8 minute read | May.09.2023
The state of Washington recently enacted My Health My Data (“MHMD”), a game-changing new consumer privacy law focused on health data. MHMD establishes an expansive notice and consent regime for consumer health data with far-reaching implications beyond the state of Washington.
Below, we’ve outlined six things you need to know about MHMD, including the key takeaways and next steps for your privacy compliance program:
Who Is Regulated?
MHMD applies to two types of entities (collectively, “Covered Entities”):
MHMD does not exempt nonprofits and there are no entity-level exclusions other than for government agencies. Importantly, MHMD’s broad definition of “collect” (i.e., buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving or otherwise processing) expands the scope of MHMD to a wider range of Covered Entities and potentially reaches far beyond traditional digital health care companies located in Washington.
What Data Is Covered?
MHMD was originally proposed to protect information regarding reproductive health services and gender-affirming care. The final law, however, applies to all “consumer health data,” which encompasses an enormous spectrum of information including “biometric data,” “precise location information,” “health care services,” “information about bodily functions and vital signs,” “data about consumer seeking health care services” and “physical or mental health status.” Notably, the definition of “consumer health data” also includes a catchall for “any information” that a Covered Entity processes to associate or identify a consumer with consumer health data that is derived or extrapolated from non-health information.
MHMD’s definition of “consumer health data” appears to be significantly broader than the definitions of health information in other federal or comprehensive state privacy laws and likely further expands the scope of legal entities that may be considered a Covered Entity. Even businesses that may not consider themselves health care companies may fall in the scope of MHMD due to the expansive nature of covered data (including retail stores with pharmacies or otherwise selling over-the-counter medication and rental car companies providing accessibility features).
What Are the Obligations?
MHMD creates a new notice and consent regime where Covered Entities must:
How Is MHMD Enforced?
MHMD states that any violation of its provisions constitutes an “unfair or deceptive act in trade or commerce and an unfair method of competition” under Washington’s Consumer Protection Act. Enforcement actions can be brought by the Washington Attorney General, and consumers have a private right of action.
When Does MHMD Go Into Effect?
Notably and unlike the other obligations enumerated in the law, MHMD’s prohibition on geofencing does not include an effective date which means, by default rule in Washington, the prohibition goes into effect 90 days from the end of the current legislative session—on July 22, 2023.
For all other of MHMD’s requirements, Regulated Entities must comply with MHMD by March 31, 2024, and Small Businesses have until June 30, 2024, to implement their compliance programs.
What Should Companies Do Now?
Orrick’s Cyber, Privacy & Data Innovation Group helps clients review their state and federal compliance programs, assess the impact of legislative updates on their data processing activities and update their website disclosures and internal data flows in light of regulatory guidance and litigation trends. If you have any questions, please contact an Orrick team member for additional guidance.