Today, Governor Jay Inslee signed into law the My Health My Data Act (SB 1155) (the “Act” or “MHMD”), a first-of-its-kind consumer health data law. Passage of the Act was, in part, a direct response by Washington state lawmakers to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Org. overturning Roe v. Wade. Recognizing that the nation’s federal health law, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), has blind spots in protecting health-related information collected outside of contexts involving HIPAA covered entities (e.g., healthcare institutions), the legislature in passing MHMD sought to “close the gap” in privacy protections for health data that falls outside the scope of HIPAA, including information related to reproductive health and gender-affirming care.
In reality, however, the Washington legislature went far beyond closing the so-called gap and addressing the fallout from Dobbs. Ultimately, the broad scope of “consumer health data” (“CHD”) covered by the Act brings a wide range of health-related data, not previously treated as sensitive, into scope (“past, present, or future physical or mental health”). The law’s expansive extraterritorial application (it applies both to personal information of the state’s residents and to non-residents’ personal information collected while they are physically in the state) will require compliance by organizations in industries that are not even tangentially related to healthcare. Most notably, MHMD requires explicit consent to collect and share consumer health data, practically preventing common health-related advertising practices, and outright bans some advertising practices (geofencing medical facilities). Furthermore, MHMD has a private right of action and statutory damages, so it can be expected that the plaintiffs’ bar will bring actions based on a broad interpretation of the law.
Companies should begin to assess the applicability of MHMD to their organizations, as most of the operative provisions go into effect less than a year from now. For example, it would be prudent to add MHMD diligence and data mapping to the scope of current privacy and data governance projects under which companies are addressing compliance with the various state privacy laws, including in California, Virginia, Colorado, Utah, Iowa and Connecticut (with more seemingly being passed every week as many states’ legislative sessions wrap up, as we cover here and here).
When Does the Law Go Into Effect?
Pursuant to Washington law, MHMD will go into effect 90 days following adjournment of the Washington legislature’s 2023 session. The legislature adjourned on April 23, 2023, making the effective date July 22, 2023. This said, entities regulated under the law are not required to comply with most of the operative provisions until March 31, 2024 (June 30, 2024, for “small businesses,” described below). The prohibition on geofencing (discussed further below), however, does not have a delayed operative date, and companies will have to comply with this prohibition starting this July.
What Businesses Are Required to Comply With The Act?
The Act has a very broad extraterritorial scope and applies to companies located in and outside of Washington state. The law applies primarily to “regulated entities,” which means any legal entity that:
- conducts business in Washington, or produces or provides products or services targeted to consumers in Washington; and
- alone or jointly with others determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.
As indicated above, the law also applies to “small businesses,” which means a regulated entity that satisfies one or both of the following thresholds:
- collects, processes, sells, or shares the consumer health data of fewer than 100,000 consumers during a calendar year; or
- derives less than 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares the consumer health data of fewer than 25,000 consumers.
The manner in which “consumer” is defined adds to the breadth of the extraterritorial application. In particular, consumer is broadly defined as:
- a natural person who is a Washington resident; or
- a natural person whose consumer health data is collected in Washington.
The definition further states that consumer “means a natural person who acts only in an individual or household context, however identified, including by any unique identifier” but that the definition “does not include an individual acting in an employment context.”
The second prong of the “consumer” definition makes sense in view of the Act’s intent and the Dobbs backdrop; it seeks to protect the data of individuals who travel to Washington to receive healthcare services, such as reproductive healthcare services. The effect of this definition, however, is much broader: even a transitory visit to the state by a non-resident for any purpose could cause data previously collected by a regulated entity, or inferences made based on previously collected data, to constitute consumer health data, if data from the transitory visit were included. This is particularly true given the breadth of the definition of “consumer health data.”
What Data is Regulated?
The Act applies to “consumer health data,” defined broadly to mean “personal information that is linked or reasonably linkable to a consumer and that identifies [or infers] a consumer’s past, present, or future physical or mental health.”
