Confused About the Washington My Health My Data Act?

The Washington Attorney General's (AG's) office released an FAQ that clarifies some important provisions of Washington's new My Health My Data Act (HB 1155)(MHMD), which was signed into law by Governor Jay Inslee on April 27, 2023. In our prior post and webinar, we explained how the broad scope and vague definitions in MHMD could be interpreted to go far beyond what is ordinarily thought of as health data and to affect people or entities that may have no or little evident connection to Washington state. The AG's FAQ addresses:

• Geofencing Effective Date: All regulated entities must comply with the geofencing restrictions by July 23, 2023.
• Effective Dates of Other Compliance Sections: By March 31, 2024, regulated entities must: post a consumer health data privacy policy on their website; comply with consumer health data (CHD) processing and sharing limitations; be prepared to comply with consumer requests; restrict internal CHD access; implement data security practices; update processor contracts with required terms; and obtain specific consent from consumers before selling or offering to sell their CHD (Sections 4 to 9). Small businesses, which are regulated entities that do not meet certain CHD processing and revenue limits, have an additional three months to comply – until June 30, 2024.
• Enforcement: "Any violation" of MHMD is a "per se" violation of the Washington Consumer Protection Act and is enforced by the AG's office and through a private right of action under the Washington Consumer Protection Act, RCW 19.86.
• Scope: Out-of-state entities that are processors for regulated entities must comply with MHMD. An out-of-state entity that "only stores data in Washington is not a regulated entity" subject to MHMD. The guidance further states Sections 9 and 10 of MHMD apply to any "person," including natural persons, legal entities and out-of-state entities. Under Section 9, to sell CHD, an out-of-state entity that is a "person" under MHMD would need the authorization of the consumer, who could be a Washington resident or a natural person whose information was processed in Washington. Also, the geofencing prohibition in Section 10 would apply to anyone, whether in state or out of state, because MHMD governs Washington residents wherever they may travel. For this reason, it might be interpreted as prohibiting a MHMD geofence anywhere in the world.
• Privacy Policy: A regulated entity covered by MHMD must prominently publish a link to its "Consumer Health Data Privacy Policy" on the entity's website homepage.
• CHD Scope: The AG clarified that CHD does not include "the purchase of toiletry products," which was not clear from the statute. Therefore, deodorant, mouthwash, and toilet paper do not relate to "bodily functions" as defined in MHMD. But health-related inferences about specific identifiable consumers based on their purchases of these products (such as whether the consumer is pregnant) is CHD. And, information from apps that track digestion or perspiration is also CHD. "Nonhealth data" that a regulated entity collects but does not process to identify or associate a consumer with a physical or mental health status is not CHD.
• Document Retention: If a consumer requests to have their CHD deleted, then the regulated entity may retain any valid CHD sale authorization that consumer provided after deleting the portion of the authorization specifying the CHD that could be sold. The redacted section of the authorization should state: "REDACTED pursuant to consumer deletion request on [insert date]".

This FAQ reflects the AG's interpretation of MHMD and is helpful guidance even though it is nonbinding and does not replace or modify MHMD itself.

DWT's Privacy and Security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other new state and federal privacy laws and regulations.