<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Washington - My Health My Data Act

The consumer health data protection law of Washington

Book a Demo

Find out your compliance score today!

clym web compliance scanner visual-FEATURE IMAGE

 

What is the Washington My Health My Data Act (MHMD)?

The Washington My Health My Data Act (MHMD), initially known as HB 1155, is a new privacy law introduced by the state of Washington that focuses on the protection of personal health information of consumers in the state. This law was created following the reversal of the Roe v. Wade decision and aims to change the way businesses in Washington manage health data. 

Additionally, it aims to enhance and complete the purpose of HIPAA by closing “the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers' health data,'' since “information related to an individual's health conditions or attempts to obtain health care services is among the most personal and sensitive categories of data collected. Although  Washington residents expect that their health data is protected under laws like the Health Information Portability and Accountability Act (HIPAA), this law only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections.”

It requires businesses to be transparent about how they collect, use, and share health data, gives consumers more control over their health data by requiring businesses to get their consent before collecting or sharing it and providing them with the right to access and delete their health data, and also prohibits the use of technology to track individuals for purposes of targeted advertising based on their geolocation around healthcare facilities.

It was signed on April 27th, 2023, and became effective as of July 23rd, 2023, but mandates different enforcement dates for small businesses as opposed to all other regulated entities. 



How does the Washington My Health My Data Act (MHMD) define Personal Information and what are other key definitions?

The Washington My Health My Data Act defines ‘personal information’ as “information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer,” which “includes, but is not limited to, data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier,” but excludes publicly available information and deidentified data.  

The MHMDA does not specifically define a category of ‘sensitive personal information,’ instead, it recognizes that “information related to an individual's health conditions or attempts to obtain health care services is among the most personal and sensitive categories of data collected” and as such offers a definitions for ‘consumer health data’ as follows: 

 

"(a) Consumer health data" means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.

(b) For the purposes of this definition, physical or mental health status includes, but is not limited to:

(i) Individual health conditions, treatment, diseases, or diagnosis;

(ii) social, psychological, behavioral, and medical interventions;

(iii) Health-related surgeries or procedures; (iv) Use or purchase of prescribed medication;

(V) Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection (8) (b);

(vi) Diagnoses or diagnostic testing, treatment, or medication;

(vii) Gender-affirming care information;

(viii) Reproductive or sexual health information;

(ix) Biometric data;

(x) Genetic data;

(xi) Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;

(xii) Data that identifies a consumer seeking health care services; or

(xiii) Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described in (b)(i) through (xii) of this subsection that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).

(c) "Consumer health data" does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the regulated entity or the small business has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

Along the same lines, the My Health My Data Act offers a definition for ‘biometric data’ as “data that is generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Biometric data includes, but is not limited to (a) imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; or (b) keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.”

Consent under the MHMDA is “a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means,” which cannot be obtained through any of the following:

  • “A consumer's acceptance of general or broad terms of use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information;
  • A consumer hovering over, muting, pausing, or closing a given piece of content; or
  • A consumer's agreement obtained through the use of deceptive designs.”

A ’consumer’ is “a natural person who is a Washington resident; or a natural person whose consumer health data is collected in Washington, [...] who acts only in an individual or household context, however identified, including by any unique identifier,” and this does not include “an individual acting in an employment context.”

Lastly, Washington’s health law defines the ‘sale of personal data’ as “the exchange of consumer health data for monetary or other valuable consideration,” which excludes the following types of sale of personal data: 

  • “To a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's or the small business's assets that complies with the requirements and obligations in this chapter; or
  • By a regulated entity or a small business to a processor when such exchange is consistent with the purpose for which the consumer health data was collected and disclosed to the consumer.”



Who does the Washington My Health My Data Act (MHMD) apply to?

The Washington My Health My Data Act (MHMD) applies to regulated entities and small businesses, which it defines as follows: 

A ‘regulated entity’ is “any legal entity that: 

  • conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and 
  • alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” 

A ‘small business’ means “regulated entity that satisfies one or both of the following thresholds:

  • Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
  • Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.”

Who does the Washington My Health My Data Act (MHMD) exempt?

