Washington's Health Privacy Law: New Obligations For Entities In The State
On April 27th, 2023, Washington Governor Jay Inslee signed into law the “My Health, My Data” Act (“MHMD”), a piece of legislation that will have a profound impact on the treatment of consumer health data in the state of Washington. The goal of MHMD is to expand the protections granted to consumer health data beyond the scope covered by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Here is what you need to know about the new law:
When Does the Law Take Effect?
For “regulated entities”, most of the law’s data privacy provisions take effect on March 31, 2024, while the law takes effect on June 30, 2024, for “small businesses.”
Regulated Entities are any legal entity that:
(i) conducts business in or produces, or provides, products and services in Washington, and
(ii) takes part in determining the purpose and means of collecting, processing, sharing, or selling consumer health data.
Small Businesses are any regulated entities that satisfy one or both of the following criteria:
(i) Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
(ii) derives less than 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.
Critically, the definition of “regulated entities” is unique and distinct when compared to the definition of “Covered Entities” under HIPAA. Consequently, entities doing business in Washington will need to perform a separate analysis to determine whether they fall under the scope of MHMD.
What Information Does the Law Cover?
“Consumer health data” is protected under the law, and includes any information that identifies a consumer’s past, present, or future “physical and mental health status”. MHMD includes a non-exhaustive list of 13 types of information included within this definition. Notably, this definition is broader than the definition of Protected Health Information (“PHI”) under HIPAA, which will result in a broader application.
MHMD provides additional protections to information that is processed to associate or identify a consumer with consumer health data, even if the information used is non-health data.
What are the Obligations of Regulated Entities?
Regulated entities must take the following steps to comply with MHMD:
1. Maintain a consumer health data privacy policy that clearly and conspicuously discloses:
(i) what information is being collected,
(ii) where the information is being collected from,
(iii) what information is shared,
(iv) who the information is shared with, and
(v) how a consumer may exercise their rights with respect to the information.
2. Obtain prior consent from the consumer for the collection or sharing of information for a specified purpose, or only collect and share what information is necessary to provide the requested product or service.
3. Restrict access to consumer health data to only those employees, processors, and contractors for which access is necessary to provide the requested product or service, or to further the purposes for which the consumer provided consent.
4. Obtain valid authorization from the consumer before selling or offering to sell consumer health data. This authorization must be separate and distinct from the consent to collect and share the data.
What are the Rights of Consumers?
Consumers are granted the right to confirm whether a regulated entity is processing their data, to access their health data, and to request that their health data be deleted across all records managed by a regulated entity. Additionally, consumers are granted the right to access a list of the names and contact information of third parties and affiliates that have either had the information shared with or sold to them.
Enforcement
The rights and restrictions within MHMD can be enforced by either the office of the Attorney General of Washington or through a private right of action.
Does your organization hold “consumer health data”? Reach out to McGrath North’s Privacy and Cybersecurity team today to develop a comprehensive compliance plan for your organization.
Related Attorneys
