Here is a big one. The folks at Washington state took a look at the current patchwork of privacy laws in the US (FTCA, HIPAA, GLBA, FERPA, BIPA, CCPA, CPRA, CPA, CPDPA, ICDPA, VCDPA, UCPA, CCCP – all but one are real) and decided that Washington needs a new privacy law aimed at consumer health data (vaguely defined) that establishes a private right of action (defined pretty well). I am talking about the “My Health My Data Act,” aka “My Lawsuits, My Class Action Lawsuits Act”, which was signed into law this week. Yes, consumer health data is a hot enforcement topic (see GoodRx, Flo Health, BetterHelp). Yes, consumer health data is sensitive information that often falls outside the purview of HIPAA. And yes, someone in the Washington Legislature tasked a PoliSci intern to take a sledgehammer to this issue by drafting this new law.
A summary of the Act, copied from the House Bill Analysis, is at the bottom of this post. Here is the gist.
Scope – Entities and Information
The Act applies to any “regulated entity,” defined as any entity that conducts business in Washington or targets services to consumers in Washington, collects/shares/sells consumer health data, and determines the purpose and means of processing the data. No revenue thresholds, no minimum data thresholds, no carve-outs for nonprofits – just all entities providing services to Washington residents.
The data regulated is “consumer health data,” which is defined in the broadest, vaguest way possible, as personal information (i.e., information that identifies or is reasonably capable of being associated with a consumer) relating to the past, present, or future physical or mental health of a consumer, including, for example, information relating to “individual health conditions,” “social, psychological, behavioral, and medical interventions,” “use or purchase of medication,” “bodily functions,” or “efforts to research or obtain health services or supplies.” HIPAA PHI is thankfully carved out from the definition. Still, this definition is way too vague and broad. It would sweep in data collected by almost any app, from white noise machines for focusing all the way to Amazon’s sales of bandaids.
Most Notable Requirements
Businesses subject to the MHMDA will be required (among other things) to:
- Obtain consent prior to the collection or sharing of consumer health data except as necessary to provide a product or service requested by the consumer;
- Obtain a valid authorization from the consumer (which includes a signature and the contact details of the buyers) prior to “selling” (i.e., exchanging data for monetary or other valuable consideration) consumer health data;
- Post a privacy policy addressing the collection, use, and disclosure of consumer health data and data subject rights under the law;
- Respect the following data subject rights: know, access, withdraw sharing consent, delete;
- Enter into DPAs with processors; and
- Maintain administrative, technical, and physical data security practices to protect consumer health data.
Prohibition on Geofencing
And that’s not all. The law also prohibits “geofencing” around any entity that provides in-person health care services to identify, track, collect data from, or send messages to a consumer that enters the virtual perimeter. There are no exceptions, not even for consent. The way this prohibition is drafted would bar apps from tracking data about Washingtonians in any health facility anywhere in the US regardless of whether the user authorized location use, and even if the tracking entity is the health facility itself. So, if your grocery store has a pharmacy, then your grocery store app will be prohibited from helping you in the store. Just wild.
Lawsuits… Lawsuits Everywhere
Most importantly, violations of the Act will be enforceable under the Washington Consumer Protection Act, which limits damages to $7,500 per violation, with treble damages an option up to $25,000, and, crucially, may be filed as a class action. Plaintiff lawyers rejoice.
Effective Date
The law will go into effect on March 31, 2024, except the geofencing prohibition, which will go into effect in July 2023.
The full text of the act is here.
Below is the summary of the MHMDA:
Key Definitions and Scope.
“Regulated entity” means any legal entity that:
- conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington;
- collects, shares, or sells consumer health data; and
- determines the purpose and means of the processing of consumer health data.
“Regulated entity” does not include a government agency or a tribal nation.
“Consumer health data” means personal information relating to the past, present, or future physical or mental health of a consumer including any personal information relating to:
- individual health conditions, treatment, status, diseases, or diagnoses;
- social, psychological, behavioral, and medical interventions;
- health-related surgeries or procedures, diagnostic testing, and treatment;
- use or purchase of medication;
- bodily functions, vital signs, symptoms, or related measurements;
- efforts to research or obtain health services or supplies;
- gender-affirming care information;
- reproductive or sexual health information;
- biometric and genetic data related to consumer health data;
- location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; and
- any consumer health data information that is derived or extrapolated from non-health information, such as proxy, derivative, inferred, or emergent data.
