6 Things to Know About Washington’s My Health My Data Law

8 minute read | May.09.2023

The state of Washington recently enacted My Health My Data (“MHMD”), a game-changing new consumer privacy law focused on health data. MHMD establishes an expansive notice and consent regime for consumer health data with far-reaching implications beyond the state of Washington.

Below, we’ve outlined six things you need to know about MHMD, including the key takeaways and next steps for your privacy compliance program:

Who Is Regulated?

MHMD applies to two types of entities (collectively, “Covered Entities”):
- “Regulated Entities”: any legal entity that (a) conducts business in Washington or produces, or provides products or services, that are targeted to consumers in Washington and (b) alone or jointly with others, determines the purposes and means of collecting, processing, sharing or selling consumer health data.
- "Small Businesses”: Regulated Entities that (i) collect, process, sell or share consumer health data of less than 100,000 consumers during a calendar year or (ii) derive less than 50 percent of gross revenue from the collection, processing, selling or sharing of consumer health data and control, process, sell or share consumer health data of less than 25,000 consumers.
MHMD does not exempt nonprofits and there are no entity-level exclusions other than for government agencies. Importantly, MHMD’s broad definition of “collect” (i.e., buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving or otherwise processing) expands the scope of MHMD to a wider range of Covered Entities and potentially reaches far beyond traditional digital health care companies located in Washington.

What Data Is Covered?

MHMD was originally proposed to protect information regarding reproductive health services and gender-affirming care. The final law, however, applies to all “consumer health data,” which encompasses an enormous spectrum of information including “biometric data,” “precise location information,” “health care services,” “information about bodily functions and vital signs,” “data about consumer seeking health care services” and “physical or mental health status.” Notably, the definition of “consumer health data” also includes a catchall for “any information” that a Covered Entity processes to associate or identify a consumer with consumer health data that is derived or extrapolated from non-health information.

MHMD’s definition of “consumer health data” appears to be significantly broader than the definitions of health information in other federal or comprehensive state privacy laws and likely further expands the scope of legal entities that may be considered a Covered Entity. Even businesses that may not consider themselves health care companies may fall in the scope of MHMD due to the expansive nature of covered data (including retail stores with pharmacies or otherwise selling over-the-counter medication and rental car companies providing accessibility features).

Importantly, though, MHMD does not apply to data already subject to federal law such as protected health information subject to HIPAA and financial data under the GLBA. However, the exemptions are limited and are applied at a data—and not entity—level (except for government agencies). Lastly, the definition of a “consumer” applies to a natural person who acts only in an individual or household context, and explicitly excludes individuals acting in an employment context.

What Are the Obligations?

MHMD creates a new notice and consent regime where Covered Entities must:
- Maintain a Consumer Health Data Privacy Policy. MHMD requires companies to maintain a “consumer health privacy policy” which, without any further guidance, appears to be a separate and distinct policy from a company’s existing general website privacy notice (including given the requirement to prominently publish a link to the consumer health data privacy policy on the Covered Entity’s homepage). The health data privacy policy must include:
  - the categories of consumer health data collected and the purposes for which the data is collected, including how it will be used;
  - the categories of sources from which the consumer health data is collected;
  - the categories of consumer health data that is shared;
  - a list of the categories of third parties and specific affiliates with whom the Covered Entity shares consumer health data; and
  - how consumers can exercise the right granted under MHMD.
- Acquire Consent to Collect or Share Consumer Health Data. Companies must obtain consumers’ consent before collecting any consumer health data for a specified purpose or before sharing consumer health data (consent to share must be separate and distinct from the consent to collect consumer health data). However, companies may collect and share consumer health data without consent to the extent necessary to provide a requested product or service.
- Collect Valid Authorization to Sell Consumer Health Data. In order to sell or offer to sell consumer health data, a Covered Entity must obtain valid authorization from a consumer. Valid authorization includes, among other requirements, the specific consumer health data to be sold, contact information for the person(s) collecting, selling or purchasing the consumer health data, the consumer’s signature, and a one-year expiration date. Importantly, the definition of “sell” mirrors the California Consumer Privacy Act’s broad definition of the exchange of consumer health data for “monetary or other valuable consideration.” Given the onerous valid authorization requirements, plus the expansive definition of a data “sale,” it will be challenging for Covered Entities to engage in not only data sales (as typically defined), but also in activities such as conducting analytics or engaging in targeted advertising absent a service provider agreement with third parties.
- Grant Consumer Requests. Subject to several requirements, MHMD grants consumers the following privacy rights:
  - Right to Access: Consumers have the right to access the information a company collects or processes about them and a list of all third parties and affiliates with whom a Covered Entity has shared or sold consumer health data;
  - Right to Withdraw Consent: A consumer has the right to withdraw consent from a company’s collection and/or sharing of their consumer health data;
  - Right to Deletion: Consumers have the right to direct a Covered Entity, and its affiliates, processors, contractors and other third parties with whom they have shared consumer health data, to delete the consumer health data maintained about the consumer, with limited exceptions.
- Implement Security Measures. Covered Entities must restrict access to consumer health data to employees, processors or contractors necessary to further the purposes for which the consumer provided consent or where necessary to provide a product or service the consumer has requested. Further, Covered Entities must implement administrative, technical and physical data security practices to satisfy a reasonable standard of care within the industry to protect consumer health data based on the volume and nature of data at issue.
- Enact Contracts. A processor may only process consumer health data pursuant to a binding contract with a Covered Entity that includes required security and privacy provisions, including limiting the actions the processor may take with respect to the consumer health data.
- Prohibit the Use of Geofences. MHMD prohibits the use of geofences (such as digital location-based trackers that show ads according to a person’s proximity to a designated location) when used for identifying or tracking consumers seeking a broad array of “health care services,” collecting consumer health data or sending notifications or ads to a consumer related to their consumer health data or health care services. Unlike other obligations under MHMD, the geofencing prohibition does not have a consent exception.
How Is MHMD Enforced?

