On April 27, 2023, Washington’s Governor signed Washington’s My Health, My Data Act (“WMHMDA” or “Act”). Beginning March 31, 2024, most entities subject to the Act will have certain obligations towards consumer health data,[1] including providing consumers with the right to access their information, withdraw their consent to certain processing, and request the deletion of their information. While the Act was promoted as a measure to help protect reproductive and gender affirming care, its scope goes beyond those discrete issues.
The WMHMDA purports to regulate any entity that conducts business in Washington state, or produces or provides products or services targeted at consumers in Washington, and “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.”
While some assume that “consumer health data” refers to health-related information collected by medical practitioners, the Act uses the term to refer to non-HIPAA regulated information that is linked (or linkable) to an individual and that identifies their “past, present, or future physical or mental health status.”[2]
As an example of consumer health data, the Act cites information that might “identify” a consumer seeking a service to “improve, or learn about a person’s mental or physical health.”[3] As a result, organizations that traditionally don’t consider themselves to be collecting health data, such as grocery stores, newspapers, dietary supplements providers, and even fitness clubs, are uncertain whether the Act may be interpreted to apply to them to the extent that someone seeks out such companies either for information about health, or to improve their health.
While the scope of the Act is broad and may encompass a multitude of business activities, the Act also identifies 33 exemptions from its coverage. The following table explains and summarizes each exemption:
Exempt Entity or Data | Description | Statutory Citation |
---|---|---|
1. Employee exception | Individuals acting in an employment context are not considered consumers under the WMHMDA. As a result, employees are not within the scope of regulated entities and are not subject to the WMHMDA. | Section 3(7) |
2. HIPAA data-level exemption | Personal Health Information (PHI) that is protected by HIPAA is not subject to the WMHMDA. | Section 12(1)(a)(i) |
3. Washington state health care providers or health care facilities. | Health care information collected, used, or disclosed by entities covered under 70.02.010 RCW, such as health care facilities and providers, is not subject to the WMHMDA. Health care information is any information in any medium that can identify or easily associate that information with the patient that relates to the patient’s health (70.02.010(17)). | Section 12(1)(a)(ii) (exempting health care information disclosures from care providers or health care facilities subject to 70.02 RCW) |
4. Entities assisting health care providers and health care facilities exemption. | Individuals that “assist” health care providers or health care facilities under Washington’s Medical Records Act are not subject to WMHMDA. | Section 12(1)(a)(ii) (exempting entities subject to 70.02 RCW) 70.02.020(1) (regulating individuals who assist providers and facilities) |
5. Patient identifying information for programs that diagnose or treat substance abuse exemption. | Patient identifying information collected, used, or disclosed in connection with a program for substance abuse is not subject to the WMHMDA. Patient identifying information includes names, addresses, social security numbers, or fingerprints and photos. A program is generally an individual or entity that holds itself out to provide substance abuse disorder diagnosis, treatment, or referral for treatment. | Section 12(1)(a)(iii) (exempting patient identifying information collected, used, or disclosed under the Confidentiality of Substance Use Disorder Patient law, 42 C.F.R. Part 2) |
6. Entities that conduct clinical research on human research subjects exemption. | Public or private entities that conduct clinical trials on human subjects, and the private information derived from such trials, are not subject to the WMHMDA. A clinical trial is defined as a study on human subjects to evaluate the effects of interventions on biomedical or behavioral health-related outcomes. | Section 12(1)(a)(iv) (exempting entities subject to 45 C.F.R. Part 46, regulating the protection of human subjects in clinical trials) |
7. Entities that conduct clinical research using the Guidelines for Good Clinical Practice exemption. | Individuals, companies, organizations, or institutions that are responsible for generating clinical trial data who use the ICH Harmonized Guidelines on the “Guidelines for Good Clinical Practice” are not subject to the WMHMDA. | Section 12(1)(a)(iv) (exempting information obtained using the ICH for Good Clinical Practice Guidelines) |
8. Entities that conduct clinical investigations by the Food and Drug Administration (“FDA”) exemption. | Individuals or companies that conduct clinical investigations for the FDA using human subjects are not subject to the WMHMDA. | Section 12(1)(a)(iv) (exempting the protection of human subjects for FDA trials under 21 C.F.R. Parts 50, 56) |
9. Personal data used or shared in clinical trial research exemption. | Personal data used or shared during research conducted in accordance with the laws outlined in sections 5, 6, and 7 of this table are not subject to the WMHMDA. The laws are: 45 C.F.R. Part 46, ICH for Good Clinical Practice Guidelines, and 21 C.F.R. Parts 50 and 56. | Section 12(1)(a)(iv) |
10. Creation of quality improvement committee exemption. | Any information or documents used to create health care quality improvement committees, programs or policies are not subject to the WMHMDA. The entities subject to this exemption are health care institutions, medical facilities, health care service contractors, health maintenance organizations, health carriers, ambulatory surgical facilities, hospitals, or any other person or entity providing health care coverage. | Section 12(1)(a)(v)(A) (exempting quality improvement committees and information used to create them under 43.70.510, 70.230.080, and 70.41.200 RCW) |
