Washington’s My Health My Data Act (MHMD Act) regulates businesses and service providers that process or collect consumer health data from state residents. The act’s broad definition of “health data” carries compliance implications for a wide range of entities, including many that fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA).
Examples of businesses that may be required to comply with the MHMD Act include those that manufacture fitness tracking equipment, manage fitness centers, or indirectly collect consumer health data.
The Washington State Government and Governor Jay Inslee enacted the MHMD Act on April 27, 2023. The act will become effective for small businesses on June 30, 2024, and March 31, 2024, for all other regulated entities.
Scope of the My Health My Data Act
The MHMD Act applies to any entity that conducts business in Washington, targets resident consumers throughout Washington state, or makes decisions concerning the processing of health data of state residents.
Unlike other state privacy laws, such as the California Consumer Privacy Act (CCPA), the MHMD Act does not require entities to conduct business with a minimum number of consumers or meet any revenue threshold to be held accountable for compliance. Therefore, the MHMD Act also applies to nonprofit organizations and small businesses.
When Washington drafted the MHMD Act, it intended to protect swaths of consumer health data that HIPAA did not cover. However, given the broad definitions the act holds, a wide variety of organizations may find themselves accountable for the statutes and regulations the law issues.
Definition of Consumers
The MHMD Act grants and protects the health data rights of “consumers,” defined by the law as any natural person who resides in Washington State or whose data is collected throughout the state. This definition is limited to consumers acting in an individual or household context.
The MHMD Act explicitly excludes protections for the data of individuals operating in a commercial or employment context.
Consumer Rights
The MHMD Act protects the data privacy of consumers by granting several rights. Under the MHMD Act, Washington consumers have the right to:
- Know if an entity is collecting or selling consumer health data
- Access their personal data after collection
- Delete or correct inaccuracies in their personal data
- Opt out of the collection of their personal health data
Consumer Health Data
The MHMD Act defines consumer health data as any type of personal information that may be linked to a consumer and reveals their past, present, or future physical or mental health status.
Unlike other health privacy laws, which focus on personal data collected by healthcare providers during health services or congruent with the exchange of monetary funds, the MHMD Act applies broadly. The act’s scope regulates a wide array of personal health information.
The law lists various examples of personal data that an entity could use to make inferences on an individual’s health status, including:
- Physical health conditions, diagnosis, or treatment
- Prescribed medicine use
- Surgeries or procedures
- Bodily functions, vital signs, or other measurements of health data
- Biometric data
- Genetic data
- Precise location information (house address)
- Identifiers that reveal reproductive or sexual health information
- Gender-affirming care information
- Information that reveals an individual is seeking medical treatment, diagnosis, or additional health care services
- Any non-health information or secondary data that is processed to reveal consumer health data or link health-related data to a legal entity or identifiable individual
Applicability
In many ways, the scope of the MHMD Act is unique. The act’s broad definitions (health data and consumers) and sweeping data regulations (data of Washington residents and data collected inside the state) will require compliance from a list of unique businesses.
Examples of businesses that the MHMD Act may potentially regulate include:
- Retailers that sell over-the-counter medications, first-aid equipment, birth control, or feminine products (even if these sales result in a fraction of their overall business)
- Mobile apps that facilitate third-party shopping and task completion from retailers mentioned above
- Fitness studios that track fitness progression or fitness-related injuries
- Manufacturers that produce fitness tracking accessories (fitness watches, rings, health monitors, sleep monitors, etc.)
- Other businesses that collect health data and allow the processing of data for ad tracking or targeted advertising
Exemptions
Washington’s MHMD Act exempts government agencies, tribal nations, and government contractors who process consumer health data.
The act also restricts certain types of data from its protections. The MHMD Act excludes “protected health information” subject to HIPAA, employee data, de-identified data, data governed by the Gramm-Leach-Bliley Act (GLBA), and publicly available data.
Note: Businesses that process exempt data are still subject to the requirements of the MHMD Act for any non-exempt data. Businesses that process a large amount of consumer health data should be careful when considering if it is eligible for an exemption.
Regulations of the MHMD Act
Entities subject to the MHMD Act must follow several data protection policies that allow consumers to choose how and when their personal health data is collected. The regulations set forth by the MHMD Act are similar to those enacted by several U.S. states within their comprehensive data privacy legislation.
