6 Things to Know About Washington’s My Health My Data Law

8 minute read | May.09.2023

The state of Washington recently enacted My Health My Data (“MHMD”), a game-changing new consumer privacy law focused on health data. MHMD establishes an expansive notice and consent regime for consumer health data with far-reaching implications beyond the state of Washington.

Below, we’ve outlined six things you need to know about MHMD, including the key takeaways and next steps for your privacy compliance program:

  1. Who Is Regulated?

    MHMD applies to two types of entities (collectively, “Covered Entities”):

    • “Regulated Entities”: any legal entity that (a) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington, and (b) alone or jointly with others, determines the purposes and means of collecting, processing, sharing or selling consumer health data.
    • “Small Businesses”: Regulated Entities that (i) collect, process, sell or share consumer health data of fewer than 100,000 consumers during a calendar year or (ii) derive less than 50 percent of gross revenue from the collection, processing, selling or sharing of consumer health data and control, process, sell or share consumer health data of fewer than 25,000 consumers.

    MHMD does not exempt nonprofits and there are no entity-level exclusions other than for government agencies. Importantly, MHMD’s broad definition of “collect” (i.e., buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving or otherwise processing) expands the scope of MHMD to a wider range of Covered Entities and potentially reaches far beyond traditional digital health care companies located in Washington.

  2. What Data Is Covered?

    MHMD was originally proposed to protect information regarding reproductive health services and gender-affirming care. The final law, however, applies to all “consumer health data,” which encompasses an enormous spectrum of information including “biometric data,” “precise location information,” “health care services,” “information about bodily functions and vital signs,” “data about consumer seeking health care services” and “physical or mental health status.” Notably, the definition of “consumer health data” also includes a catchall for “any information” that a Covered Entity processes to associate or identify a consumer with consumer health data that is derived or extrapolated from non-health information.

    MHMD’s definition of “consumer health data” appears to be significantly broader than the definitions of health information in other federal or comprehensive state privacy laws and likely further expands the scope of legal entities that may be considered a Covered Entity. Even businesses that may not consider themselves health care companies may fall in the scope of MHMD due to the expansive nature of covered data (including retail stores with pharmacies or otherwise selling over-the-counter medication and rental car companies providing accessibility features).

    Importantly, though, MHMD does not apply to data already subject to federal law, such as protected health information subject to HIPAA and financial data under the GLBA. However, the exemptions are limited and are applied at the data level, not the entity level (except for government agencies). Lastly, the definition of a “consumer” applies to a natural person who acts only in an individual or household context, and explicitly excludes individuals acting in an employment context.

  3. What Are the Obligations?

    MHMD creates a new notice and consent regime where Covered Entities must:

    • Maintain a Consumer Health Data Privacy Policy. MHMD requires companies to maintain a “consumer health privacy policy” which, without any further guidance, appears to be a separate and distinct policy from a company’s existing general website privacy notice (including given the requirement to prominently publish a link to the consumer health data privacy policy on the Covered Entity’s homepage). The health data privacy policy must include:

      • the categories of consumer health data collected and the purposes for which the data is collected, including how it will be used;
      • the categories of sources from which the consumer health data is collected;
      • the categories of consumer health data that is shared;
      • a list of the categories of third parties and specific affiliates with whom the Covered Entity shares consumer health data; and
      • how consumers can exercise the rights granted under MHMD.
    • Acquire Consent to Collect or Share Consumer Health Data. Companies must obtain consumers’ consent before collecting any consumer health data for a specified purpose or before sharing consumer health data (consent to share must be separate and distinct from the consent to collect consumer health data). However, companies may collect and share consumer health data without consent to the extent necessary to provide a requested product or service.
    • Collect Valid Authorization to Sell Consumer Health Data. In order to sell or offer to sell consumer health data, a Covered Entity must obtain valid authorization from a consumer. Valid authorization includes, among other requirements, the specific consumer health data to be sold, contact information for the person(s) collecting, selling or purchasing the consumer health data, the consumer’s signature, and a one-year expiration date. Importantly, the definition of “sell” mirrors the California Consumer Privacy Act’s broad definition of the exchange of consumer health data for “monetary or other valuable consideration.” Given the onerous valid authorization requirements, plus the expansive definition of a data “sale,” it will be challenging for Covered Entities to engage not only in data sales (as typically defined), but also in activities such as conducting analytics or engaging in targeted advertising absent a service provider agreement with third parties.
    • Grant Consumer Requests. Subject to several requirements, MHMD grants consumers the following privacy rights:

