill their obligations under the Washington MHMDA.

A significant aspect of this regulation is the accountability mechanism it introduces. If a processor fails to follow the instructions or if it processes data outside the contract’s scope, it will be considered a regulated entity or small business for the purposes of that data. Consequently, it will be subject to all the obligations and requirements of the regulation concerning that data.

The Washington MHMDA imposes specific restrictions on the use of geofencing technology in proximity to healthcare services. It prohibits any person from implementing geofences within a 2,000-foot perimeter of locations providing in-person healthcare services if the geofence is used for:

• identifying or tracking consumers seeking healthcare services
• collecting consumer health data
• sending notifications, messages, or advertisements related to consumer health data or healthcare services

This broad application means that the restriction on geofencing technology is not limited to specific types of businesses, but includes any individual or entity using such technology in the specified manner around healthcare services.

Healthcare services under the regulation mean any service provided to a person to assess, measure, improve, or learn about their mental or physical health. It includes, among other, things:

• individual health conditions, status, diseases, or diagnoses
• social, psychological, behavioral, and medical interventions
• health-related surgeries or procedures
• use or purchase of medication
• bodily functions, vital signs, symptoms, or measurements of the information included under the definition
• diagnoses or diagnostic testing, treatment, or medication
• reproductive healthcare services
• gender-affirming care services

The Washington Attorney General is empowered to enforce the Washington MHMDA. Violations of the regulation are considered violations of the Washington Consumer Protection Act (CPA), which entitles the Attorney General to pursue actions against noncompliant entities. The Attorney General’s office has the authority to seek civil penalties of up to USD 7,500 per violation.

Unlike many other state privacy laws, the Washington MHMDA grants a private right of action for consumers to seek damages. This means that consumers can directly sue regulated entities and small businesses for actual damages suffered as a result of violations, as well as court fees and attorney’s fees. The court can award treble damages, capped at USD 25,000.

The regulation establishes a joint committee to review enforcement actions brought by the Attorney General and consumers. The joint committee must submit a report of its findings and recommendations to the Governor and the appropriate committees of the legislature by September 30, 2030.

The provisions related to the review of enforcement actions expire on June 30, 2031.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.