I. Introduction
Data privacy has been a fairly complex topic within the United States of America. Unlike the EU or other major western economies, the US does not have a comprehensive federal data privacy law that provides adequate privacy protection to its citizens. While there has been some progress, with a draft bill presented in the House and President Biden emphasizing the need for better data privacy in his latest State of the Union address, a GDPR-like federal law remains elusive.
Amidst all this, the states have taken it upon themselves to protect their citizens' digital data privacy rights. Since California passed its landmark CCPA, several other states have followed suit. On April 27, 2023, Washington became the latest state to do so after Governor Jay Inslee signed the My Health My Data Act (MHMDA).
The Act has been described as a response to the US Supreme Court decision in Dobbs v. Jackson Women's Health Organization, while also ensuring appropriate protection for all Washingtonians' right to health privacy.
The Act places several obligations upon regulated entities when collecting, using, and maintaining consumers' health data, and permits the collection of such data only under certain conditions. The MHMDA introduces a wide array of definitions covering consumers, covered data, health care services, and exemptions from the law.
II. Who Needs to Comply with the Law
A. Material Scope
The MHMDA applies to all legal entities (regulated entities) which fulfill the following two conditions:
- Conduct business in Washington, or produce or provide products or services that are targeted to consumers in Washington; and
- alone or jointly with others, determine the purpose and means of collecting, processing, sharing, or selling of consumer health data.
Small businesses, as defined under the MHMDA, also fall under the scope of the Act along with the regulated entities (collectively, covered entities). However, government agencies, tribal nations, and contracted service providers, when processing consumer health data on behalf of a government agency, do not constitute regulated entities for the purposes of the MHMDA.
To fully appreciate the applicability of the MHMDA, it is pertinent to understand the definitions of ‘consumer’ and ‘consumer health data’ as explained below:
Consumer
For the purposes of MHMDA, a consumer means:
- a natural person who is a Washington resident and acts only in an individual or household context; or
- a natural person whose consumer health data is collected in Washington.
An individual acting in an employment context does not fall under the scope of the MHMDA.
Consumer Health Data
Consumer health data means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status that includes, but is not limited to, the following:
- Individual health conditions, treatment, diseases, or diagnosis;
- Social, psychological, behavioral, and medical interventions;
- Health-related surgeries or procedures;
- Use or purchase of prescribed medication;
- Bodily functions, vital signs, symptoms, or measurements of physical, mental, or health status;
- Diagnosis or diagnostic testing, treatment, or medication;
- Gender-affirming care information;
- Reproductive or sexual health information;
- Biometric data;
- Genetic data;
- Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;
- Data that identifies a consumer seeking health care services; or
- Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data types described above that is derived or extrapolated from non-health information, e.g., proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning.
B. Exemptions
The following data does not form part of consumer health data and is excluded from the application of the MHMDA:
- De-identified data and publicly available information;
- Employment data;
- Personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest in compliance with applicable laws;
- Personal information that is governed by and collected, used, or disclosed pursuant to the following acts, regulations, parts, and titles:
- The Health Insurance Portability and Accountability Act (HIPAA);
- The Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) and implementing regulations;
- Part C of Title XI of the Social Security Act (42 U.S.C. 1320d et seq.);
- The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
- The Family Educational Rights and Privacy Act (20 U.S.C. 1232g; Part 99 of Title 34, C.F.R.);
- The Washington Health Benefit Exchange and applicable statutes and regulations, including 45 C.F.R. Sec. 155.260 and chapter 43.71 RCW; or
- Privacy rules adopted by the Office of the Insurance Commissioner pursuant to chapter 48.02 or 48.43 RCW.
III. Definitions of Key Terms
a) Biometric Data
Biometric data means data that is generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Biometric data includes, but is not limited to:
- Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; or
- Keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.
b) Consent
Consent means a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means. Consent may not be obtained by:
- A consumer's acceptance of a general or broad terms of use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information;
- A consumer hovering over, muting, pausing, or closing a given piece of content; or
- A consumer's agreement obtained through the use of deceptive designs.
c) De-identified Data
De-identified data means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer, if the regulated entity or the small business that possesses such data:
- takes reasonable measures to ensure that such data cannot be associated with a consumer;
- publicly commits to process such data only in a de-identified fashion and not attempt to re-identify such data; and
- contractually obligates any recipients of such data to satisfy the above two conditions.
d) Geofence
Geofence means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary. For purposes of this definition, "geofence" means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.
e) Small Business
Small business means a regulated entity that satisfies one or both of the following thresholds:
- Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
- Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.
IV. Obligations of Covered Entities
A. Privacy Policy
Covered entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses:
- The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;
- The categories of sources from which the consumer health data is collected;
- The categories of consumer health data that is shared;
- A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
- How a consumer can exercise the rights provided under the MHMDA.
A covered entity must prominently publish a link to its consumer health data privacy policy on its homepage. It must not collect, use, or share categories of consumer health data not disclosed in its privacy policy, or collect, use, or share consumer health data for purposes not disclosed in its privacy policy, without first disclosing the additional categories and the additional purposes to the consumer and obtaining the consumer's affirmative consent.
