The Washington "My Health My Data" Act (MHMD) was passed by the Washington State Legislature in 2023 and is aimed at revamping health data ownership and privacy. The law details specific requirements that regulated entities must comply with in their use and collection of personal health data. The Act is significant because it is the first of its kind to add an extra layer of protection on top of what is already required by the Health Insurance Portability and Accountability Act (HIPAA).
The Scope of the My Health My Data Act
MHMD applies to all regulated entities. Regulated entities are defined as:
- Any legal entity that conducts business in the state, or sells their goods to Washington consumers, and
- Directs the purpose and means of collection, processing, sharing and/or selling of their personal data
Essentially it covers all consumers whose data is collected in Washington. It also may apply to small businesses based on revenue thresholds as well as the total number of consumers whose data is collected in the course of their business. Government agencies, contracted service providers and tribal nations are not included in the Act.
Authorization by Consumers
Regulated entities commit violations if they sell or offer to sell consumer health data without first securing valid authorization from the affected consumer. Health data is defined by the Act as, "personal information that is linked or reasonably linkable to a consumer that identifies the consumer's past, present, or future physical or mental health status." The Act goes on to list examples of physical or mental health status:
- General health data
- Information about interventions
- Health-related data
- Gender-affirming care information and services
- Reproductive or sexual health information
- Biometric data
- Genetic data
- Precise location information
If a consumer authorizes the sale of their consumer health data, both the seller and the purchaser of the data are required to retain a copy of the authorization for 6 years. In addition, the Act empowers consumers to revoke authorization and have their consumer health data deleted from a network, including archived or backup systems.
Inferences Regarding Consumer Health Data
Information that does not identify a consumer's past, present, or future physical or mental health status does not fall within the Act's definition of consumer health data. For example, information relating to the purchase of certain personal hygiene products ordinarily would not be considered consumer health data, unless the purchase data is used to make other inferences about the individual's health.
Limits on Geofencing
Geofencing is the use of GPS or RFID technology to create a virtual geographic boundary, enabling software to trigger a response when a mobile device enters or leaves a particular area. This is commonly utilized to push out targeted ads to consumers. Section 10 of the Act prohibits the use of a geofence around any entity that provides in-person healthcare services "where the geofence is used to:
- Identify or track consumers seeking healthcare services
- Collect consumer health data from consumers, or
- Send notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services."
Broad Application to Companies Located Outside Washington but Doing Business Inside the State
All persons and businesses that conduct business in Washington (or provide services or products in Washington), and that collect, process, share, or sell consumer health data are governed by the Act. It identifies the following criteria:
- Conducts business in Washington and
- Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data
- An entity that only stores data in Washington is not a regulated entity
Enforcement
Section 11 of the Act provides that any violation is a per se violation of the Washington Consumer Protection Act (CPA), RCW 19.86, which may be enforced by the Attorney General as well as through a private action, including class actions. Litigants may recover attorney fees and treble damages up to $25,000.
Effective Dates
The MHMD includes effective dates on a section-by-section basis. The FAQs recently published by the Washington State Office of the Attorney General explain the dates as follows: "All persons, as defined in the Act, must comply with section 10 beginning July 23, 2023. Regulated entities that are not small businesses must comply with sections 4 through 9 beginning March 31, 2024. Small businesses, as defined in the Act, must comply with sections 4 through 9 beginning June 30, 2024. For sections 4 through 9, the effective dates apply to the entirety of the section and are not limited to the subsections in which the effective dates appear."
Key Takeaways Moving Forward
The My Health My Data Act seeks to empower individual patients in the use and access of their private health information. The drafters' hope was that by granting patients greater autonomy and control, the trust between patients, healthcare providers and custodians of data could be improved. The Act strives to create a more transparent, patient-centered healthcare data privacy system that prioritizes not only data security, but also fosters innovation and enables patients to make more informed decisions about their own personal health data. Following are the key takeaways of the MHMD:
Data Access: The Act is focused on individuals' rights to access their personal health data easily and securely. The law outlines ways to increase the portability of health insurance between healthcare providers without compromising accessibility or data security for the consumer. In addition, the law hopes to make health information more easily accessible to patients.
Consent: A basic tenet of the Act is the principle of informed consent. It explicitly requires informed consent for the collection, sharing and use of personal health information. This gives consumers added control over who can access their data and how it may be used.
Transparency: Covered healthcare businesses must maintain transparency regarding their data privacy practices and take proper accountability measures should a breach or violation of the Act occur. In addition, Section 4(1)(b) requires that "a regulated entity and a small business shall prominently publish a link to its consumer health data privacy policy on its homepage."
Encouragement of Medical Research and Innovation: While the Act's primary purpose is to safeguard patient data privacy, it also seeks to promote responsible data sharing for research and to provide holistic medical care to patients by enabling different medical professionals to easily share information without jeopardizing privacy.
Businesses should audit all sources of data collection to ensure that they are in compliance with the requirements of the MHMD Act. The attorneys at Wood Smith Henning & Berman are well-versed on the ins and outs of these new requirements and welcome your questions. Please do not hesitate to reach out to a member of our team if we can