Alive and Kicking: Washington State’s My Health My Data Act Goes into Effect Today

Today Washington State’s landmark My Health My Data Act (MHMD) goes into effect, marking a new chapter in state regulation of health data. In an age where more and more of our health-related data is being managed through apps, devices, and online services, MHMD imposes strict privacy obligations on companies and creates a private right of action to bolster enforcement. We believe this law will help to better secure people’s most sensitive information and will impact a wide range of data collection and data use practices in the context of health apps and other health-related services. These new protections are much needed because most health-related commercial data collection falls outside of the scope of Health Insurance Portability and Accountability Act (HIPAA).

Important Provisions of the My Health My Data Act

Washington’s My Health, My Data law requires companies to take meaningful steps to protect the privacy and security of health data. The law imposes privacy requirements that are as strict or stricter than other state laws in the U.S.  

1. The law requires companies to strengthen data security, comply with consumer privacy rights to access and delete data, and maintain and post a detailed consumer health data privacy policy on their website. This requirement is similar to what other comprehensive state privacy laws have done.
2. But the MHMD also includes new provisions that are more restrictive. Covered entities are obligated to obtain express opt-in consent before sharing or processing health data. Where many privacy laws rely on boilerplate “notice and consent” or more indirect opt-out mechanisms, the MHMD requires formal opt-in consent. This requirement injects friction to slow the pace of health data collection, processing, and transfers. And companies must obtain a separate, signed authorization before selling health data to third parties. The law goes further to limit downstream use of health data by obligating companies to execute specific contracts with third parties limiting use; these contracts set forth processing instructions and limitations.
3. Finally, MHMD prohibits strict limitations on certain uses of geolocation data. Specifically, the law limits use of geofencing within 2,000 feet of an entity providing in-person health care services if the geofence is used to identify or track consumers, collect health data, or to send notifications or advertisements to consumers related to their health data or seeking health services. Geofencing is technology that can establish a boundary around a physical location or locate a consumer within this virtual boundary. Importantly, this provision does not have a consent exception and it applies to all entities, not just covered entities.

There are two definitions that are key to understanding the scope of the law: covered entities and consumer health data. MHMD applies to any entity that conducts business in Washington or makes products targeted at consumers in Washington. The entity must also determine the purpose and means of collecting, using or selling the consumer health data. This second layer of the definition acts a knowledge requirement, in that the covered entity must not just conduct business or target consumers in Washington State, it also must know and have the ability to determine the means to collect, process or sell consumer health data. This provision reflects the commonly accepted data controller/processor framework being implemented in Europe under GDPR and in the U.S. under California, Colorado and Connecticut state comprehensive laws, among others.

The MHMD expands on the common controller / processor framework by covering a broadly defined category of “consumer health data.” The term consumer health data (CHD) is defined in the MHMD expansively to include a non-exhaustive list of examples. The core of the definition is that the consumer’s personal informationmust identify the consumer’s past, present or future physical or mental health status to be considered CHD. CHD also includes location information that would reveal a consumer’s intention to receive health services or supplies. The definition further includes inferences drawn from data – that is not itself consumer health data – that would identify or associate a consumer with CHD. For example, retail information about a consumer purchasing certain products that would infer pregnancy status could be considered CHD.

Beyond HIPAA: Providing Protections for Otherwise Unprotected Health Data

The My Health, My Data Act will have a major impact on the privacy of health-related data because it provides much stronger and broader protections than HIPAA. Without a comprehensive data privacy law, consumers are left without serious federal privacy protections as most commercial data collection falls outside of the scope of sector-specific laws like HIPAA, which governs the use of personal health information in the context of a patient-provider relationship. Where Congress has not passed a comprehensive privacy bill at the and HIPAA falls short, states have the opportunity to fill in the gaps. That is what Washington has done with MHMD.

Data about a person’s browsing habits, location, use of apps, and other online activities can reveal a great deal about their sensitive health information. By defining CHD to broadly include any information that identifies a consumer’s past, present or future health conditions, MHMD provides protections for consumer health data are not covered by HIPAA. This is especially important for the millions of data points that exist in the commercial surveillance ecosystem which may not be particularly revealing on their own, but when combined can reveal sensitive health information about a person.

Left unprotected by HIPAA, the unauthorized use or disclosure of sensitive health information about a person, like whether an individual sought abortion care, can pose serious consequences. For example, In the aftermath of U.S. Supreme Court’s overturning of the constitutional right to abortion in Dobbs v. Jackson Women’s Health Organization, the sale of location data poses a unique threat to the safety of abortion patients and providers and undermines reproductive privacy. However, the sale of location data that would indicate that a person sought abortion care would likely fall outside of HIPAA’s scope. My Health My Data Act’s findings articulate this common misconception: “Washingtonians expect that their health data is protected under laws like the health information portability and accountability act (HIPAA). However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections.” The commercial collection and use of sensitive health information, which would otherwise not be protected by HIPAA, will now be subject to the restrictions provided in MHMD. These strong collection, processing, and retention limitations are an important mechanism to protect consumer privacy and prevent sensitive information, like information that could reveal whether a person obtained an abortion, from unauthorized disclosure.

What’s Next?

Eyes will likely remain on Washington state to evaluate the efficacy of MHMD’s strong enforcement provisions. A violation of MHMD is a per se violation of the Washington State Consumer Protection Act. MHMD will be enforced by Washington’s Attorney General as well as through a private right of action. MHMD is the first modern privacy law to have a strong private right of action that covers unlawful processing of data. While we have already seen the significant impact of private rights of action for data breach in California or under the Biometrics Information Privacy Act in Illinois, we anticipate that the private right of action in Washington’s MHMD will bolster enforcement against misuse of health-related data. Due to its expansive definitions for covered entities and CHD, MHMD puts companies all around the country who provide services to Washington State residents on notice to take privacy safeguards for CHD seriously. Moreover, Nevada and Connecticut have also passed health data privacy legislation, reflecting the momentum to provide consumers with privacy safeguards for sensitive health data. EPIC will continue to monitor MHMD and other emerging privacy laws across the country.