Washington - My Health My Data Act

What is the Washington My Health My Data Act (MHMD)?

The Washington My Health My Data Act (MHMD), initially known as HB 1155, is a new privacy law introduced by the state of Washington that focuses on the protection of personal health information of consumers in the state. This law was created following the reversal of the Roe v. Wade decision and aims to change the way businesses in Washington manage health data. 

Additionally, it aims to enhance and complete the purpose of HIPAA by closing “the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers' health data,'' since “information related to an individual's health conditions or attempts to obtain health care services is among the most personal and sensitive categories of data collected. Washingtonians expect that their health data is protected under laws like the Health Information Portability and Accountability Act (HIPAA). However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections.”

It requires businesses to be transparent about how they collect, use, and share health data, gives consumers more control over their health data by requiring businesses to get their consent before collecting or sharing it and providing them with the right to access and delete their health data, and also prohibits the use of technology to track individuals for purposes of targeted advertising based on their geolocation around healthcare facilities.

It was signed on April 27th, 2023, and became effective as of July 23rd, 2023, but mandates different enforcement dates for small businesses as opposed to all other regulated entities. 

How does the Washington My Health My Data Act (MHMD) define Personal Information and what are other key definitions?

The Washington My Health My Data Act defines ‘personal information’ as “information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer,” which “includes, but is not limited to, data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier,” but excludes publicly available information and deidentified data.  

The MHMDA does not specifically define a category of ‘sensitive personal information,’ instead, it recognizes that “information related to an individual's health conditions or attempts to obtain health care services is among the most personal and sensitive categories of data collected” and as such offers a definitions for ‘consumer health data’ as follows: 

"(a) Consumer health data" means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.

(b) For the purposes of this definition, physical or mental health status includes, but is not limited to:

(i) Individual health conditions, treatment, diseases, or diagnosis;

(ii) social, psychological, behavioral, and medical interventions;

(iii) Health-related surgeries or procedures; (iv) Use or purchase of prescribed medication;

(V) Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection (8) (b);

(vi) Diagnoses or diagnostic testing, treatment, or medication;

(vii) Gender-affirming care information;

(viii) Reproductive or sexual health information;

(ix) Biometric data;

(x) Genetic data;

(xi) Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;

(xii) Data that identifies a consumer seeking health care services; or

(xiii) Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described in (b)(i) through (xii) of this subsection that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).

(c) "Consumer health data" does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the regulated entity or the small business has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

Along the same lines, the My Health My Data Act offers a definition for ‘biometric data’ as “data that is generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Biometric data includes, but is not limited to (a) imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; or (b) keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.”

Consent under the MHMDA is “a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means,” which cannot be obtained through any of the following:

• “A consumer's acceptance of general or broad terms of use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information;
• A consumer hovering over, muting, pausing, or closing a given piece of content; or
• A consumer's agreement obtained through the use of deceptive designs.”

A ’consumer’ is “a natural person who is a Washington resident; or a natural person whose consumer health data is collected in Washington, [...] who acts only in an individual or household context, however identified, including by any unique identifier,” and this does not include “an individual acting in an employment context.”

Lastly, Washington’s health law defines the ‘sale of personal data’ as “the exchange of consumer health data for monetary or other valuable consideration,” which excludes the following types of sale of personal data: 

• “To a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's or the small business's assets that complies with the requirements and obligations in this chapter; or
• By a regulated entity or a small business to a processor when such exchange is consistent with the purpose for which the consumer health data was collected and disclosed to the consumer.”

Who does the Washington My Health My Data Act (MHMD) apply to?

The Washington My Health My Data Act (MHMD) applies to regulated entities and small businesses, which it defines as follows: 

A ‘regulated entity’ is “any legal entity that: 

• conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and 
• alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” 

A ‘small business’ means “regulated entity that satisfies one or both of the following thresholds:

• Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
• Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.”

How can Clym help?