Washington’s My Health My Data Act exempts the following entities and types of information: 

  • Entities or associates covered by HIPAA.
  • Health care facilities or providers under state law.
  • Programs or service organizations under federal drug abuse laws.
  • Protected health information under HIPAA.
  • Health care information when used according to state health laws.
  • Patient information when used according to federal drug abuse laws.
  • Identifiable private information used in research and clinical practice guidelines.
  • Information for quality improvement, peer review, or quality assurance committees.
  • Documents for the Health Care Quality Improvement Act.
  • Patient safety work products under federal health laws.
  • Deidentified information from health care sources.
  • Information used for public health activities or part of a limited data set.
  • Identifiable data used according to state health data laws.
  • Personal information governed by and collected, used, or disclosed under:
    • Gramm-Leach-Bliley Act (financial information).
    • Title XI of the Social Security Act (health information).
    • Fair Credit Reporting Act (credit information).
    • Family Educational Rights and Privacy Act (educational records).
    • Washington Health Benefit Exchange regulations (health benefits).
    • Privacy rules from the Office of the Insurance Commissioner.

The law also states that it “does not restrict a regulated entity's or processor's ability for collection, use, or disclosure of consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.”

 

What are the requirements for businesses under the Washington My Health My Data Act (MHMD)?

The MHMDA sets out a series of obligations for covered entities and small businesses as follows: 

  • Starting March 31, 2024, you should have a clear consumer health data privacy policy. This policy should state what health data you collect, why you collect it, where it comes from, and who you share it with. Make sure this policy is easy to find on your homepage. 
  • You cannot collect, use, or share health data for reasons not mentioned in your policy without getting explicit consent from the consumer. If you work with a processor, they must follow your data policy. Any new categories of data or purposes require new consent.
  • You can only collect health data with the consumer’s consent or if it’s needed to provide a service they requested. Sharing data also needs separate consent.
  • You must limit data access to only those employees or contractors who need it and protect this data with strong security measures.
  • You have to provide consumers with their data subject access rights and reply to requests "without undue delay, but in all cases within 45 days of receipt of the request."
  • Any activity of a processor on your behalf has to be based on an agreement between you and them and processors must follow your instructions when handling health data and help you meet your obligations. If they don't, they become responsible for the data themselves.
  • Selling consumer health data is prohibited without clear, written consent and  authorization from the consumer, which must be a separate agreement and should be collected separately from consent. This authorization must detail what data is being sold, the buyer, and the purpose. The consumer must get a copy and have the right to revoke this authorization.
  • You must keep records of these authorizations for six years. 
  • Also, it’s illegal to use geofencing to collect or track health data around healthcare providers or to send targeted messages based on this data. 
  • Small businesses have until June 30, 2024, to comply with these rules.

To help covered entities and small businesses meet the applicable deadline, we’ve created the table below: 

Requirement in the text of the law

Date of enforcement for most of the regulated entities

Date of enforcement for small businesses

§4(1)(a) Obligation to maintain a "consumer health data privacy policy"

March 31, 2024

June 30, 2024

§4(1)b) Obligations to publish a homepage link to the consumer health data privacy policy

End of July 2023

June 30, 2024

§4(1)(c) Consent for collection, use, or sharing categories of data not disclosed in consumer health data privacy policy

End of July 2023

June 30, 2024

§4(1)(d) Consent for collection, use, or sharing for purposes not disclosed in consumer health data privacy policy

End of July 2023

June 30, 2024

§4(1)(e) Prohibition on contracting with a processor to process in manner inconsistent with consumer health data privacy policy

End of July 2023

June 30, 2024

§5(1)(a) Consent for collection of consumer health data for a secondary purpose

March 31, 2024

June 30, 2024

§5(1)(b) Consent for sharing consumer health data for a secondary purpose

End of July 2023

June 30, 2024

§5(1)(d) Prohibition on unlawful discrimination

End of July 2023

June 30, 2024

§6(1)(a) Right to know / right of access

March 31, 2024

June 30, 2024

§6(1)b) Right to withdraw consent

End of July 2023

June 30, 2024

§6(1)(c) Right of deletion

End of July 2023

June 30, 2024

§6(1)(d)-(h) Procedural requirements related to consumer requests to exercise rights

End of July 2023

June 30, 2024

§7 Data Security

March 31, 2024

June 30, 2024

§8(1)(a)() Requirement for processor contract

March 31, 2024

June 30, 2024

§8(1)(a)(ii) Processor limit to processing consistent with contractual instructions

End of July 2023

June 30, 2024

§8(1)(b) Processor obligation to assist regulated entity in meeting its obligations

End of July 2023

June 30, 2024

§9 Consumer Authorization for Data "Sale"

March 31, 2024

June 30, 2024

$10 Geofencing Prohibition

End of July 2023

End of July 2023

 

My Health My Data Act compliant website with Clym

Book a Demo

What are the consumer rights under the Washington My Health My Data Act (MHMD)?

