Washington’s My Health My Data Act Goes Into Effect
Washington’s My Health My Data Act (MHMDA), signed into law last year, is now in effect. MHMDA’s intent was to address consumer health-related data not otherwise protected under HIPAA, and it accordingly significantly expands the scope of regulated information. MHMDA has broad applicability for businesses, including non-profits, that offer goods or services to Washington residents. There is no applicability threshold, although “small businesses” (entities that collect data of fewer than 100,000 Washington consumers per year) have until June 30, 2024 to comply.
“Consumer health data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status, including the following:
Individual health conditions, treatment, diseases, or diagnosis;
Social, psychological, behavioral, and medical interventions;
Bodily functions, vital signs, symptoms, or measurements of the foregoing information;
Gender-affirming care information;
Reproductive or sexual health information;
Biometric data;
Genetic data;
Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;
Data that identifies a consumer seeking health care services; or
Information that is derived or extrapolated from non-health information (such as via algorithms or machine learning).
MHMDA requires entities collecting physical or mental health data to provide a distinct consumer health notice as a link on its website, separate from its general privacy policy, that discloses only the requirements of MHMDA, namely the purposes of collection, the categories of data being collected, and the rights of individuals concerning their health data.
Importantly, MHMDA includes a private right of action. Violations of MHMDA may lead to private class action lawsuits or an investigation and possible enforcement from the Washington State Attorney General.
The lawyers in Pierson Ferdinand’s Privacy and Data Security practice group are available to assist you with an evaluation of your data collection and handling practices and disclosures to ensure they align with the requirements of applicable laws.
Kimberly Booher kimberly.booher@pierferd.com
Michael Kar michael.kar@pierferd.com
Maryam Meseha maryam.meseha@pierferd.com
This publication and/or any linked publications herein do not constitute legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, the author(s) and PierFerd assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, this publication may constitute Attorney Advertising. © 2024 Pierson Ferdinand LLP.