Unraveling the Washington My Health My Data Act: What You Need to Know

Following in the footsteps of other state-specific data privacy legislation, Washington State has established a new law called the Washington My Health My Data Act (MHMDA).

The landscape of data privacy regulation and protection within the United States is continually evolving. Amid widespread data breaches, growing concerns about privacy rights and technological advancements, various industry standards and regulatory actions have emerged. The U.S. lacks a comprehensive federal data privacy law like the European Union's GDPR, prompting individual states to determine their own initiatives.

Washington went beyond what other states like California have done, addressing gaps in health data protection left by HIPAA (the federal law governing health data privacy for covered entities). MHMDA introduces sweeping provisions that redefine how personal data, particularly health-related information, is handled across various organizations.

What MHMDA Covers

MHMDA sets up a comprehensive privacy framework for entities operating within Washington State that handle consumer health data. Consumer health data is broadly defined to encompass not only traditional health information but also categories such as "bodily functions," "biometric information," "data identifying a consumer seeking health care services" (inclusive of any service related to mental or physical health assessment, measurement, improvement or learning) and "precise location information."

The act also provides a non-exhaustive list of consumer health data examples, including:

  • Health conditions, treatment, diseases, diagnoses, surgeries or procedures
  • Use or purchase of prescribed medication
  • Bodily functions, vital signs, symptoms or measurements of the information listed here
  • Gender-affirming, reproductive or sexual health information
  • Biometric data and genetic data
  • Data that identifies a consumer seeking health care services
  • Health information that is derived or inferred from non-health data

How to Follow MHMDA

Within this framework, there are strict notice and consent requirements, along with limitations on certain advertising practices. MHMDA supersedes other state privacy laws.

Under MHMDA, regulated entities must:

  1. Publish an independent consumer health data privacy policy aligned with legal mandates that is accessible through a separate and distinct link on a company's website.
  2. Obtain informed, opt-in consent for both the collection and sharing of consumer health data beyond what is necessary to provide a product or service that a consumer has requested.
  3. Acquire comprehensive, signed authorization for any commercial transactions involving consumer health data.
  4. Not use geofencing for advertising purposes in the area around facilities offering in-person healthcare services.
  5. Establish protocols for addressing consumer requests concerning data access, deletion or consent withdrawal.
  6. Pass through deletion requests by sending a notification of the consumer's request to all processors, affiliates and third parties with which the consumer health data has been shared.
  7. Verify that contracts with vendors accessing consumer health data incorporate suitable data privacy provisions.

Enforcing MHMDA and Potential Penalties

The Washington Attorney General's Office will supervise enforcement of MHMDA. It is empowered to impose warnings, restitution, civil penalties and legal fees in cases of non-compliance.

Additionally, consumers have the right to pursue legal action against companies for violating MHMDA. We anticipate that this will result in extensive litigation, although plaintiffs must demonstrate the damages that arose from any alleged violations. MHMDA does not specify statutory damages.

MHMDA went into effect on March 31, 2024 for most regulated entities, but small businesses are allowed three additional months to comply, by June 30, 2024.

How We Move Forward

With MHMDA in effect, healthcare companies must prepare for a paradigm shift in privacy regulation. The sweeping provisions and strict rules of MHMDA will usher in a new era of data governance, and it is vital that all organizations engaging with Washington consumers’ health data are prepared. Navigating the complex landscape will require meticulous compliance frameworks, proactive risk mitigation measures and a thorough understanding of the implications for businesses and consumers alike.

If you have questions about MHMDA or want to strategize a plan for your company, Spectrum Science can help. Contact us today.
