On June 30, 2023, the Washington Attorney General (AG) published a series of Frequently Asked Questions (FAQs) related to the My Health My Data Act (MHMDA). As we discussed previously, the MHMDA will impose new requirements on entities involved in collecting, processing, sharing, or selling consumer health data belonging to Washington residents beginning as early as March 2024. This is the first law passed in the United States that creates data processing requirements specifically for consumer health data that falls outside of the scope of the Health Insurance Portability and Accountability Act (HIPAA) (though it is no longer the only one, with Connecticut and Nevada passing copycat legislation soon after the Washington law was enacted).
The MHMDA can be enforced by both the Washington Attorney General’s office and through a private right of action under the Washington consumer protection statute. And, though the law specifically applies to “consumer health data,” its potential application and the resulting legal exposure for companies are broad, given its expansive definitions and coverage. Companies that previously fell outside of the scope of HIPAA for the processing of health data (such as certain health-related mobile apps) now have additional data processing obligations for which they must account. This is in addition to state comprehensive privacy laws that are increasingly regulating certain categories of health data as “sensitive” data and also adding compliance obligations for these types of companies.
In light of the described novelty, ambiguities, and potential legal exposure, the AG has provided these FAQs in advance of the MHMDA taking effect. The MHMDA does not grant the AG formal rulemaking authority (which means that the FAQs here are informal and non-binding). Nonetheless, the FAQs provide an important perspective on how the AG will interpret the law. Regulated entities should familiarize themselves with the AG’s guidance to ensure compliance with the requirements imposed by the MHMDA, specifically in the areas highlighted by the AG. Additionally, even though the FAQs do not necessarily bind how a court would interpret the law, it is possible that courts will also defer to the Washington AG’s various interpretations (which would make the FAQs also relevant for the law’s private right of action).
In this post, we identify notable takeaways from the Washington Attorney General’s FAQs on the My Health My Data Act. We are happy to answer any questions you have about the MHMDA and its potential implications for your data privacy compliance program.
- Important Effective Dates. The MHMDA employs different effective dates for different provisions and categories of regulated entities. FAQ 1 of the AG’s guidance clarifies that there are three key dates relevant to regulated entities under the Act. (1) Section 10 of the Act – which prohibits geofencing by regulated entities – will go into effect on July 23, 2023. Sections 4 to 9 of the Act – which outline new requirements, obligations, and consumer rights – will take effect (2) on March 31, 2024, for all regulated entities that are not small businesses, and (3) on June 30, 2024, for small businesses, as defined by the Act.
- Broad Application to Out-of-State Entities. FAQ 3 clarifies that the Act will only apply to out-of-state entities that (a) conduct business in Washington, or produce or provide products or services that are targeted to consumers in Washington, and (b) alone or jointly with others, determine the purpose and means of collecting, processing, sharing, or selling of consumer health data. The Act will not apply to entities that only store data in Washington.
- Inferences Considered Consumer Health Data. FAQs 5 and 6 clarify that any inferences about a consumer’s health status which are drawn from nonhealth data fall under the scope of “consumer health data” as defined by the Act. For example, the purchase of toilet paper and deodorant would not ordinarily be considered consumer health data, but an app that uses such information to track an individual’s digestion or perspiration is collecting consumer health data. Likewise, a pregnancy prediction score assigned by a retailer to shoppers based on the purchase of certain products is protected consumer health data. This indicates that the AG interprets the Act as having an expansive definition of consumer health data.
- Clarifying the Requirement to Store Consumer Authorizations. FAQ 7 resolves a potential conflict between Sections 6 and 9 of the MHMDA related to the storage of consumer authorizations for the sale of data. Section 9 of the Act requires any person, not just regulated entities, to obtain authorization from a consumer before selling or offering to sell their data. Both the seller and purchaser of such data are required to retain a copy of the authorization – which may include a record of the consumer’s health data – for six years. Under Section 6 of the Act, consumer health data must be deleted from a regulated entity’s network upon request by the consumer. If a consumer requests deletion under Section 6, authorizations kept on file under Section 9 must be redacted to remove any information about the data sold.