How Washington State Just Changed the Consumer Health Data Privacy Game

2023 is proving to be an interesting legislative year in the United States, as several individual states take on new legislation aimed at protecting consumer data. California, of course, was the first and has been joined by Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Texas and Montana in putting comprehensive data privacy laws in place. As noted in this Bloomberg Law update, “at least 16 other states have introduced privacy bills that address a range of issues, including protecting biometric identifiers and health data.”

Recently, Washington enacted the My Health, My Data Act (MHMDA), a comprehensive health privacy law that imposes broad restrictions on how consumer health data can be used by companies either doing business in the state of Washington or engaging with Washington residents. It is the first state to take on this type of legislation which “differs from other comprehensive state privacy laws as it aims to regulate the collection and use solely of consumer health data.”

What makes this legislation unique

The MHMDA was introduced in response to concerns over businesses’ exploitation of consumer health data; for example, with the rise of mobile health apps and wearables, it is easier than ever for companies to gather data on people’s health. This increase in data capture has led to concerns over the potential misuse of this data, with fears that these organizations could sell the data to third parties or be used to discriminate against individuals.

The MHMDA defines consumer health data as “personal information that is linked or could reasonably be linked to a consumer’s past, present, or future physical or mental health status.” This definition of consumer health data can include traditionally non-health-related information, such as unique identifiers collected online if they have some connection to personal health.

The application of MHMDA applies broadly and includes entities conducting business in Washington or providing services to Washington residents that process consumers’ health-related data, regardless of the size or revenue of the company. With the understanding of how the MHMDA defines consumer health data, which includes protection for people identified through unique identifiers, this may create ambiguity around excluding data beyond employee and business-to-business data. Additionally, the broad interpretation of “collect,” defined as “buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner,” could extend to any form of processing consumer health data, and therefore, the MHMDA could apply to consumers globally, provided their health data is collected or processed in Washington.

The MHMDA establishes novel and expansive privacy legislation, imposing new and uncertain compliance obligations on many organizations, including enhancing notice and opt-in consent requirements, data security practices, third-party management, data subject rights and limiting geofencing. Here are some key components of MHMDA that organizations subject to this law will need to address:

  • Consumer health data privacy policy: The act requires organizations to develop and maintain a consumer health data privacy policy with specific disclosures about their data practices that are presumably separate from an organization’s existing privacy notice.
  • Requiring opt-in consent: It also requires organizations to provide opt-in consent for any collection, use, or disclosure of consumer health data not strictly necessary to provide a service or good requested by the consumer.
  • Requiring written authorization: There is an additional obligation to obtain written authorization to sell consumer health data that is separate and distinct from the consent required to collect, use, or disclose consumer health data.
  • Data protection: Reasonable data security practices must be implemented to protect the confidentiality, integrity, and accessibility of consumer health data that are similar to the provisions in existing state privacy laws.
  • Enhanced contractual requirements: A written contract with data use limitations and security provisions must be in place for any third parties that process consumer health data. Consumers have the right to know what data is collected and the contact information for third parties with whom it is shared.
  • Data deletion: Consumers can request their data be deleted with no exceptions. This right to delete includes archives and backup tapes and extends to third parties with whom the data is shared. Consumers have the right to withdraw their consent and appeal any decisions by the organization to refuse to fulfill any data subject rights.
  • Geofencing restrictions: Organizations are restricted from geofencing (using location-based technology to trigger automated actions or notifications) around facilities that provide in-person healthcare services for the purposes of identifying and tracking consumers seeking health services, collecting consumer health data or sending messages or advertisements to consumers related to their consumer health data or health services.

What to do now

The MHMDA will take effect on March 31, 2024; however, it might face some challenges in implementation and in the courts based on drafting ambiguity. While businesses processing consumer health data might find it difficult to comply with the law’s obligations, initial compliance measures to take should include:

  • Reviewing and documenting existing data collection and disclosure practices,
  • Developing processes to respond to consumer rights,
  • Developing third-party agreements to include required provisions, and
  • Discontinuing the use of geofences.

The My Health My Data Act aims to address the protection of consumer health data by establishing compliance requirements for businesses processing this data. The act provides consumers with control over their health information and promotes transparency in data usage. It has inspired similar regulations in Connecticut (SB 3) and Nevada (SB 370). The FTC has also signaled its intention to focus on safeguarding consumer health data with its recent enforcement actions against GoodRx ($1.5 million for violating the Health Breach Notification Rule) and BetterHelp ($7.8 million for deceptive and unfair practices). Organizations should carefully analyze requirements to address challenges and limitations, such as businesses’ compliance and consumers’ ability to exercise their rights. Overall, the MHMDA aims to achieve a balance between protecting consumer privacy and fostering innovation in the healthcare industry.

Read the results of our 2023 Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.

To learn more about our privacy, legal consulting and security  solutions, contact us. 

The information provided is intended for general information purposes only and should not be construed as legal advice. Protiviti is not a law firm and readers should consult with legal counsel to obtain advice tailored to their specific factual circumstances.

Joseph Emerson

Security and Privacy

Arnold Park

Legal Consulting

Subscribe to Topics

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. #ProtivitiTech

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible.

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. #ProtivitiTech

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! #ProtivitiTech #DataPrivacy

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. #ProtivitiTech #TechnologyInsights

Load More