2023 is proving to be an interesting legislative year in the United States, as several individual states take on new legislation aimed at protecting consumer data. California, of course, was the first and has been joined by Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Texas and Montana in putting comprehensive data privacy laws in place. As noted in this Bloomberg Law update, “at least 16 other states have introduced privacy bills that address a range of issues, including protecting biometric identifiers and health data.”
Recently, Washington enacted the My Health, My Data Act (MHMDA), a comprehensive health privacy law that imposes broad restrictions on how consumer health data can be used by companies either doing business in the state of Washington or engaging with Washington residents. Washington is the first state to take on this type of legislation, which “differs from other comprehensive state privacy laws as it aims to regulate the collection and use solely of consumer health data.”
What makes this legislation unique
The MHMDA was introduced in response to concerns over businesses’ exploitation of consumer health data; for example, with the rise of mobile health apps and wearables, it is easier than ever for companies to gather data on people’s health. This increase in data capture has led to concerns over the potential misuse of this data, with fears that these organizations could sell the data to third parties or that it could be used to discriminate against individuals.
The MHMDA defines consumer health data as “personal information that is linked or could reasonably be linked to a consumer’s past, present, or future physical or mental health status.” This definition of consumer health data can include traditionally non-health-related information, such as unique identifiers collected online if they have some connection to personal health.
The MHMDA applies broadly to entities conducting business in Washington or providing services to Washington residents that process consumers’ health-related data, regardless of the size or revenue of the company. Because the MHMDA’s definition of consumer health data extends to people identified through unique identifiers, it is ambiguous whether any data beyond employee and business-to-business data can be excluded. Additionally, the broad definition of “collect,” which covers “buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner,” could extend to any form of processing consumer health data; the MHMDA could therefore apply to consumers globally, provided their health data is collected or processed in Washington.
The MHMDA establishes novel and expansive privacy legislation, imposing new and uncertain compliance obligations on many organizations, including enhancing notice and opt-in consent requirements, data security practices, third-party management, data subject rights and limiting geofencing. Here are some key components of MHMDA that organizations subject to this law will need to address:
- Requiring opt-in consent: Organizations must obtain opt-in consent for any collection, use, or disclosure of consumer health data not strictly necessary to provide a service or good requested by the consumer.
- Requiring written authorization: There is an additional obligation to obtain written authorization to sell consumer health data that is separate and distinct from the consent required to collect, use, or disclose consumer health data.
- Data protection: Reasonable data security practices, similar to the provisions in existing state privacy laws, must be implemented to protect the confidentiality, integrity, and accessibility of consumer health data.
- Enhanced contractual requirements: A written contract with data use limitations and security provisions must be in place for any third parties that process consumer health data. Consumers have the right to know what data is collected and the contact information for third parties with whom it is shared.
- Data deletion: Consumers can request their data be deleted with no exceptions. This right to delete includes archives and backup tapes and extends to third parties with whom the data is shared. Consumers have the right to withdraw their consent and appeal any decisions by the organization to refuse to fulfill any data subject rights.
- Geofencing restrictions: Organizations are restricted from geofencing (using location-based technology to trigger automated actions or notifications) around facilities that provide in-person healthcare services for the purposes of identifying and tracking consumers seeking health services, collecting consumer health data or sending messages or advertisements to consumers related to their consumer health data or health services.
What to do now
The MHMDA will take effect on March 31, 2024; however, it might face some challenges in implementation and in the courts based on drafting ambiguity. While businesses processing consumer health data might find it difficult to comply with the law’s obligations, initial compliance measures to take should include:
- Reviewing and documenting existing data collection and disclosure practices,
- Developing processes to respond to consumer rights,
- Developing third-party agreements to include required provisions, and
- Discontinuing the use of geofences.
The My Health My Data Act aims to address the protection of consumer health data by establishing compliance requirements for businesses processing this data. The act provides consumers with control over their health information and promotes transparency in data usage. It has inspired similar regulations in Connecticut (SB 3) and Nevada (SB 370). The FTC has also signaled its intention to focus on safeguarding consumer health data with its recent enforcement actions against GoodRx ($1.5 million for violating the Health Breach Notification Rule) and BetterHelp ($7.8 million for deceptive and unfair practices). Organizations should carefully analyze requirements to address challenges and limitations, such as businesses’ compliance and consumers’ ability to exercise their rights. Overall, the MHMDA aims to achieve a balance between protecting consumer privacy and fostering innovation in the healthcare industry.
The information provided is intended for general information purposes only and should not be construed as legal advice. Protiviti is not a law firm and readers should consult with legal counsel to obtain advice tailored to their specific factual circumstances.