Clifford Chance

HEALTHCARE & LIFE SCIENCES

Talking Tech

Doing Business in the United States? Steps to Comply with Washington's My Health My Data Act by March 31, 2024

Healthcare & Life Sciences | Data Privacy | 1 March 2024

Washington State's My Health My Data Act (MHMDA), passed in 2023, contains several mandates that will require many organizations doing business in the United States to update their operational and legal processes by March 31, 2024.

MHMDA applies to any legal entity that operates in Washington, or provides products or services targeted to Washington consumers, and that acts as a data controller with respect to consumer health data (each such entity is defined in the MHMDA as a "regulated entity"). Unlike other states' privacy laws currently in place, there are no revenue or volume thresholds that would exempt entities from compliance with the regulation. Washington's unique approach may also set a precedent for laws in other states and is worth tracking for U.S. and global businesses that want to stay ahead of evolving health data privacy regimes.

If your business has any touchpoint with Washington State, it is important to determine whether you are subject to MHMDA and, if so, how your organization will come into compliance within the next few weeks.

Washington's stated goal in passing MHMDA is to give Washington consumers greater protections and control over their health data. The definition of "consumer health data" (or "CHD") is expansive: "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status." CHD includes data derived or extrapolated from non-health data (e.g., purchase history), including via algorithms and machine learning, that a regulated entity uses to identify a consumer's health condition, use of medication, medical procedures or diagnoses, etc.

These entities must update their privacy practices, how they handle and use CHD, and their interaction protocols with consumers in Washington by March 31, 2024. Small businesses are granted an extension until June 1, 2024, to meet these requirements.

Regulated entities that violate MHMDA risk both government enforcement and private claims. Washington State's Attorney General has enforcement authority under MHMDA and recently updated its set of FAQs, a signal that the office may be gearing up for enforcement as soon as March comes to a close. The FAQs discuss key compliance steps and clarify the scope of the statute, providing insight into where the AG will focus enforcement efforts in the coming months.

The MHMDA also provides for a private right of action, allowing consumers to file suit against companies that violate their rights under the law. Most U.S. state privacy laws have not included a private right of action, the most notable exception being Illinois's Biometric Information Privacy Act (BIPA). It is too early to predict whether MHMDA will spark as much litigation as BIPA has in recent years, but BIPA should serve as a cautionary tale for regulated entities and emphasizes the importance of compliance.

MHMDA requirements and related steps to take to comply

  • Create a separate privacy policy specific to CHD that is displayed on a distinct webpage linked in the regulated entity's website homepage footer. MHMDA is prescriptive about what must be included in this privacy policy, including highlighting the categories of CHD that the entity collects, how the CHD will be used, a list of third parties with whom CHD will be shared (e.g., third-party service providers, affiliated entities), and a summary of consumers' rights under the law. It is not sufficient to embed these terms in, or link to, an existing privacy policy.
  • Evaluate the types of data you collect from Washington consumers and determine whether they fall within the definition of CHD. This exercise likely will not be straightforward. For example, the definition of CHD excludes data covered by HIPAA, but regulated entities will still need to consider whether other data they collect that does not fall under HIPAA would nevertheless be caught by MHMDA. Further complicating the analysis, CHD includes data inferred from non-health data (e.g., if a regulated entity tracks retail purchases to infer a consumer's pregnancy status).
  • If your organization does process CHD, identify who has access to this data within your organization and any affiliates or third parties with whom you share it. Create a list of those third parties to include in your CHD-specific privacy policy. Restrict access to CHD to only those necessary to provide the product or service for which the consumer provided consent.
  • Get opt-in consent from the consumer to collect CHD and additional, separate opt-in consent to share it with any listed third parties. Without consent, regulated entities may use and share only what CHD is necessary to provide the product or service. Operational changes may be necessary to implement new or different consent procedures.
  • Do not sell CHD without valid authorization from the consumer to do so. This restriction on "selling" may encompass targeted advertising and transfers to third-party service providers, unless your contracts with those third parties contain flow-down obligations that comply with MHMDA.
  • Update your retention practices to (A) maintain copies of consumer authorizations for 6 years and (B) redact the authorizations in accordance with MHMDA if a consumer requests deletion of CHD that would otherwise need to be retained under (A).
  • Evaluate your organization's existing data subjects' rights processes and update them as needed. Individual data subjects may request to know whether you are sharing and/or selling their CHD, know the identity of third parties with access to their CHD, withdraw consent to collect, share, or sell their CHD, and delete their CHD. Be prepared to comply with data subject requests within 45 days. MHMDA has limited exceptions and consumers have the right to appeal any rejected requests, so it is important to document the basis for any rejections.

It may be that your organization's existing privacy program, particularly if already tailored to GDPR, will largely comply with MHMDA's requirements. Nonetheless, given the uncertainties surrounding the interpretation and enforcement of MHMDA, it is important to assess whether this holds true. Regulated entities should consider undertaking a risk analysis that weighs the benefits of using CHD against the costs of implementing or updating consent procedures, increased contracting with sub-processors, and potential enforcement actions by Washington's AG or class action lawsuits for MHMDA violations.