Washington State Legislature Passes Health Data Privacy Law

April 18, 2023

The Washington State Legislature finalized passage Monday of the My Health My Data Act (MHMDA), the first state-level health data bill of its kind in the U.S. The bill now heads to Governor Jay Inslee’s desk for his signature to become law.

The MHMDA includes several strong provisions to protect consumer health data. In addition to requiring companies to obtain an individual’s express consent to collect, share or sell their health information, the bill also establishes consumer data rights to access and delete that information and to withdraw consent. MHMDA also requires detailed health data privacy policies and prohibits geofencing around certain health care locations. The Act can be enforced by both the Washington Attorney General’s Office and by individuals through a private right of action.

Notably, the scope of “consumer health data” covered by the MHMDA is fairly broad, defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” The definition goes on to list examples like prescription medications, diagnoses and health conditions, biometric data, and location information that would indicate a consumer’s attempt to receive health services, among other examples.

The passage of the MHMDA echoes recent momentum at the federal level concerning the protection of personal health data, including FTC enforcement actions and proposed legislation addressing health data security and privacy issues beyond the scope of HIPAA.  

If MHMDA becomes law, the law would gradually take effect between this summer and June 2024.

Support Our Work

EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.