Washington is a national leader in protecting the privacy of consumer health decisions and health data. In 2023, Attorney General Bob Ferguson requested legislation to significantly expand privacy protections for personal health data. The Washington My Health My Data Act (HB 1155) passed the Washington State Legislature on April 17, 2023, and was signed into law by Governor Jay Inslee on April 27, 2023. Washington My Health My Data Act, 2023 Wash. Laws 191.
The My Health My Data Act is the first privacy-focused law in the country to protect personal health data that falls outside the ambit of the Health Insurance Portability and Accountability Act, or HIPAA. The Act was developed to protect a consumer’s sensitive health data from being collected and shared without that consumer’s consent. Washington’s concern for the urgent need to enhance privacy protections for health data is widely shared: 76% of Washingtonians express support for the My Health My Data Act.
Under the law, regulated entities must follow specific requirements about how and when they may collect and share personal health data.
1: What are the effective dates for the My Health My Data Act?
The My Health My Data Act includes effective dates on a section-by-section basis.
All persons, as defined in the Act, must comply with section 10 beginning July 23, 2023. Regulated entities that are not small businesses must comply with sections 4 through 9 beginning March 31, 2024. Small businesses, as defined in the Act, must comply with sections 4 through 9 beginning June 30, 2024. For sections 4 through 9, the effective dates apply to the entirety of the section and are not limited to the subsections in which the effective dates appear.
2: What is the Attorney General’s role in enforcing the My Health My Data Act?
Section 11 of the My Health My Data Act provides that any violation of the Act is a per se violation of the Washington Consumer Protection Act (CPA), RCW 19.86, which is enforced by the Attorney General as well as through private action.
3: How will a business located outside of the state of Washington but that stores its data in Washington be impacted?
Generally, all persons and businesses that conduct business in Washington (or provide services or products to Washington), and that collect, process, share, or sell consumer health data are impacted by the Act. Subject to some exceptions, a regulated entity is a legal entity that (a) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. An entity that only stores data in Washington is not a regulated entity.
A processor is a person that processes consumer health data on behalf of a regulated entity or a small business. Out-of-state entities that are processors for regulated entities or a small business must comply with the Act.
Sections 9 and 10 of the Act apply to persons, which generally includes natural persons, corporations, trusts, unincorporated associations, and partnerships. Out-of-state entities that fall within the definition of person must comply with sections 9 and 10 of the Act.
4: Is a business that is covered by the My Health My Data Act required to place a link to its Consumer Health Data Privacy Policy on the company’s homepage?
Yes. Section 4(1)(b) of the My Health My Data Act explicitly provides that “[a] regulated entity and a small business shall prominently publish a link to its consumer health data privacy policy on its homepage.” The Consumer Health Data Privacy Policy must be a separate and distinct link on the regulated entity’s homepage and may not contain additional information not required under the My Health My Data Act.
5: Does the definition of consumer health data include the purchase of toiletry products (such as deodorant, mouthwash, and toilet paper) as these products relate to “bodily functions”?
Information that does not identify a consumer’s past, present, or future physical or mental health status does not fall within the Act’s definition of consumer health data. Ordinarily, information limited to the purchase of toiletry products would not be considered consumer health data. For example, while information about the purchase of toilet paper or deodorant is not consumer health data, an app that tracks someone’s digestion or perspiration is collecting consumer health data.
6: If a regulated entity or small business draws inferences about a consumer’s health status from purchases of products, could that information be considered consumer health data?
Yes. The definition of consumer health data includes information that is derived or extrapolated from nonhealth data when that information is used by a regulated entity or their respective processor to associate or identify a consumer with consumer health data. This would include potential inferences drawn from purchases of toiletries. For example, in 2012 the media reported that a retailer was assigning shoppers a “pregnancy prediction score” based on the purchase of certain products; this information is protected consumer health data even though it was inferred from nonhealth data. Likewise, any inferences drawn from purchases could be consumer health data.
In contrast, nonhealth data that a regulated entity collects but does not process to identify or associate a consumer with a physical or mental health status is not consumer health data.
7: How may a regulated entity or a small business comply with its obligation to retain copies of a consumer’s valid authorization for sale of consumer health data under section 9 and a consumer’s request to delete their consumer health data under section 6 of the Act?
Under section 9 of the My Health My Data Act, it is unlawful for anyone to sell or offer to sell consumer health data without first obtaining valid authorization from the consumer. When a consumer grants a person valid authorization to sell their consumer health data, both the seller and purchaser are required to retain a copy of the valid authorization for six years. Section 6 of the My Health My Data Act empowers consumers to have their consumer health data deleted from a regulated entity’s or small business’ network, including archived or backup systems.
If after executing a valid authorization, a consumer exercises their section 6 right to have their consumer health data deleted, a regulated entity or small business may meet its obligation to delete the consumer’s health data and its obligation to retain a copy of the valid authorization by redacting the portion of the valid authorization that specifies the consumer health data for sale (for example, by applying a redaction that states: “REDACTED pursuant to consumer deletion request on [insert date]”).
8: Does the definition of consumer health data include the purchase of non-prescription medication?
The My Health My Data Act (MHMD) defines consumer health data to include the “use and purchase of prescribed medication.” Information about the purchase of non-prescription medication is only considered consumer health data if the regulated entity draws an inference about a consumer’s health status from that purchase.
This FAQ may be periodically updated and is provided as a resource for general educational purposes and is not provided for the purpose of giving legal advice of any kind. Readers should not rely on information in this guide regarding specific applications of the law and instead should seek private legal counsel.