The MHMD Act requires applicable businesses to follow the following regulations:
- Maintain an accurate and informative consumer privacy policy
- Request and receive consumer consent before collecting or sharing consumer health data
- Request and receive valid authorization before selling consumer health data
- Implement access controls to restrict data access to necessary parties
- Prohibit geofencing at all times
- Draft and enforce a data processing contract for each processor that controls, manages, or edits collected data
- Promptly respond to data access, correction, or deletion requests
Privacy Policy
All regulated entities must create a privacy policy communicating data collection and sharing practices to consumers. This policy must explicitly express what types of health data are collected, how this data is collected, its intended use, and the process by which consumers can opt out of the collecting, sharing, or processing of their personal health data.
Note: This privacy policy must be prominently displayed on the homepage of an entity’s website to fulfill compliance standards.
Consumer Consent
Entities regulated by the MHMD Act must receive consumer consent before collecting or sharing consumer health data. In addition, data controllers cannot share data with any additional third party before obtaining opt-in consent. Therefore, consumer consent is not transferable from one circumstance to another.
Geofencing
The MHMD Act defines geofencing as creating virtual geographic boundaries to promote targeted advertising, send notifications, or collect consumer data from individuals entering or exiting a virtual range. The act explicitly prohibits regulated entities, including those using artificial intelligence, from participating in geofencing in any manner.
Access Controls
Entities who collect personal health data must restrict access to only employees, processors, or contractors necessary to complete their obligations under the law or safeguard consumer data. The MHMD also tasks regulated entities with establishing, implementing, and maintaining data security practices that satisfy a reasonable standard of care to protect all consumer data.
Data Processing Contract
Data controllers enlisting the help of a third-party processor are required to draft, sign, and enforce a binding contract before either party participates in data processing activities. This contract must outline each party’s responsibilities under the law and set forth how and when a processor should process particular types of consumer data.
Enforcing the MHMD Act
The Washington Attorney General and district attorney’s office have the authority to enforce negligence of the MHMD as a violation of the Washington Consumer Protection Act (WCPA). Entities violating the MHMD may receive civil penalties of up to $7,500 per consumer affected.
The MHMD provides a 45-day cure period for entities to comply with consumer requests. Entities may extend this cure period an additional 45 days if necessary, given the complexity of the request and after properly notifying the consumer of such an extension. Any entity that violates this notice policy could be subject to additional enforcement action.
Private Right of Action
Unlike other privacy laws in the United States, the MHMDA also carves our private right of action for affected consumers. Under the law, affected individuals may seek “actual damages” of up to $25,000 at the court's discretion. The violating entity will also be subject to all court costs and attorney fees.
Effective Dates
Almost all provisions of the MHMDA will become effective on March 31, 2024. However, small businesses will have three more months to comply with the act. The MHMD Act will become effective for small businesses on June 30, 2024.
Note: The MHMDA’s geofencing provision does not list an effective date. According to Washington state law, any condition that does not explicitly list an effective date will become effective after 90 days from the legislative session in which the bill was passed (July 22, 2023).
Impact of the MHMD Act
The MHMD Act represents a significant shift in data privacy awareness in the United States. The Act’s broad scope, sweeping definitions, and short compliance window will immediately impact businesses across various industries. Organizations should begin to evaluate their obligations under the MHMD Act and draft a plan to achieve compliance by the Act’s effective date.
In the future, more U.S. states will likely work towards passing more stringent privacy laws that limit the collection, sharing, or processing of consumer data. Given the U.S. Supreme Court’s decision to overturn Roe vs. Wade, many state agencies will also pursue protections to ensure data confidentiality and protect the individual health rights of its residents.
How Can UpGuard Help?
UpGuard’s Vendor Risk technology empowers organizations to take control of their third-party risk by automating compliance risk assessments, receiving real-time updates to their security posture, and managing compliance (MHMDA, VCDPA, CCPA, GDPR, etc.) across their entire supply chain.
UpGuard’s BreachSight enables organizations to assess their data-handling processes under MHMD Act requirements. The product also allows businesses to proactively monitor their attack surface, gain confidence in their cybersecurity program, and protect their organization’s reputation.