The Washington My Health My Data Act (MHMD) gives consumers the following rights: 

  • Right to Access
  • Right to Delete
  • Right to Withdraw Consent
  • Right to Non-Discrimination

 

How to respond to consumer requests under the Washington My Health My Data Act (MHMD)?

Consumers have the right to know if your business is collecting, sharing, or selling their health data and can request a list of third parties you've shared their data with so they can contact them directly. Consumers can also withdraw consent for data collection and sharing and request that their health data be deleted. You must delete their data from all your systems, including backups, and inform other third parties you've shared their data with to do the same. If the data is stored in backups, deletion may take up to six months.

Consumer requests can be submitted anytime through a secure method described in your privacy policy, without consumers needing to create a new account. However, you must verify their identity to process the request and you can charge a fee or deny requests if the requests are excessive or repetitive, but you must prove this.

You have 45 days to respond to consumer requests, extendable by another 45 days if needed, and must inform the consumer if there's a delay. If you deny a request, consumers have a right to appeal your decision and the appeal process has to be easy to find and use. You must respond to appeals within 45 days, providing reasons for any denial and you have to include a way for the consumer to contact the Attorney General.

 

Washington My Health My Data Act (MHMD) enforcement and penalties

The Washington My Health My Data Act (MHMD) is enforced by the Washington State Attorney General. Violations of the Act are considered unfair or deceptive acts and can result in penalties under the state's consumer protection laws. The Attorney General can bring enforcement actions against businesses that fail to comply, and consumers can also bring civil actions to enforce their rights under the Act.

 

Data Subject Rights - GDPR vs. My Health My Data Act

 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 50+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

FAQs about the Washington My Health My Data Act

What does the Washington My Health My Data Act (MHMD) apply to?

The Washington My Health My Data Act (MHMD) applies to regulated entities and small businesses, which it defines as follows: 

A ‘regulated entity’ is “any legal entity that: 

  • conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and 
  • alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” 

A ‘small business’ means “regulated entity that satisfies one or both of the following thresholds:

  • Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
  • Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.”

 

What is exempt under the Washington My Health My Data Act (MHMD) ?

Washington’s My Health My Data Act exempts the following entities and types of information: 

  • Entities or associates covered by HIPAA.
  • Health care facilities or providers under state law.
  • Programs or service organizations under federal drug abuse laws.
  • Protected health information under HIPAA.
  • Health care information when used according to state health laws.
  • Patient information when used according to federal drug abuse laws.
  • Identifiable private information used in research and clinical practice guidelines.
  • Information for quality improvement, peer review, or quality assurance committees.
  • Documents for the Health Care Quality Improvement Act.
  • Patient safety work products under federal health laws.
  • Deidentified information from health care sources.
  • Information used for public health activities or part of a limited data set.
  • Identifiable data used according to state health data laws.
  • Personal information governed by and collected, used, or disclosed under:
    • Gramm-Leach-Bliley Act (financial information).
    • Title XI of the Social Security Act (health information).
    • Fair Credit Reporting Act (credit information).
    • Family Educational Rights and Privacy Act (educational records).
    • Washington Health Benefit Exchange regulations (health benefits).
    • Privacy rules from the Office of the Insurance Commissioner.
What data subject rights does the Washington My Health My Data Act (MHMD) grant?

The Washington My Health My Data Act (MHMD) gives consumers the following rights: 

  • Right to Access
  • Right to Delete
  • Right to Withdraw Consent
  • Right to Non-Discrimination
What are the penalties for non-compliance with the Washington My Health My Data Act (MHMD)?

Violations of the Washington My Health My Data Act (MHMD) are considered unfair or deceptive acts and can result in penalties under the state's consumer protection laws. The Attorney General can bring enforcement actions against businesses that fail to comply, and consumers can also bring civil actions to enforce their rights under the Act.




illustration of means of contact

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596