11. Health care provider filing charges or presenting evidence exemption. | Any information or documents used by a health care provider to file charges or present evidence against a member of their profession based on misconduct or other such charge are not subject to the WMHMDA. A health care provider is defined in 7.70.020 RCW as a person licensed by Washington state to provide health care services or an employee or agent of a person or entity licensed to provide health care services. | Section 12(1)(a)(v)(B) (exempting peer review committees for purposes of filing charges or presenting evidence of misconduct of other medical professionals under 4.24.250 RCW) |
12. Quality assurance committee exemption. | Any information or documents used by facilities (undefined) or assisted living facilities to create and maintain a quality assurance committee are not subject to the WMHMDA. | Section 12(1)(a)(v)(C) (exempting quality assurance committees created by 74.42.640 or 18.20.390 RCW) |
13. Hospitals reporting health care-associated infections exemption. | Any information relating to data collection and reporting of a health care-associated infection by a hospital is not subject to the WMHMDA. Such data concerns a condition that results from adverse reaction to the presence of an infectious agent or toxin that was not present at the time of admission to the hospital. A hospital is any place that provides accommodations, facilities, and services for a continuous period of over 24 hours or more for things such as observations, care, or treatment (43.70.056 RCW). | Section 12(1)(a)(v)(D) (excepting reporting of health care-associated infections per 43.70.056 RCW) |
14. Department of Health contracts with independent entities exemption. | Under Washington law, the Department of Health may contract with independent entities to receive notifications and report adverse events and incidents. In such reporting, medical facilities and health care workers may provide the independent entity with information on incidents or other adverse events. Such disclosures are not subject to the WMHMDA. | Section 12(1)(a)(v)(D) (excepting information about notification of an adverse incident per 70.56.040(5) RCW) |
15. Notification of adverse health events exemption. | The Washington legislature has created an adverse health events and incident notification and reporting system. Information and documents contained within a report of an adverse health event prepared by a medical facility under this reporting system are not subject to the WMHMDA. A medical facility for purposes of this exception is a childbirth center, hospital, psychiatric hospital, or correctional medical facility as defined under 70.56.010(10) RCW. | Section 12(1)(a)(v)(D) (excepting information on notification of adverse health events in 70.56.020(2)(b) RCW) |
16. Manufacturers when legally disclosing patient’s information exemption. | Information and documents collected and maintained by a manufacturer, when collected, used, or disclosed, are governed by Washington state medical records law, 70.02 RCW. A manufacturer is any person who designs, manufactures, fabricates, assembles, or processes a finished device as defined in 21 C.F.R. § 802.3(o). If the disclosure is done in accordance with 70.02 RCW, then those manufacturers are not subject to the WMHMDA. | Section 12(1)(a)(v)(E) (excepting information and documents a manufacturer has and collected, used, or disclosed for purposes in 70.02 RCW) |
17. Information and documents for disclosing under the Federal Health Care Quality Improvement Act of 1986 exemption. | The Federal Health Care Quality Improvement Act of 1986 provides protections for certain disclosures of clinical privileges if the person disclosing believes such action is in furtherance of quality health care. Information and documents created for such disclosures are not subject to the WMHMDA. | Section 12(1)(a)(vi) (excepting information and documents for disclosures per the Federal Health Care Quality Improvement Act of 1986 and the related regulations) |
18. Patient Safety Work Product exemption. | Patient Safety Organizations that collect Patient Safety Work Product are not subject to the WMHMDA. Patient Safety Work Product is any data, records, reports, analysis, or statements that could improve a patient’s safety, health outcomes, or quality of health care and was developed by a Patient Safety Organization. A Patient Safety Organization is an entity that is certified by the Agency for Healthcare Research and Quality. | Section 12(1)(a)(vii) (excepting Patient Safety Work Product under 42 C.F.R. Part 3, which implemented the Patient Safety and Quality Improvement Act of 2005) |
19. Deidentify health care-related information exemption. | Individuals or entities that deidentify health care-related information using standards established in 45 C.F.R. Part 164 are not subject to the WMHMDA. | Section 12(1)(a)(viii) (excepting health care related information listed in the subsection (a) that is deidentified in accordance with 45 C.F.R. Part 164) |
20. HIPAA Covered entities exemption. | Any information that is derived from any of sections 1-18 above and is maintained by a HIPAA covered entity or business associate is not subject to the WMHMDA. | Section 12(1)(b)(i) |
21. Washington state health care provider exemption. | Any information that is derived from any of sections 1-18 above and is maintained by entities that qualify as “health care providers” under Washington’s Medical Records Act is not subject to the WMHMDA. Health care providers refers to individuals licensed or authorized to provide health care in Washington State. | Section 12(1)(b)(ii) (exempting entities subject to 70.02 RCW) 70.02.010 (19) (defining health care providers) 70.02.020 (1) (regulating health care providers) |