“Personal information” is very broad and defined in a manner similar to definitions in consumer privacy laws such as the California Consumer Privacy Act (“CCPA”), namely, “information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer.” The law clarifies that personal information “includes, but is not limited to, data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier.” This definition, including its clarification that it applies to online IDs, is a clear shot at the use of data tied to pseudonymous IDs and pseudonymous profiles, such as that which occurs in digital advertising.
The definition includes the following enumerated, non-exhaustive list clarifying the meaning of “physical or mental health status”:
- individual health conditions, treatment, status, diseases, or diagnoses;
- social, physiological, behavioral, and medical interventions;
- health-related surgeries or procedures, diagnostic testing, and treatment;
- use or purchase of prescribed medication;
- bodily functions, vital signs, symptoms, or related measurements;
- gender-affirming care information;
- reproductive or sexual health information;
- biometric data and genetic data related to consumer health data;
- precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
- data that identifies a consumer seeking health care services; and
- any consumer health data information that is derived or extrapolated from non-health information, such as proxy, derivative, inferred, or emergent data.
There is much to unpack in that definition, including the enumerated list. The last two bullets perhaps most clearly signify the breadth of the definition of consumer health data, and are among those aspects of the definition that likely pull data not traditionally considered sensitive health data into the definition and within the scope of the law.
What Obligations Does the Act Impose on Regulated Entities?
Privacy Policies
Regulated entities are required to maintain a consumer health data privacy policy, with prescriptive disclosure requirements that are, to some extent, similar to certain requirements of the CCPA. The law also requires a link to the consumer health data privacy policy to be “prominently publish[ed]” on each webpage where personal information is collected (effectively, most webpages), and for online services such as mobile apps, on the “platform or download page” and within the settings page or similar.
The required contents of the consumer health data privacy policy are as follows:
- the categories of consumer health data collected and the purposes of collection;
- the categories of sources from which consumer health data is collected;
- the categories of consumer health data that is shared;
- the categories of third parties and affiliates with whom the regulated entity shares consumer health data; and
- how consumers can exercise their rights with regard to consumer health data.
The law does not prescribe whether the consumer health data privacy policy must be an entirely separate, stand-alone policy, or whether it can, for example, be included within a company’s general privacy policy or state-specific privacy policy.
GDPR-Like Consent for “Collection” and “Sharing”; Signed Authorization Required to “Sell”
Regulated entities must obtain consent prior to collecting or sharing CHD. For “sales” of CHD, the Act requires regulated entities to obtain a valid authorization from the consumer. These requirements, already difficult to satisfy as currently drafted, are also rife with ambiguities, resulting in potential interpretations that could not have been intended and that, particularly in view of the private right of action, could have dire and unintended consequences.
The definition of “collect” ensures that the consent requirement covers not only consumer health data obtained directly from a consumer but also CHD created by regulated entities (such as through derivations, inferences, or combination with third-party data). Moreover, the definition would seem to require obtaining consent from the consumer when purchasing CHD from a third party, as there is nothing in the Act indicating that such consent is satisfied where the consumer gives a valid consent or authorization to the party sharing or selling the CHD. In many contexts, this would seem to effectively ban third-party sales of CHD, which the legislature, if it had so intended, could have done expressly. Yet, due to the ambiguity, we are stuck with that potential interpretation.
“Sharing” means “to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, CHD.” This definition, as compared to sale (discussed below), is seemingly meant to cover the disclosure, or other making available, of CHD in non-commercial contexts, such as where a government (e.g., in a red state) compels or requests CHD from a regulated entity (that may possess CHD regarding a particular individual or group of individuals). There is a limited exception to the consent requirement for disclosures of CHD to a third party where the regulated entity or small business has a direct relationship with the consumer and the disclosure is for purposes of providing a product or service requested by the consumer.
