Data privacy has been a fairly complex topic within the United States of America. Unlike the EU or other major western economies, the US does not have a comprehensive federal data privacy regulation that provides adequate privacy protection to its citizens. While there has been some progress, with a potential draft presented in the House and President Biden emphasizing the need for better data privacy in his latest State of the Union Address, a GDPR-like regulation within the US remains elusive.
Amidst all this, the states have taken it upon themselves to protect their citizens' digital data privacy rights. Since California passed its landmark CCPA, several other states have followed suit. On April 27, 2023, Washington became the latest state to do so after Governor Jay Inslee signed the My Health My Data Act (MHMDA).
The Act has been described as a response to the US Supreme Court decision in Dobbs vs. Jackson Women's Health Organization while ensuring appropriate protection for all Washingtonians' right to health privacy.
The Act places several obligations upon regulated entities when collecting, using, and maintaining consumers' health data, with the collection of such data only possible in certain conditions. The MHMDA introduces a wide array of definitions of consumer, covered data, health care services, and exemptions from the law.
The MHMDA applies to all legal entities (regulated entities) which fulfill the following two conditions:
Small businesses, as defined under the MHMDA, also fall under the scope of the Act along with the regulated entities (collectively, covered entities). However, government agencies, tribal nations, or contracted service providers processing consumer health data on behalf of a government agency do not constitute regulated entities for the purposes of the MHMDA.
To fully appreciate the applicability of the MHMDA, it is pertinent to understand the definitions of ‘consumer’ and ‘consumer health data’ as explained below:
For the purposes of MHMDA, a consumer means:
An individual acting in an employment context does not fall under the scope of the MHMDA.
Consumer health data means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status that includes, but is not limited to, the following:
The following data does not form part of consumer health data and is excluded from the application of the MHMDA:
Biometric data means data that is generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Biometric data includes, but is not limited to:
Consent means a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means. Consent may not be obtained by:
De-identified data means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer, if the regulated entity or the small business that possesses such data:
Geofence means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary. For purposes of this definition, "geofence" means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.
Small business means a regulated entity that satisfies one or both of the following thresholds:
A covered entity may only collect any consumer health data in the following manner:
A covered entity can only share any consumer health data in the following manner:
The consent from the consumers must be obtained prior to the collection or sharing, as applicable, of any consumer health data, and the request for consent must clearly and conspicuously disclose the following:
The covered entities must not unlawfully discriminate against the consumers for exercising any rights under the MHMDA.
The covered entities must undertake the following to protect the consumer health data from unauthorized access:
A covered entity must not sell or offer to sell consumer health data without obtaining valid authorization from the consumer. The sale of such data must be consistent with the authorization signed by the consumer, which must be separate and distinct from the consent obtained to collect or share such consumer’s health data.
The valid authorization to sell consumer health data, written in plain language, must contain the following:
An authorization from a consumer shall be considered void if it contains any of the following defects:
The consumer must be provided a copy of their signed, valid authorization, while the seller and purchaser must retain a copy of all valid authorizations for the sale of consumer health data for six years from the date of its signature or the date when it was last in effect, whichever is later.
The MHMDA bars the covered entities from implementing a geofence around an entity that provides in-person health care services where such geofence is used to:
A processor may process consumer health data only pursuant to a binding contract between the processor and the covered entity that sets forth the processing instructions and limits the actions the processor may take with respect to such data.
If a processor fails to adhere to the covered entity’s instructions or processes consumer health data in a manner that is outside the scope of the processor's contract with the covered entity, the processor is considered a covered entity with regard to such data and is subject to all the requirements of the MHMDA with regard to such data.
A processor must assist the covered entity by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the covered entity's obligations under the provisions of MHMDA.
The consumers have the following rights under the MHMDA over their health data:
A consumer has the right to know and confirm if a covered entity is collecting, sharing, or selling their consumer health data. The consumer also has the right to access such data and know if such data has been shared or sold to third parties. The consumer may also request an active email address or other appropriate online mechanism to contact these third parties.
A consumer has the right to withdraw consent from the covered entity's collection and sharing of consumer health data concerning the consumer.
A consumer can request a covered entity to delete any health data they may have collected on the consumer.
Upon receiving the request for deletion from the consumer, a covered entity must undertake the following:
Any affiliates, processors, contractors, and other third parties receiving such a deletion request must honor the consumer's request and delete the data from their records subject to the abovementioned requirements. However, they may delay fulfilling such a request if the consumer health data related to the deletion request is stored on an archived or backup system, provided that the delay does not exceed six months from the authentication of the deletion request.
A covered entity should not require a consumer to create a new account in order to exercise consumer rights but may require a consumer to use an existing account.
If a covered entity cannot authenticate any consumer request using commercially reasonable efforts, it is not required to comply with such a DSR request and may ask the consumer to provide additional information reasonably necessary to authenticate the request.
Any information the covered entity provides in response to a DSR request must be provided free of charge up to twice annually per consumer. However, if a DSR request is manifestly unfounded, excessive, or repetitive, the covered entity may charge the consumer a reasonable fee to cover the administrative costs of complying with the request.
The covered entity may also decline to honor such a request; however, in either case, the covered entity bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
A covered entity must respond to a DSR request without undue delay, but in all cases, within 45 days of receipt of the request.
The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the covered entity informs the consumer of any such extension within the initial 45-day response period, together with the reason for the extension.
A covered entity must establish a process making it easy for consumers to appeal any decisions by the covered entity related to their DSR requests. The regulated entity must inform the consumers of any actions taken or not taken in response to an appeal within 45 working days, along with a written explanation of the decision.
In case the appeal of the consumer fails, the covered entity must provide the consumer with an online mechanism, if available, or other methods through which the consumer may contact the attorney general to submit a complaint.
The obligations imposed under the MHMDA do not restrict a covered entity’s ability to:
However, the burden of demonstrating that any processing qualifies for any of the exemptions listed above lies with the covered entity.
Any violation of the provisions of the MHMDA constitutes an unfair or deceptive act in trade or commerce and an unfair method of competition within the meaning of the Consumer Protection Act, Chapter 19.86 RCW.
Washington’s Office of the Attorney General is primarily responsible for enforcing the provisions of the MHMDA, which also provides for a private right of action to the consumers to seek damages for violations.
Additionally, the MHMDA establishes a joint committee that will be responsible for reviewing any enforcement actions brought by the Attorney General and consumers. A report on such a review must include the following:
The Office of the Attorney General is responsible for providing any additional information requested by the joint committee considered necessary to conduct their review. The findings and recommendations of the joint committee need to be submitted to the Governor of Washington and any appropriate committees of the state legislature.
However, the aforementioned requirements related to joint committees will expire on June 30, 2031.
The provisions of the MHMDA shall be enforceable from 31 March 2024 in case of regulated entities; however, small businesses will have till 30 June 2024 to comply with the requirements of the MHMDA.
Importantly, the requirements regarding geofencing shall be enforceable within Washington's default time frame of 90 days, as the Act does not specify any enforcement date for them.
Here are some steps a covered entity may take to ensure they're on track for effective compliance with the MHMDA:
Securiti is a market leader in providing enterprise data privacy, security, governance, and compliance solutions. Its products range from universal consent management and data classification to DSR automation and assessment automation that can help organizations fulfill their data-related obligations effectively under all major data regulations.
Request a demo today and learn more about how Securiti can help you comply with the My Health, My Data Act.