MHMD states that any violation of its provisions constitutes an “unfair or deceptive act in trade or commerce and an unfair method of competition” under Washington’s Consumer Protection Act. Enforcement actions can be brought by the Washington Attorney General, and consumers have a private right of action.
When Does MHMD Go Into Effect?

Notably and unlike the other obligations enumerated in the law, MHMD’s prohibition on geofencing does not include an effective date which means, by default rule in Washington, the prohibition goes into effect 90 days from the end of the current legislative session—on July 22, 2023.

For all other of MHMD’s requirements, Regulated Entities must comply with MHMD by March 31, 2024, and Small Businesses have until June 30, 2024, to implement their compliance programs.
What Should Companies Do Now?

Companies should:
1. Determine whether you are within the scope of the law. The definitions of Covered Entities are broad and include a wide range of data processing activities taking place in or related to residents of the state of Washington.
2. Identify whether you collect any “consumer health data.” Once you determine that you may be within the scope of being a Covered Entity, consider whether your data collection activities fall within the scope of the huge umbrella of “consumer health data.” Even companies that are not traditionally health care-focused may be collecting covered data.
3. Stop using geofences. Due to the rapidly approaching effective date, Covered Entities must immediately assess and, as applicable, halt their use of geofencing. Creating a “virtual boundary” around any entity that provides in-person “health care services” is blatantly prohibited—regardless of consumer consent.
4. Build a compliance program. Covered Entities should address the next set of MHMD’s obligations. This includes:
  - building your health data privacy policy,
  - updating, as necessary, your third-party agreements including data processing agreements, and
  - building up your internal infrastructure to respond to the newly granted consumer privacy rights requests.
5. Be ready. With its private right of action and inclusion of biometric data, we expect MHMD to open up a new avenue of litigation risk for companies.

Orrick’s Cyber, Privacy & Data Innovation Group helps clients review their state and federal compliance programs, assess the impact of legislative updates on their data processing activities and update their website disclosures and internal data flows in light of regulatory guidance and litigation trends. If you have any questions, please contact an Orrick team member for additional guidance.

Authors

Thora Johnson Partner, Cyber Privacy and Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Cyber Privacy and Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora has extensive experience counseling clients on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans
Price transparency and surprise billing rules applicable to hospitals and health plans

Kyle Kessler Senior Associate, Cyber Privacy and Data Innovation, Global Compliance & Regulatory

Los Angeles

See my bio

M:+1 310 251 5299
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber Privacy and Data Innovation
Global Compliance & Regulatory
Technology Transactions
Technology & Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kyle Kessler Senior Associate

Los Angeles

Kyle advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, social media and technology on a range of EU and U.S. federal and state privacy laws. Kyle’s strategic counseling advice includes, but is not limited to:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Consumer health privacy laws, including Washington’s My Health My Data
US data broker laws, including California's Delete Act
Children's Online Privacy Protection Act (COPPA)
Computer Fraud and Abuse Act (CFAA)
Contest and Sweepstakes Laws
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
Europe (EU) General Data Protection Regulation (GDPR)
EU e-Privacy Directive
UK's Age Appropriate Design Code (Children's Code)
False, Misleading, or Deceptive Acts or Practices
Federal Trade Commission Act (FTC)
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Restore Online Shoppers' Confidence Act (ROSCA)
Retail Sales Laws
Advertising and Payment Card Self-Regulatory Frameworks
State Breach Notification and Security Laws
Telephone Consumer Protection Act (TCPA)

Kyle works with clients to develop internal privacy and security compliance programs, including assisting with privacy audits and data mapping, valuating privacy and security risks in corporate transactions, advising companies through the full pre-IPO and post IPO diligence cycle, drafting and negotiating data-related vendor and arrangement contracts, meeting with teams to assist with privacy by design, developing internal and external privacy policies for employees, customers, and contractors, drafting and training on the implementation of consumer rights requests, and developing comprehensive security programs and policies.

She partners with her clients to provide practical business counsel, with an in-house and outside counsel perspective. She regularly counsels startups and tech companies through the funding life cycle, or in connection with the launch of innovative technology, products, or platforms. Kyle's background in marketing, publication relations and communications enhances the consumer protection support she provides clients. She drafts disclosure and consent frameworks in compliance with privacy and consumer protection regulations. Kyle also helps develop, implement, administer regulatory compliance programs for all aspects of promotional and customer-facing activities, including:

Contests and sweepstakes
Direct mail, email, in-store and online, social media and text messaging advertisements and marketing campaigns
Gift cards
Influencer and social media agreements and endorsements
Price comparisons
Print advertisements and product placements
Reward and loyalty programs

Kyle is active in the LGBTQ+ community and helps lead Orrick's LGBTQ+ Attorney Affinity Group. She was also selected to participate in the Leadership Council on Legal Diversity's (LCLD) 2022 Pathfinders Program.

Before joining Orrick, Kyle was an in-house attorney at a company named to Forbes' 100 Largest Private Companies list.

Alyssa Wolfington Managing Associate, Cyber Privacy and Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 212 506 5000
E: [email protected]

Practice:

Cyber Privacy and Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Alyssa Wolfington Managing Associate

New York

Alyssa navigates clients through privacy programs and policy creation, and provides guidance on compliance with federal, state and international laws and regulations, including the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws. She advises clients on security incident response and federal and state investigations related to privacy and data security. She also provides assessments of privacy and security practices for companies carrying out due diligence in the context of corporate transactions.

Related Areas

Markets

Seattle