“Sale,” on the other hand, is defined much more broadly to encompass any “exchange of consumer health data for monetary or other valuable consideration.” The lack of a requirement for monetary consideration would seem to, effectively, pull into the scope of the law any exchange of consumer health data in a commercial context, similar to the manner in which some of the consumer privacy laws like the CCPA define the term. The requirement for the authorization to list the specific “purchaser,” however, raises significant ambiguity as to the intent and meaning of the broad definition of sale when viewed against its lack of a requirement for monetary consideration. Specifically, the term “purchaser” would seem to exclude parties that receive and process data in exchange for non-monetary consideration (such as that which occurs in the digital advertising ecosystem). The breadth of the definition of sale would seem to indicate that all sales constitute sharing. However, given the differential requirements of a consent as compared to an authorization (each listed below), obtaining an authorization may not satisfy the requirements for consent. Moreover, the Act states that any “authorization must be separate and distinct from the consent obtained to collect or share,” which seems to indicate that both a consent and authorization would be required in a transaction that involves both sharing and sale.
Unlike consent for sharing, which may list categories of recipients (which has the effect of allowing sharing with multiple recipients under one consent), separate authorizations appear to be required for each purchaser. Obtaining separate authorizations for each purchaser is likely unachievable in many contexts, and could have a chilling effect on the use of CHD, including for purposes that were not intended by the legislature.
The consent that must be obtained prior to the collection or sharing of any CHD must include the following:
- the categories of consumer health data collected or shared;
- the purpose for the collection or sharing;
- the categories of entities with whom the consumer health data is shared; and
- how the consumer can withdraw consent from future collection or sharing.
The authorization required for sale of CHD must contain:
- the specific CHD concerning the consumer that the person intends to sell;
- the name and contact information of the person collecting and selling the CHD;
- the name and contact information of the person purchasing the CHD;
- a description of the purpose for the sale;
- a statement that the provision of goods or services may not be conditioned on the consumer signing the authorization;
- a statement that the consumer has a right to revoke the authorization at any time and a description on how to submit a revocation of the valid authorization;
- a statement that the CHD sold pursuant to the authorization may be subject to redisclosure by the purchaser and may no longer be protected by MHMD;
- an expiration date for the authorization that expires no later than one year from when the consumer signs the authorization; and
- the signature of the consumer and the date of execution.
The authorization must be “signed,” which under Washington’s Uniform Electronic Transactions Act (“UETA”) would permit electronic signatures.
In addition to the challenge of simply obtaining the aforementioned consents and authorizations, the following is a non-exhaustive list of issues with which companies will have to grapple after receiving the applicable consents and/or authorizations.
- Ensuring scope of use and disclosure aligns with consents and authorizations (both internally and as to third-party recipients);
- Honoring and operationalizing duration/time limitations on authorizations;
- Preventing future “collection” of CHD that is internally created upon revocation of consent; and
- Similar and related issues will arise for recipients of CHD pursuant to consents and authorizations.
Consumer Rights Concerning Consumer Health Data
Regulated entities must receive and process consumer rights requests, including requests to exercise the right to:
- confirm whether a regulated entity is collecting, sharing, or selling consumer health data;
- access consumer health data, including a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data;
- withdraw consent for the regulated entity’s collection and sharing of consumer health data; and
- have consumer health data deleted (with very onerous notification and clawback requirements with respect to sharing recipients).
Unlike the CCPA and other state privacy laws, there are no explicit exceptions that apply to a regulated entity’s obligations to process consumer requests. By way of example, while the CCPA provides eight exceptions that specifically excuse a CCPA “business” from complying with a deletion request, MHMD does not include any.
Regulated entities must fulfill consumer requests within 45 days of receipt of a request. This response period may be extended once by another 45 days when reasonably necessary. Information provided in response to a consumer request must be provided free of charge up to two times per year. Similar to the consumer privacy laws, regulated entities must authenticate a consumer request (authentication is defined as using reasonable means to determine that a request is being made by, or on behalf of, the consumer who is entitled to exercise such consumer rights with respect to the CHD at issue), but this does not extend the regulated entity’s duty to comply with the consumer’s request within the mandated time period. However, if a regulated entity is unable to authenticate the request using commercially reasonable efforts, the regulated entity is not required to comply with a request to initiate an action and may seek additional information from the consumer reasonably necessary to authenticate the consumer and his or her request.