      • Right to Access: Consumers have the right to access the information a company collects or processes about them and a list of all third parties and affiliates with whom a Covered Entity has shared or sold consumer health data;
      • Right to Withdraw Consent: A consumer has the right to withdraw consent from a company’s collection and/or sharing of their consumer health data;
      • Right to Deletion: Consumers have the right to direct a Covered Entity, and its affiliates, processors, contractors and other third parties with whom it has shared consumer health data, to delete the consumer health data maintained about the consumer, with limited exceptions.
    • Implement Security Measures. Covered Entities must restrict access to consumer health data to those employees, processors or contractors necessary to further the purposes for which the consumer provided consent or where necessary to provide a product or service the consumer has requested. Further, Covered Entities must implement administrative, technical and physical data security practices that satisfy a reasonable standard of care within the industry to protect consumer health data, based on the volume and nature of the data at issue.
    • Enact Contracts. A processor may only process consumer health data pursuant to a binding contract with a Covered Entity that includes required security and privacy provisions, including limiting the actions the processor may take with respect to the consumer health data.
    • Refrain from Using Geofences. MHMD prohibits the use of geofences (such as digital location-based trackers that show ads according to a person’s proximity to a designated location) when used for identifying or tracking consumers seeking a broad array of “health care services,” collecting consumer health data, or sending notifications or ads to a consumer related to their consumer health data or health care services. Unlike other obligations under MHMD, the geofencing prohibition does not have a consent exception.

  4. How Is MHMD Enforced?

    MHMD states that any violation of its provisions constitutes an “unfair or deceptive act in trade or commerce and an unfair method of competition” under Washington’s Consumer Protection Act. Enforcement actions can be brought by the Washington Attorney General, and consumers have a private right of action.

  5. When Does MHMD Go Into Effect?

    Notably, and unlike the other obligations enumerated in the law, MHMD’s prohibition on geofencing does not include an effective date, which means that, by default rule in Washington, the prohibition goes into effect 90 days from the end of the current legislative session, on July 22, 2023.

    For all of MHMD’s other requirements, Regulated Entities must comply with MHMD by March 31, 2024, and Small Businesses have until June 30, 2024, to implement their compliance programs.

  6. What Should Companies Do Now?

    Companies should:

    1. Determine whether you are within the scope of the law. The definitions of Covered Entities are broad and include a wide range of data processing activities taking place in or related to residents of the state of Washington.

    2. Identify whether you collect any “consumer health data.” Once you determine that you may be within the scope of being a Covered Entity, consider whether your data collection activities fall within the scope of the huge umbrella of “consumer health data.” Even companies that are not traditionally health care-focused may be collecting covered data.

    3. Stop using geofences. Due to the rapidly approaching effective date, Covered Entities must immediately assess and, as applicable, halt their use of geofencing. Creating a “virtual boundary” around any entity that provides in-person “health care services” is expressly prohibited, regardless of consumer consent.

    4. Build a compliance program. Covered Entities should address the next set of MHMD’s obligations. This includes:

      • building your health data privacy policy,
      • updating, as necessary, your third-party agreements including data processing agreements, and
      • building up your internal infrastructure to respond to the newly granted consumer privacy rights requests.

    5. Be ready. With its private right of action and inclusion of biometric data, we expect MHMD to open up a new avenue of litigation risk for companies.

Orrick’s Cyber, Privacy & Data Innovation Group helps clients review their state and federal compliance programs, assess the impact of legislative updates on their data processing activities and update their website disclosures and internal data flows in light of regulatory guidance and litigation trends. If you have any questions, please contact an Orrick team member for additional guidance.