“Consumer health data” does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research that adheres to all other applicable ethics and privacy laws and is monitored or governed by an independent oversight entity.
The Washington My Health My Data Act does not apply to:
- health care information collected, used, or disclosed in accordance with the state Uniform Health Care Information Act;
- protected health information, or information treated like protected health information, that is collected, used, or disclosed by covered entities and business associates subject to and in accordance with the federal Health Insurance Portability and Accountability Act; and
- patient identifying information collected, used, or disclosed in accordance with federal law relating to confidentiality of substance use disorder records.
Privacy Policy Requirement.
A regulated entity must maintain and prominently publish on its homepage a consumer health data privacy policy that discloses:
- the specific types of consumer health data collected and the purposes of collection;
- the sources from which consumer health data is collected;
- the specific consumer health data that is shared and the list of third parties and affiliates with whom the regulated entity shares consumer health data; and
- how a consumer may exercise consumer rights with regard to consumer health data.
A regulated entity must make additional privacy policy disclosures and obtain consumer consent before collecting or sharing categories of consumer health data not disclosed in the privacy policy, and before collecting or sharing consumer health data for additional purposes. A regulated entity may not contract with a service provider to process consumer health data in a manner that is inconsistent with the regulated entity’s consumer health data privacy policy.
Consent Requirement.
A regulated entity may not collect or share consumer health data except with the consumer’s consent or to the extent strictly necessary to provide a product or service that the consumer requested from the regulated entity. A consumer’s consent must be obtained prior to the collection or sharing of any consumer health data and must disclose:
- the categories of consumer health data collected or shared;
- the purpose of the collection or sharing;
- the entities with whom the consumer health data is shared; and
- how the consumer can withdraw consent.
A consumer’s consent for the sharing of consumer health data must be separate and distinct from the consumer’s consent for the collection of consumer health data.
Consumer Rights Concerning Consumer Health Data.
A consumer has rights with regard to consumer health data concerning the consumer, including the right to:
- confirm whether a regulated entity is collecting or sharing consumer health data;
- access consumer health data;
- confirm that a regulated entity has not sold consumer health data;
- withdraw consent from the regulated entity’s collection and sharing of consumer health data; and
- have consumer health data deleted.
Within 30 calendar days of receiving a consumer’s request to delete consumer health data concerning the consumer, a regulated entity must delete the consumer health data from its records and notify all affiliates, service providers, and other third parties with whom the regulated entity has shared the consumer health data of the consumer’s deletion request. All notified affiliates, service providers, and other third parties must honor the consumer’s deletion request and delete the consumer health data from all records.
Data Security Requirements.
A regulated entity must restrict access to consumer health data by the regulated entity’s employees, service providers, and contractors to only as is necessary to further the purposes for which a consumer provided consent or to provide a product or service the consumer has requested. A regulated entity must establish and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy a reasonable standard of care within the regulated entity’s industry to protect the confidentiality, integrity, and accessibility of consumer health data.
Obligations of Service Providers.
A service provider may process consumer health data only pursuant to a binding contract between the service provider and the regulated entity. The contract must set forth the processing instructions and limit the actions a service provider may take with respect to consumer health data. A service provider may process consumer health data only in a manner that is consistent with the binding instructions set forth in the contract.
If a service provider fails to adhere to the regulated entity’s instructions or processes consumer health data in a manner that is outside the scope of the service provider’s contract with the regulated entity, the service provider is considered a regulated entity.
Prohibition on Sale of Consumer Health Data.
It is unlawful for any person to sell consumer health data. To “sell” means to share consumer health data for monetary or other valuable consideration. “Selling” does not include sharing:
- to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity’s assets;
- by a natural person selling their own consumer health data pursuant to a written contract with a third party; or
- by a regulated entity to a service provider when the sharing is consistent with the purpose for which the consumer health data was collected.
Prohibition on Geofencing of Certain Health Care Entities.
It is unlawful for any person to implement a geofence around any entity that provides in-person health care services where the geofence is used to identify, track, collect data from, or send notifications or messages to a consumer that enters the virtual perimeter. “Geofence” means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and any other form of location detection to establish a virtual boundary around a specific physical location.