A New Paradigm for Consumer Health Data Privacy in Washington State
The Washington ‘My Health, My Data’ Act (MHMD or the Act) establishes a fundamentally new legal framework within U.S. law to regulate the collection, use, and transfer of consumer health data. Signed into law by Governor Inslee on April 27, 2023, MHMD was introduced at the request of the Washington Attorney General in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (2022) (Dobbs).
While drafting quirks have created uncertainty about the effective dates of some of MHMD’s provisions, the Washington Legislature generally appears to intend for MHMD’s substantive data privacy requirements to take effect on March 31, 2024 (or June 30, 2024, for small businesses). Other provisions, including the Act’s sections on geofencing and enforcement, take effect in 90 days’ time.
This post highlights six aspects of MHMD that could have paradigm-shifting consequences for data privacy regulation. For a more in-depth analysis of the Act, check out the Future of Privacy Forum’s MHMD Policy Brief.
1. ‘My Health, My Data’ applies to organizations that collect, process, or transfer covered data in any way that touches Washington State:
MHMD will impact a broad range of entities, both within and outside of Washington State. The Act imposes obligations on regulated entities that do business in Washington or that “target” products or services at Washington consumers. Such targeting likely includes actions as simple as making a business website accessible from within Washington or advertising in Washington. In addition, MHMD applies to businesses and nonprofit organizations of any size that collect, hold, or transfer consumer data that has “any operation” performed on it in the state at any point. Significantly, MHMD defines “consumer” as any natural person whose health data is processed in “any manner” within the state. Therefore, if consumer health data is at any point accessed in, travels through, or is stored in Washington State, MHMD is likely to apply. Unlike many other U.S. privacy laws, the Act does not exempt entities that are covered by other legal regimes, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Family Educational Rights and Privacy Act of 1974 (FERPA); it exempts only the data those regimes already regulate.
2. ‘My Health, My Data’ defines “health data” far more broadly than any other U.S. privacy framework:
MHMD regulates collection and transfers of “consumer health data,” defined as any form of “personal information” that “identifies the consumer’s past, present, or future physical or mental health status.” The Act provides a non-exhaustive list of 13 categories of information that constitute de facto “health status” under the Act, including biometric data, “[p]recise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies,” and health information that is inferred from non-health data. This definition of health data is far broader than the definitions established by other contemporary legal frameworks, and will encompass information that is not typically treated as health data. Any entity with a nexus to individually identifying health information should assess the potential operational impacts of MHMD.
While more expansive than other legislative frameworks, one significant aspect of MHMD’s definition of “consumer health data” aligns with the Federal Trade Commission’s (the Agency) approach to health information in its recent enforcement actions against GoodRx and BetterHelp. In its complaint against BetterHelp, the Agency alleged that the company wrongfully disclosed consumer information, including email addresses, IP addresses and unique advertising IDs, that revealed that consumers had accessed a website seeking mental health care services. Similarly, MHMD’s definition of “personal information” includes “data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier.” These definitions demonstrate an emerging regulatory attention to ways in which common online activities and user data can be processed to reveal sensitive health information.
3. ‘My Health, My Data’ establishes recurring notice-and-consent obligations for the collection, transfer, sale, and secondary use of health data:
MHMD requires businesses to make disclosures and obtain separate consumer consent for any collection and transfer of health data beyond what is necessary to provide a consumer-requested product or service. For the “sale” of health data, the Act requires regulated entities to obtain “valid authorization,” a more exacting form of consent that expires after one year. MHMD defines “sale” broadly to include exchanges for valuable consideration, and will likely implicate current digital advertising practices for covered entities.
While MHMD’s opt-in framework will provide individuals with increased ability to control how their health data is collected and transferred, users will likely face a significant increase in the volume of notices and pop-ups when accessing many common products and services. Furthermore, since MHMD relies on a “notice and consent” framework rather than creating new baseline rules around how entities may collect, use and transfer covered health data, the efficacy of the Act’s framework will depend on whether users are able to successfully navigate this new menu of consent options while obtaining desired products and services.
4. ‘My Health, My Data’ creates consumer rights of access and deletion that go beyond those established by other state privacy laws:
MHMD creates several consumer rights that have become standard in global privacy laws, including the right to know how an organization uses personal data, the right to access that data, and the right to have covered health data deleted. However, MHMD does not contain common exemptions for these rights such as for protecting trade secrets or for complying with legal obligations.
Furthermore, the Act’s rights of access and deletion differ significantly from those in comparable state laws, and will require modifications to organizations’ compliance programs. For example, MHMD’s right of access not only gives users the right to obtain a copy of their data, but also to procure a list of the names and email addresses of third parties with whom their data was shared or sold. The Act’s deletion right gives individuals the right to have their health data deleted from all records managed by a regulated entity, including from archived or backup systems and from within the records of processors, contractors, and other third parties, with no exception for data that is retained in order to comply with deletion requests on an ongoing basis.
5. ‘My Health, My Data’ places novel restrictions on the geofencing of a wide-ranging set of facilities that provide in-person “health care services”:
MHMD forbids both covered entities and individual actors from geofencing physical “health care facilities” in order to identify individuals, collect health data, or send health data or health-service related messages to consumers. This restriction may impact several common practices, including security operations and the use of push notifications for advertising consumer goods. Furthermore, MHMD’s far-reaching definition of “health care services” means these restrictions could include geofencing conducted in order to collect data from or advertise to individuals visiting gyms, complexes that include healthcare offices, and general consumer goods stores.
6. ‘My Health, My Data’ provides for enforcement through a private right of action:
MHMD gives the Washington Attorney General authority to enforce the Act and also creates a private right of action by establishing that a violation of the Act is an unfair or deceptive trade practice under the Washington Consumer Protection Act (WCPA). While MHMD’s inclusion of a private right of action sets it apart from many other state privacy laws, entities should note that MHMD does not provide for statutory damages. Instead, MHMD grants plaintiffs the right to sue to recover for any injury to their “business or property” caused by a violation of the Act, and gives courts the discretion to award treble damages up to $25,000. While the Washington Attorney General’s office can likely issue interpretive guidance, the opportunity for private litigation suggests that judges are likely to resolve the Act’s drafting ambiguities.
MHMD will set new standards for the protection of personal health data not covered by HIPAA. The Act’s broad scope and exacting requirements could create compliance hurdles for a wide range of covered entities, and its private right of action provides an enforcement mechanism not usually available under U.S. privacy laws. Organizations of all sizes, even those that operate outside of Washington State, should investigate whether they are, or could become, covered by the Act and understand MHMD’s requirements. Likewise, individuals should determine when their data is covered by MHMD and what rights they are afforded under the Act. Finally, policymakers working on these issues should consider not only the scope of new health privacy legislation, but also how new regulations will interact with existing frameworks, including the sensitive data protections established under the various state comprehensive privacy laws.