On April 17, 2023, the Washington State Legislature passed the “My Health My Data Act” (WMHMDA or the Act). Unlike other modern state privacy laws that purport to regulate any collection of “personal data,” WMHMDA confers privacy protections only upon “Consumer Health Data.” That term is defined to include data that is linked (or linkable) to an individual and that identifies their “past, present, or future physical or mental health status.”[1] As the statute is not intended to apply to HIPAA-regulated entities or employers,[2] it has caused some confusion regarding its scope (i.e., which companies may be collecting consumer health data) as well as its requirements. Specifically, the Act refers to data that might “identify” a consumer seeking a service to “improve, or learn about a person’s mental or physical health” as an example of Consumer Health Data.[3] As a result, organizations that traditionally don’t consider themselves to be collecting health data, such as grocery stores, newspapers, dietary supplement providers, and even fitness clubs, are uncertain whether the Act may be interpreted to apply to them to the extent that someone seeks out such companies either for information about health or to improve their health.
Among other things, organizations that are subject to the Act are required to obtain consent for a variety of processing activities that relate to consumer health data. What constitutes “consent,” however, differs based upon the processing activity.
FOOTNOTES
[1] Sub. House Bill 1155, § 3(8)(a) (2023).
[2] Sub. House Bill 1155, § 3(7) (excluding from the definition of “consumer” an individual acting in an employment context), § 12(1)(a)(i) (excluding HIPAA-regulated entities).
[3] Sub. House Bill 1155, §§ 3(8)(a), 15 (2023).