The State of Washington appears close to enacting a new law that regulates the privacy of consumer health information. If passed, the new law – the My Health My Data Act (MHMDA) – would take effect March 31, 2024 and apply to non-governmental entities that collect, process, share, or sell health information that can be linked to an individual if that individual is a Washington resident or the information is collected in the State. Health information is defined to cover broad categories, such as symptoms, conditions, treatments, bodily functions, and testing, as well as more specific matters, such as behavioral interventions, gender-affirming and reproductive care, biometric and genetic data, and the precise location or other data that identifies an individual as seeking health care services. The law would apply to any organization that does business in Washington or targets Washington consumers and, alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data.
The New Rules. Entities that are subject to the MHMDA must disclose:
• What types of consumer health data they collect, why they collect it, and how it will be used,
• The sources of the consumer health data they collect,
• The types of consumer health data that they share,
• The specific affiliates and types of third parties with whom they share consumer health data,
• The ways in which consumers can exercise their rights with respect to their own health data, including the right to: (i) confirm the consumer health data that is being collected and shared; (ii) withdraw their consent for the use of the data; and (iii) have their data deleted by the entity and by others with whom the entity has shared the data.
A regulated entity generally may not collect, use, or share a consumer’s health data in a manner that has not been disclosed without first obtaining the individual’s informed consent.
No later than June 30, 2024, regulated entities must take certain actions to protect the consumer health data they maintain. They must restrict access to consumer health data to those who need it to fulfill an appropriate purpose, and they must also implement appropriate safeguards to protect the confidentiality, integrity, and accessibility of consumer health data.
Certain requirements extend to vendors engaged by a regulated entity to process data. A processor must have a binding contract with the regulated entity that sets forth processing instructions and limits. The processor must act in accordance with that contract and otherwise assist the regulated entity in meeting its privacy obligations under the MHMDA.
The MHMDA applies more broadly to prohibit any person from selling a consumer’s health data without obtaining the consumer’s written authorization and to ban “geofences,” which use spatial or location detection technology to establish a virtual boundary around a physical location or locate a consumer within a virtual boundary.
The law carves out exemptions for certain entities and types of information. Perhaps most significantly, information that is protected by certain other privacy laws, including HIPAA, is exempt from the requirements.
Implications. The MHMDA was initially proposed to ensure the privacy of reproductive health information in the wake of the Dobbs decision. But the law has some practical real-world effects that go beyond the initial purpose.
To begin, the proposed law is fairly broad. Any company that maintains an app that gathers individuals’ health data, other than as a business associate of a health care provider or health plan, will generally be subject to the new rules if it does business in Washington or targets Washington consumers. The “doing business” trigger is a staple of state privacy laws, like the California Consumer Privacy Act (CCPA), and state courts have typically interpreted the provision fairly broadly. Moreover, unlike the CCPA and other state privacy laws, the MHMDA does not require that covered entities satisfy other thresholds, such as a minimum annual revenue or volume of data processed, for the law to apply.
Although not as detailed as HIPAA in various respects, the rules extend beyond HIPAA in other ways. For example, the Washington law gives individuals the right to have their data deleted, which the HIPAA rules do not (and, for obvious reasons, would not) require of health care providers and health plans.
As drafted, the MHMDA would also complicate the use of website tracking technologies by covered entities to the extent those technologies capture health data. This has been a recent focus of the FTC, which has issued a pair of consent decrees against health tech companies that used tracking technologies to share health-related information with advertising partners. If such sharing is deemed a “sale” – as it would be under California law – the use of third-party tracking technologies like the Meta Pixel would require the consumer’s written authorization. Even if it is not a sale, the use of tracking technologies by covered entities to collect consumer health data would require written disclosures and, where the collection goes beyond what has been disclosed, the consumer’s consent.
Entities have approximately one year to comply with most of the new requirements. The rules will be enforced by the Washington Attorney General. Importantly, the proposed law would deem a violation to be an unfair or deceptive trade practice under Washington’s Consumer Protection Act, which would enable consumers to pursue a private right of action.