Contracting with a processor to process consumer health data in a manner that is inconsistent with the covered entity's consumer health data privacy policy is a violation of the MHMDA.
B. Legal Basis for Collection/Sharing of Consumer Health Data
Collection of Consumer Health Data
A covered entity may collect consumer health data only:
- With the consent from the consumer for the collection of data for a specified purpose; or
- To the extent necessary to provide a product or service that the consumer to whom the collected data relates has requested from the covered entity.
Sharing of Consumer Health Data
A covered entity may share consumer health data only:
- With the consumer's consent to such sharing, obtained separately and distinctly from the consent obtained to collect consumer health data; or
- To the extent necessary to provide a product or service that the consumer to whom the collected data relates has requested from the covered entity.
Consent Requirements
Consent must be obtained from the consumer prior to the collection or sharing, as applicable, of any consumer health data, and the request for consent must clearly and conspicuously disclose the following:
- The categories of consumer health data collected or shared;
- The purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used;
- The categories of entities with whom the consumer health data is shared; and
- How the consumer can withdraw consent from the future collection or sharing of the consumer's health data.
C. Non-discrimination
Covered entities must not unlawfully discriminate against consumers for exercising any rights under the MHMDA.
D. Security Measures
Covered entities must undertake the following to protect consumer health data from unauthorized access:
- Restrict access to consumer health data by the employees, processors, and contractors to only those employees, processors, and contractors for which access is necessary to further the purposes for which the consumer provided consent or, where necessary, to provide a product or service that the consumer to whom such consumer health data relates has requested; and
- Establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy reasonable standards of care within the covered entity's industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.
E. Sale of Consumer Health Data
A covered entity must not sell or offer to sell consumer health data without obtaining a valid authorization from the consumer. The sale of such data must be consistent with the authorization signed by the consumer, which must be separate and distinct from the consent obtained to collect or share such consumer's health data.
The valid authorization to sell consumer health data, written in plain language, must contain the following:
- The specific consumer health data concerning the consumer that the covered entity intends to sell;
- The name and contact information of the covered entity collecting and selling the consumer health data;
- The name and contact information of the covered entity purchasing the consumer health data from the seller;
- A description of the purpose for the sale, including how the consumer health data will be gathered and how the purchaser will use it;
- A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
- A statement that the consumer has a right to revoke the valid authorization at any time and a description of how to submit a revocation of the valid authorization;
- A statement that the consumer health data sold under the valid authorization may be subject to redisclosure by the purchaser;
- An expiration date for the valid authorization, which expires one year from the date the consumer signs it; and
- The signature of the consumer and the date.
An authorization from a consumer shall be considered void if it contains any of the following defects:
- The expiration date has passed;
- The authorization does not contain all the information required;
- The consumer has revoked the authorization;
- The authorization has been combined with other documents to create a compound authorization;
- The provision of goods or services is conditioned on the consumer signing the authorization.
The consumer must be provided with a copy of their signed valid authorization, and the seller and purchaser must each retain a copy of every valid authorization for the sale of consumer health data for six years from the date of its signature or the date when it was last in effect, whichever is later.
F. Geofencing
The MHMDA bars covered entities from implementing a geofence around an entity that provides in-person health care services where such geofence is used to:
- Identify or track consumers seeking health care services;
- collect consumer health data from consumers; or
- send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.
V. Obligations of Processors
A. Processing under Contract
A processor may process consumer health data only pursuant to a binding contract between the processor and the covered entity that sets forth the processing instructions and limits the actions the processor may take with respect to such data.
If a processor fails to adhere to the covered entity's instructions, or processes consumer health data in a manner that is outside the scope of the processor's contract with the covered entity, the processor is considered a covered entity with regard to such data and becomes subject to all the requirements of the MHMDA with regard to such data.
B. Assistance to the Covered Entity
A processor must assist the covered entity by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the covered entity's obligations under the provisions of MHMDA.
VI. Consumer Rights
Consumers have the following rights under the MHMDA over their health data:
a) Right to Access
A consumer has the right to confirm whether a covered entity is collecting, sharing, or selling their consumer health data. The consumer also has the right to access such data, to receive a list of all third parties and affiliates with whom such data has been shared or to whom it has been sold, and to receive an active email address or other appropriate online mechanism for contacting these third parties.
b) Right to Withdraw Consent
A consumer has the right to withdraw consent from the covered entity's collection and sharing of consumer health data concerning the consumer.
c) Right to Deletion
A consumer can request a covered entity to delete any health data they may have collected on the consumer.
Upon receiving the request for deletion from the consumer, a covered entity must undertake the following:
- Delete the consumer health data from its records, including from all parts of its network and from any archived or backup systems; and
- Notify all affiliates, processors, contractors, and other third parties with whom it has shared the consumer health data of the deletion request.
Any affiliates, processors, contractors, and other third parties receiving such a deletion request must honor the consumer's request and delete the data from their records subject to the same requirements. A recipient may delay fulfilling the request where the consumer health data in question is stored on an archived or backup system, but such a delay must not exceed six months from the authentication of the deletion request.
