Kirkland Alert

Washington’s My Health My Data Act

View PDF

At a Glance


Washington state recently passed the My Health My Data Act (“MHMDA”) — a comprehensive data privacy law that goes beyond the scope of HIPAA and similar state laws, imposing significant obligations on entities doing business or targeting consumers in Washington and a private right of action that may invite an influx of litigation. Some provisions explicitly come into effect March 2024, but others may come into effect as early as July 2023 (e.g., geofencing). Businesses handling consumer data or doing business in Washington may need to prepare for increased scrutiny of their data collection and sharing practices. 

The Law


MHMDA defines “consumer health data” as personal information reasonably associated with a consumer’s “past, present, or future physical or mental health status,” including information regarding health conditions, treatment, diagnosis, reproductive or sexual health, gender affirming care, genetic data and location data that could reasonably indicate a consumer’s attempt to acquire health services or supplies. Notably, the definition also includes data (derived “from nonhealth information”) that can be used to deduce or infer consumer health data, such as inferring health conditions or services based on a person’s purchases or location.

The law applies to any legal entity that does business in Washington or produces or provides products or services targeted to consumers in Washington, regardless of size. Nonprofits are not exempted. The breadth of the law may extend beyond entities with direct business contacts in Washington (e.g., businesses with data centers/servers in Washington). 

MHMDA imposes certain obligations and restrictions on regulated entities’ handling of consumer health data, including the following:

  • Health Data Privacy Policy: Regulated entities must link to a consumer health data privacy policy on their homepage that discloses their health data collection and sharing practices and the consumer’s rights. 
  • Data Collection: Regulated entities cannot collect, use or share a consumer’s health data or other data for purposes not disclosed in the health data privacy policy without first obtaining affirmative consent for the particular purpose of collection unless the regulated entity needs the data to provide a product or service that the consumer has requested. 
  • Data Sharing: Regulated entities cannot share consumer health data unless they have a consumer’s consent or it is necessary to provide a product or service that the consumer specifically requested. Data shared in the context of a transaction (e.g., merger or acquisition) or in bankruptcy is not considered “sharing” for the purposes of MHMDA.
  • Data Selling: No entity or person can sell or offer to sell consumer health data without obtaining a (revokable) authorization from a consumer. Data sold in the context of a transaction (e.g., merger or acquisition) or in bankruptcy is not considered a “sale” for the purposes of MHMDA.
  • Geofencing: Geofencing involves creating a virtual geographic boundary to target marketing to an individual entering or exiting that boundary. The MHMDA prohibits using a geofence around an entity providing in-person “health care services” to identify, track or target consumers or collect their health data.

Enforcement


Washington’s attorney general and individual consumers (including individuals outside of Washington) may file a lawsuit alleging MHMDA violations under the state’s Consumer Protection Act. Unlike other state privacy laws, MHMDA does not explicitly carve out consumer class actions from this private right of action.

Exemptions


The law exempts government agencies, tribal nations and government contractors processing consumer health data. 

The MHMDA also carves out certain types of data from its requirements, including, “protected health information” as defined under HIPAA, certain public and peer-reviewed research data, employee data, de-identified data, publicly available data and data covered under other laws (e.g., GLBA).

Notwithstanding these exceptions, businesses that process exempt data should recognize that MHMDA’s requirements may still apply to its non-exempt data. 

Key Dates & Next Steps


Regulated entities must comply with certain provisions by late July 2023 and fully comply with the MHMDA by March 31, 2024; though entities that the law defines as “small businesses” have until June 30, 2024, to comply. In preparation for MHMDA, we recommend considering what data you or your portfolio companies have that may be subject to MHMDA and how to comply with these new requirements. This may include updating internal policies around the data of Washington residents, drafting and publishing a new consumer health data privacy policy, implementing appropriate safeguards, revising or drafting additional consumer consents, and/or considering what business practices may need to be modified (e.g., limiting geofencing-related activities around facilities that provide healthcare services).

We expect additional developments and clarifications of certain ambiguities regarding MHMDA and will provide updates accordingly. If you have questions, please reach out to one of the authors below or your regular Kirkland contact.

Authors

Dennis Williams

Dennis Williams

Partner New York
Robert Kantrowitz

Robert Kantrowitz

Partner New York
John Lynn, P.C.

John Lynn, P.C.

Partner Bay Area – San Francisco Austin
Laila Paszti

Laila Paszti

Partner Bay Area – San Francisco

Practices

This publication is distributed with the understanding that the author, publisher and distributor of this publication and/or any linked publication are not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.