Regulated entities must also establish a process for consumers to appeal the regulated entity’s refusal to take action on a request, similar to what is required in a handful of state consumer privacy laws. Within 45 days of receipt of an appeal, the regulated entity must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reason for the decision(s). If the appeal is denied, the regulated entity must also provide the consumer with an online mechanism or other method through which the consumer may contact the Washington attorney general to submit a complaint.
Prohibition on Geofencing of Certain Health Care Entities
The Act prohibits the implementation of a geofence—defined as technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of location detection to establish a virtual boundary of 2,000 feet or less from the perimeter of a specific physical location—around any entity providing in-person health care services where the geofence is used to:
- identify or track consumers seeking health care services;
- collect consumer health data from consumers; or
- send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.
Given the breadth of “health care services,” this definition certainly encompasses more than hospitals, doctor’s offices, and health care facilities.
Data Security
Regulated entities must restrict access to consumer health data by employees, processors, and contractors to only those individuals for whom access is necessary to further the purposes for which a consumer has provided consent or to provide a product or service that the consumer has requested.
In addition, regulated entities must establish and maintain data security practices that, at a minimum, satisfy the reasonable standard of care within the regulated entity’s industry to protect consumer health data.
Processors
Regulated entities must enter into binding contracts with processors that process consumer health data on behalf of the regulated entity, setting forth processing instructions for the processor and limiting the actions that may be taken by the processor with respect to data processed on behalf of the regulated entity. Processors may process consumer health data only pursuant to a binding contract between the processor and the regulated entity, and in a manner that is consistent with the binding instructions set forth in the contract.
In addition, processors must assist regulated entities through the utilization of appropriate technical and organizational measures in fulfilling the regulated entity’s obligations relating to consumer health data.
Does The Act Provide Any Exemptions From Compliance?
Unlike the CCPA and similar consumer privacy statutes, the Act does not provide for any entity-level exemptions from compliance. Instead, the Act includes a number of data-level exemptions applicable to personal information that is collected, used, or disclosed pursuant to specified federal and state law, including:
- protected health information for purposes of HIPAA;
- health care information collected, used, or disclosed in accordance with Washington’s Uniform Health Care Information Act (“UHCIA”);
- patient identifying information collected, used, or disclosed in accordance with federal law relating to the confidentiality of substance use disorder records; and
- personal information governed by the Gramm-Leach-Bliley Act (“GLBA”), the Fair Credit Reporting Act (“FCRA”), and statutes and regulations pertaining to the Washington Health Benefit Exchange.
In addition, the obligations imposed under the Act do not restrict regulated entities’ and processors’ ability to collect, use, or disclose consumer health data to:
- prevent, detect, protect against, or respond to security incidents, theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;
- preserve the integrity or security of systems; or
- investigate, report, or prosecute those responsible for such actions.
How Will the Act Be Enforced?
There is a private right of action under MHMD. This is by way of the state’s Consumer Protection Act (“CPA”), its UDAP/unfair competition law. Violations of MHMD are deemed a violation of the CPA and are subject to its private right of action, which allows consumers to recover statutory damages of up to $7,500 per violation, reasonable attorney’s fees, and costs. In addition, MHMD provides the Washington attorney general with the authority to investigate and prosecute claims under the CPA on behalf of the state or its residents.
The commentary on the My Health My Data Act in this blog post should not be viewed as a lack of support for rights of individuals to seek health care services and privacy rights in relation to the same, most notably in respect of reproductive and sexual health, and gender-affirming care, which are both implicated under the Act. We recognize and applaud the Washington state legislature’s intent to ensure access to these types of health care services and to protect the privacy of those who seek such care. The commentary we provide in this blog post, to the extent it is critical of the bill, is focused on the various compliance challenges that organizations will face due to its breadth, which reaches far beyond the legislature’s laudable intent.