Washington’s My Health My Data Act Goes Into Effect


Washington’s My Health My Data Act (MHMDA), signed into law last year, is now in effect. MHMDA’s intent was to address consumer health-related data not otherwise protected under HIPAA, and accordingly it significantly expands the scope of regulated information. MHMDA has broad applicability for businesses, including non-profits, that offer goods or services to Washington residents. There is no applicability threshold, although “small businesses” (entities that collect data of fewer than 100,000 Washington consumers per year) have until June 30, 2024, to comply.

“Consumer health data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status, including the following:

  • Individual health conditions, treatment, diseases, or diagnosis;

  • Social, psychological, behavioral, and medical interventions;

  • Bodily functions, vital signs, symptoms, or measurements of the foregoing information;

  • Gender-affirming care information;

  • Reproductive or sexual health information;

  • Biometric data;

  • Genetic data;

  • Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;

  • Data that identifies a consumer seeking health care services; or

  • Information that is derived or extrapolated from non-health information (such as via algorithms or machine learning).

MHMDA requires entities collecting physical or mental health data to provide a distinct consumer health notice as a link on their websites, separate from their general privacy policies, that discloses only the requirements of MHMDA, namely the purposes of collection, the categories of data being collected, and the rights of individuals concerning their health data.

Importantly, MHMDA includes a private right of action. Violations of MHMDA may lead to private class action lawsuits or an investigation and possible enforcement from the Washington State Attorney General.

The lawyers in Pierson Ferdinand’s Privacy and Data Security practice group are available to assist you with an evaluation of your data collection and handling practices and disclosures to ensure they align with the requirements of applicable laws.

Kimberly Booher kimberly.booher@pierferd.com

Michael Kar michael.kar@pierferd.com

Maryam Meseha maryam.meseha@pierferd.com

Disclaimer: This communication is for informational purposes only and is not intended to provide legal advice for a specific situation or create an attorney-client relationship. You should not act upon this information without seeking advice from a lawyer licensed in your own state or country. Under rules applicable to the professional conduct of attorneys in various jurisdictions, content in this alert may be considered advertising material. The choice of a lawyer is an important decision and should not be based solely upon advertisements.
