This is Part Two in a series of legal updates on the Washington My Health My Data Act (“WMHMDA”) where Quarles is doing a deep dive into the various factors and intricacies of the Act that are shaping up to create a sea of change in the privacy space – and not just for the health and life sciences industry.
We provided a high-level overview of the landmark legislation and its origins immediately after its passage. We started our summer series with a basic rule of Red Cross water safety – know who is in the pool with you (i.e., who are the regulated entities subject to WMHMDA). In this part, we are grabbing our sand tools and digging into the consumers captured by WMHMDA.
Catch up with the WMHMDA summer series: We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in:
- Overview
- Part One: What Regulated Entities are Subject to WMHMDA
- Part Two: Consumers Covered by WMHMDA (this is what you are reading now)
- Part Three: Broad Scope of Consumer Health Data
- Part Four: Geofencing Requirements
- Part Five: Consent and Authorization Requirements
- Part Six: Privacy Policy
- Part Seven: Individual Rights
- Part Eight: Enforcement and Private Right of Action
- Part Nine: Operational Realities and Next Steps
- Part Ten: HIPAA vs. WMHMDA (for table lovers)
Consumers Covered by WMHMDA
In addition to the broad range of regulated entities to whom WMHMDA applies, the Act also includes a very broad definition of “consumer.” Under WMHMDA, “consumer” is defined as:
- A natural person who is a Washington resident; or
- A natural person whose consumer health data is collected in Washington.
“Consumer” means a natural person who acts only in an individual or household context, however identified, including by any unique identifier. “Consumer” does not include an individual acting in an employment context.
Employee and B2B Data. Given this definition, WMHMDA seems to exclude employees and B2B data. WMHMDA takes a different approach than the California Consumer Privacy Act and follows the more typical state comprehensive laws in excluding employee and B2B data.
Mere Processing in Washington. Although employee and B2B data is excluded, the definition of “consumer” is still much broader than it appears. The geographic elements of the definition broaden its applicability. The breadth of the definition stems from the second prong (i.e., a natural person whose consumer health data is collected in Washington).
WMHMDA defines “collect” as any type of processing (i.e., to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner). Consequently, data of individuals without Washington connections are subject to WMHMDA if that data is collected (read: merely processed) in Washington. The nexus between a “consumer” and Washington could arguably be as limited as a transaction between non-Washington residents and non-Washington-based businesses being processed in a cloud server located in Washington.
A New “Offshoring” Consideration? As we know, some of the largest cloud service providers have Washington headquarters and/or data centers. The health and life sciences industry is already aware of data offshoring considerations under Medicare and Medicaid programs. It is possible that WMHMDA’s broad definitions of “consumer” and “collect” will require businesses to analyze data location and transfer across Washington state lines as well. After all, if businesses can limit data “collection” and processing in Washington, WMHMDA exposure is arguably decreased.
A first data localization consideration for U.S.-based businesses maintaining data in the U.S., we may start to see cloud service providers offer WMHMDA accounts with processing outside Washington state in addition to their existing HIPAA accounts limiting offshoring. Will this create a ripple effect leading businesses to scrutinize vendor and remote employee locations to avoid “collection” of data in Washington? We will have to see how businesses react to this data localization consideration.
In Part 3 we will dive into the open-ended definition of “consumer health data” regulated by WMHMDA. It is a very broad definition rooted in public policy decisions made by the legislature; and it will be key to remember the definition of a “consumer” when analyzing the scope of implicated data.
Additional issues raised by WMHMDA are forthcoming. Until next time… turn on your grill, grab your floaties, and get ready to dive in.