22. Washington state health care facility exemption. | Any information that is derived from any of sections 1-18 above and is maintained by entities that qualify as “health care facilities” under Washington’s Medical Records Act is not subject to the WMHMDA. Health care facilities refers to hospitals, clinics, nursing homes, laboratories, or similar places where a health care provider provides health care to patients. | Section 12(1)(b)(ii) (exempting entities subject to 70.02 RCW) 70.02.010 (16) (defining health care facilities) 70.02.020 (1) (regulating health care providers) |
23. Program or qualified service organization in connection with substance abuse exemption. | Any information that is derived from any of sections 1-18 above and is maintained by entities that are programs or qualified service organizations is not subject to the WMHMDA. A program is an individual or entity that holds itself out to provide substance abuse disorder diagnosis or treatment. A qualified service organization is an individual or entity that services a program, like data processing, bill collecting or medical staffing, among other potential services. | Section 12(1)(b)(iii) (definitions under 42 C.F.R. Part 2) |
24. HIPAA authorized disclosures for public health activities and purposes exemption. | A covered entity under HIPAA may disclose certain protected health information for public health activities such as to a public health authority for certain reasons. Such use and disclosures are not subject to the WMHMDA. | Section 12(1)(c) (exempting information used for public health activities as allowed under 45 C.F.R. Sec. 164.512) |
25. Use of HIPAA limited data set exemption. | A covered entity under HIPAA may use or disclose a limited data set as defined under HIPAA. A limited data set cannot contain direct identifiers of the individual such as names, addresses, social security numbers, among many others listed. If the limited data set use and disclosure is proper, then such use and disclosure is not subject to the WMHMDA. | Section 12(1)(c) (exempting information limited data set use as allowed under 45 C.F.R. Sec. 164.514) |
26. Use of identifiable data for the Washington State health care claims database exemption. | Washington law established a statewide database for health care claims. WMHMDA uses the term “identifiable data,” but that is not a defined term under 43.371.010 RCW (the definition section within the Statewide Health Care Claims Data statute). Identifiable data used for the Washington statewide health care database is not subject to the WMHMDA. | Section 12(1)(d) (exempting identifiable data collected, used, or disclosed for the database created in 43.371 RCW) |
27. Use of identifiable data for the electronic sales tracking system for the Pharmacy Quality Assurance Commission exemption. | The Pharmacy Quality Assurance Commission implemented an electronic sales tracking system to monitor nonprescription sale of products or medicine containing certain ingredients. Identifiable data used in connection with this tracking system is not subject to the WMHMDA. | Section 12(1)(d) (exempting identifiable data collected, used, or disclosed for the tracking system created in 69.43.165 RCW) |
28. Financial institutions exemption. | Companies that offer consumers financial products or services governed by the Gramm-Leach-Bliley Act and that use personal information are not subject to the WMHMDA. | Section 12(2)(a) (exempting personal information governed by the Gramm-Leach-Bliley Act (15 U.S.C. 6801) and the implementing regulations) |
29. Social security health plan exemption. | Personal information that is collected, used, or disclosed for the purposes of a health plan under the Social Security Act is not subject to the WMHMDA. | Section 12(2)(b) (exempting personal information used under Part C of Title XI of the Social Security Act, 42 U.S.C. 1320d et seq.) |
30. Fair Credit Reporting Act exemption. | Personal information collected, used, or disclosed in connection with the Fair Credit Reporting Act is not subject to the WMHMDA. | Section 12(2)(c) (exempting personal information governed by the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.) |
31. Educational institutions exemption. | Personal information that is governed by FERPA is not subject to the WMHMDA. | Section 12(2)(d) (exempting personal information governed by FERPA, 20 U.S.C. 1232(g)) |
32. Washington Health Benefit Exchange under the Affordable Care Act exemption. | Personal information collected, used, or disclosed in connection with the general functions and restrictions of Washington’s Affordable Care Act health insurance exchange is not subject to the WMHMDA. | Section 12(2)(e) (exempting personal information under Washington Health Benefit Exchange, 43.71 RCW and 45 C.F.R. Sec. 155.260) |
33. Privacy rules adopted by the Office of the Insurance Commissioner exemption. | Washington law allows the Office of the Insurance Commissioner to issue rules on privacy of information. Health care service providers that provide health plans or health benefit plans, such as health insurance coverage, must adhere to the rules issued by the Commissioner. Actions that adhere to these rules are not subject to the WMHMDA. | Section 12(2)(e) (exempting personal information subject to privacy rules created by the state Insurance Commissioner under 48.02 or 48.43 RCW) |
34. Prevention, detection, protection, or response to illegal activity under Washington state or federal law exemption. | The collection, use, or disclosure of consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or other malicious activity is not subject to the WMHMDA. In addition, if the collection, use, or disclosure of consumer health data will preserve the integrity of security systems or will assist in the investigation, reporting, or prosecution for such actions, then that activity is not subject to the WMHMDA. If a regulated entity collects, uses, or discloses consumer health information for a reason stated directly above, then that entity bears the burden of demonstrating such use of consumer health information complies with the relevant exemption. | Section 12(3), (4) |
[1] Consumer Health Data “means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” Section 3(8)(a).
[2] Sub. House Bill 1155, § 3(8)(a) (2023).
[3] Sub. House Bill 1155, §§ 3(8)(a), 15 (2023).