
Washington Benchmark Privacy Protections for WA My Health My Data Act – The 10 Most Important Questions for Businesses for this Consumer Health Data Law as the Law Approaches its Full Effective Date of March 31, 2024

[Contributors: Fisher Phillips, the Leavitt Group preferred partner for employment law, authors: Jeremy F. Wood and Annie Ziesing. Some content by Leavitt Group.]

Washington State lawmakers recently passed one of the most consequential pieces of privacy legislation in the country since the California Consumer Privacy Act (CCPA) was adopted in 2018, and it will soon require businesses to take significant action in order to stay in compliance. The Washington Senate voted to approve the My Health My Data Act (MHMDA) on April 5, 2023, after the House passed a similar bill in March. Governor Inslee signed it into effect in April 2023, expanding privacy rights for medical information – and expanding employer obligations – well beyond the federal HIPAA law. Here are the answers to the 10 biggest questions Washington businesses are likely to have – including what you need to do to comply.

Summary of Key Provisions

MHMDA imposes obligations and restrictions on regulated entities’ handling of consumer health data, including the following:

  • Health Data Privacy Policy: Regulated entities must link to an MHMDA-compliant privacy policy on their webpage that discloses their practices for health data collection and sets out consumers’ rights under the MHMDA.
  • Data Collection: Regulated entities cannot collect, use, or share a WA consumer’s health data or other data for purposes not disclosed in the organization’s health data privacy policy without first obtaining affirmative consent for the particular purpose of collection.
  • Data Sharing: Regulated entities cannot share WA consumer health data without consent, unless sharing is necessary to provide a product or service that the consumer specifically requested.
  • Data Selling: Revocable authorization is required prior to selling WA consumer health data.
  • Geofencing: Geofencing – drawing a virtual geographic boundary in order to target marketing at an individual entering or exiting that boundary – is prohibited around locations that provide health care services in WA.

1. What Entities Does the Act Cover?

HIPAA covers only a narrow set of entities, including health providers and others in the healthcare sector. Washington’s Act goes further than HIPAA and applies broadly to “regulated entities.” This is defined as any legal entity that:

  • conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington;
  • collects, shares, or sells Consumer Health Data (“CHD”); and
  • determines the purpose and means of the processing of CHD.

Like HIPAA, the Act also covers data processors. A processor can only process CHD pursuant to a contract with a regulated entity. If the processor violates or acts beyond the scope of its contract, it can be held liable to the same extent as a regulated entity for any violation of the Act.

2. What Data Does the Act Protect?

The Act protects CHD, defined as any information that links or reasonably links a consumer to their past, present, or future physical or mental health. This includes information about health conditions, treatment, diagnoses, surgeries, procedures, mental/behavioral health interventions, medication purchase or use, health measurements, gender-affirming care, reproductive and sexual health, biometrics, genetic data, and location data showing a consumer’s attempt to acquire or receive health services.

This last example (location data) could conceivably include any data showing a consumer’s visit to a grocery store, pharmacy, or e-commerce website selling pharmaceuticals or contraceptives. It also includes any of this information that is extrapolated from non-health information.

Protected CHD does not include de-identified information or information that is either protected by HIPAA or other federal or state law, or which such laws expressly permit a regulated entity to collect. CHD used in properly conducted scientific, historical, or statistical research is also excluded.

3. Who Does the Act Protect?

The Act protects the CHD of “consumers,” defined as natural persons who reside in Washington or whose health data is collected in Washington. As Washington is a major hub for cloud data storage, this definition could encompass many individuals whose only connection to the state is the presence of their data on Washington-based cloud platforms.

The Act’s definition of consumers expressly excludes consumers acting in their capacity as employees. It is unclear at this time how a court will decide when a consumer has provided CHD purely as a consumer and when they have done so as an employee. It is also undetermined how this exclusion will affect an employer’s liability when the employer acquires an employee’s CHD from a regulated entity.

4. How Will the Act Be Enforced?

Any consumer injured by a violation of the Act can bring a private action for damages and equitable relief under the Washington Consumer Protection Act. The Washington Attorney General also may file an action to enforce the Act.

5. What Must Covered Entities Include in Their Policies?

A regulated entity must maintain and publish a Consumer Health Data Privacy Policy on its internet homepage that discloses:

  • The categories of consumer health data the entity collects;
  • The purpose of collection;
  • The use of collected data;
  • The sources of collection;
  • The categories of data that may be shared;
  • The entities with whom data may be shared; and
  • A consumer’s rights under the Act.

Before a regulated entity collects, uses, or shares CHD in a way that departs from its own policy, it must first inform consumers and obtain their affirmative opt-in consent.

6. When Can a Regulated Entity Collect Consumer Health Data?

Regulated entities will need to obtain a consumer’s affirmative opt-in consent before collecting CHD, preferably in writing. Consumers may revoke this consent at any time.

The Act, however, provides several exceptions. Consent is not required when a regulated entity must collect CHD to provide a requested service or product, to detect or respond to security incidents, or to identify illegal activity.

Upon request from a consumer, regulated entities must confirm whether they are collecting CHD and allow the consumer to access their own CHD within 45 days. Regulated entities must provide this requested information twice annually for free but may charge a reasonable administrative fee should requests become excessive.

7. When Can a Regulated Entity Share or Sell Consumer Health Data?

A regulated entity can only share CHD internally with employees or processors on a need-to-know basis, consistent with the stated purpose for which the CHD was collected.

Regulated entities will only be able to share CHD externally with the consumer’s specific consent. Again, however, the Act includes exceptions where sharing is necessary to provide a requested product or service, or for security and safety purposes.

Whereas a regulated entity can share CHD based on opt-in consent given in various reasonable forms, it will require written consent before selling that CHD. That written consent must identify the CHD at issue, the name and online contact information for both buyer and seller, the purpose of the sale, the buyer’s intended use of the data, a statement that provision of goods and services is not conditional on the consumer granting consent, and a statement that the CHD may be redisclosed by the buyer to third parties without the protection of the Act.

Such written consent is valid for one year, and the consumer may revoke it at any time. Regulated entities must retain copies of these written consents for six years from the date of signature or from the date the consent was last effective, whichever is later.

As with information about collection, consumers may request confirmation whether a regulated entity is selling or sharing their CHD, and the regulated entity must respond within 45 days.

8. When Must a Regulated Entity Delete Consumer Health Data?

The Act includes a “right to be forgotten” broader than any counterpart on the planet. Consumers have the right to ask regulated entities to delete their CHD without limitation. Even the European Union’s General Data Protection Regulation (GDPR) allows a company holding data to decline a request for deletion when the company has a legal duty to preserve the records, or when such preservation furthers various public interests.

The Act’s broad deletion requirements may put regulated entities in a bind when a consumer requests deletion of CHD that the entities are legally obligated to maintain.

Facing a deletion request, regulated entities will have 30 days to comply, unless they can show that deletion would require restoring backup systems that may take longer. In complying with deletion requests, regulated entities will also have to direct any third parties who received the relevant data to delete it – so these requirements should be laid out in contracts with those third parties.

9. When Will the Act Come into Effect?

The effective date is staggered by section and by size of business. Most provisions come into force in March 2024, with small businesses seeing an effective date of June 30, 2024.

10. How Can Regulated Entities Prepare?

Consider the following action steps.

  • Review and revise your internet privacy policies;
  • Review or develop your opt-in procedures;
  • Implement annual consent reminders for data sales;
  • Implement procedures to delete CHD upon request;
  • Review your recordkeeping obligations to make policy determinations of when CHD must be deleted on request; and
  • Review where your CHD is stored as well as who processes it and how.