Submission of DSR Requests
Covered entities must establish a secure and reliable method for the submission of DSR requests and describe it in their privacy policy. The method must take into account:
- the ways in which consumers normally interact with the covered entity;
- the need for secure and reliable communication of such requests; and
- the ability of the covered entity to authenticate the consumer's identity making the request.
A covered entity should not require a consumer to create a new account in order to exercise consumer rights but may require a consumer to use an existing account.
Authentication of DSR Request
If a covered entity cannot authenticate any consumer request using commercially reasonable efforts, it is not required to comply with such a DSR request and may ask the consumer to provide additional information reasonably necessary to authenticate the request.
Charges for DSR Fulfillment
Any information the covered entity provides in response to a DSR request must be provided free of charge up to twice annually per consumer. However, if a DSR request is manifestly unfounded, excessive, or repetitive, the covered entity may charge the consumer a reasonable fee to cover the administrative costs of complying with the request.
The covered entity may also decline to honor such a request; in either case, however, the covered entity bears the burden of demonstrating that the request is manifestly unfounded, excessive, or repetitive.
Response Period for DSR Requests
A covered entity must respond to a DSR request without undue delay, but in all cases, within 45 days of receipt of the request.
The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the covered entity informs the consumer of any such extension within the initial 45-day response period, together with the reason for the extension.
Appeal against the DSR Decisions
A covered entity must establish a process for consumers to appeal any decision by the covered entity related to their DSR requests; the appeal process must be conspicuously available and as easy to use as the process for submitting the request. The covered entity must inform the consumer in writing of any action taken or not taken in response to an appeal within 45 days of receiving it, together with a written explanation of the reasons for the decision.
If the consumer's appeal is denied, the covered entity must provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.
VII. Limitations
The obligations imposed under the MHMDA do not restrict a covered entity’s ability to:
- collect, use, or disclose consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law;
- preserve the integrity or security of systems; or
- investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.
However, the burden of demonstrating that any processing qualifies for one of the exemptions listed above lies with the covered entity.
VIII. Regulatory Authority
Any violation of the provisions of the MHMDA constitutes an unfair or deceptive act in trade or commerce and an unfair method of competition within the meaning of the Consumer Protection Act, Chapter 19.86 RCW.
Washington's Office of the Attorney General is primarily responsible for enforcing the provisions of the MHMDA. Because violations are actionable under the Consumer Protection Act, consumers also have a private right of action to seek damages for violations.
Additionally, the MHMDA establishes a joint committee that will be responsible for reviewing any enforcement actions brought by the Attorney General and consumers. A report on such a review must include the following:
- The number of enforcement actions reported by the attorney general, a consumer, and a regulated entity in a settlement, including the average settlement amount;
- The number of complaints reported, including categories of complaints and the number of complaints for each category, reported by the attorney general, a consumer, or a regulated entity;
- The number of enforcement actions brought by the attorney general and consumers, including the categories of violations and the number of violations per category;
- The number of civil actions where a judge determined the position of the non-prevailing party was frivolous, if any;
- The types of resources, including associated costs, expended by the Attorney General, a consumer, a regulated entity, or a small business for enforcement actions;
- Recommendations for potential changes to enforcement provisions of the MHMDA.
The Office of the Attorney General is responsible for providing any additional information requested by the joint committee considered necessary to conduct their review. The findings and recommendations of the joint committee need to be submitted to the Governor of Washington and any appropriate committees of the state legislature.
The aforementioned requirements related to the joint committee expire on June 30, 2031.
IX. Enforcement Dates
The provisions of the MHMDA become enforceable against regulated entities on March 31, 2024; small businesses have until June 30, 2024 to comply with the requirements of the MHMDA.
Importantly, the geofencing prohibition does not carry its own delayed compliance date, so it took effect on Washington's default timeline of 90 days after the end of the legislative session, i.e., on July 23, 2023.
X. How An Organization Can Operationalize the MHMDA
Here are some steps a covered entity may take to ensure it is on track for effective compliance with the MHMDA:
- Have a privacy policy that is easily understandable and communicates the organization's obligations and consumers' rights effectively;
- Ensure all the company's employees and staff are aware of their responsibilities under the law;
- Have a compliant consent mechanism in place to capture express consent;
- Communicate to all consumers what data is being collected on them;
- Maintain proper channels of communication, allowing the consumers to exercise their data subject rights both freely and easily;
- Have an appropriate system in place to record, review, and retain all valid authorizations from consumers.
XI. How Can Securiti Help
Securiti is a market leader in providing enterprise data privacy, security, governance, and compliance solutions. Its products range from universal consent management and data classification to DSR automation and assessment automation that can help organizations fulfill their data-related obligations effectively under all major data regulations.
Furthermore, Securiti’s PrivacyCenter.cloud offers organizations a centralized platform to ensure compliance with all their consent, privacy policy, and data subject rights-related obligations from a consolidated dashboard.
Request a demo today to learn more about how Securiti can help you comply with the My Health My Data Act.