This is Part Ten in a series of legal updates on the Washington My Health My Data Act (“WMHMDA”), where Quarles continues its deep dive into the various factors and intricacies of WMHMDA that are creating waves in the privacy space – and not just for the health and life sciences industry.

In previous updates, we charted a course through the following topics: (1) who is subject to the Act, (2) the broad definitions of “consumer” and “consumer health data,” (3) specific requirements of WMHMDA including geofencing, consent and authorization for collecting and sharing data, (4) requirements related to the consumer health data privacy policy, individual rights, (5) the extensive private right of action, and (5) Attorney General enforcement options. Now that temperatures are really sizzling, let’s cool things down with a refreshing discussion on operational realities and next steps toward compliance with the law.

Catch up with the WMHMDA summer series: We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in:

• Overview: Washington Poised to Transform Consumer Health Data Landscape with Passage of My Health My Data Act
• Part One: What Regulated Entities are Subject to WMHMDA
• Part Two: Consumers Covered by WMHMDA
• Part Three: Broad Scope of Consumer Health Data
• Part Four: Geofencing Requirements
• Part Five: Consent and Authorization Requirements
• Part Six: Consumer Health Data Privacy Policy
• Part Seven: Biometric Data
• Part Eight: Individual Rights
• Part Nine: Enforcement and Private Right of Action
• Part Ten: Operational Realities and Next Steps (this is what you are reading now)
• Part Eleven: HIPAA vs. WMHMDA (yes, there will be a table for the table lovers out there)
• Part Twelve: Washington AG Guidance

What Does My Business Need to Do to Comply with WMHMDA?

Compliance with WMHMDA is a multifaceted, in-depth process that will require your business to map out the data it collects, implement systems to allow consumers to exercise their rights, and adapt your privacy policies and procedures. If your business is already compliant (or building a compliance program) with other state or federal privacy laws, you may start by leveraging similar past work. But, because WMHMDA requirements differ from existing laws in key ways, you will need to specifically consider how WMHMDA applies.

Below are some general steps your business should be considering well in advance of WMHMDA’s March 2024 effective date:

1. Assess applicability to your business

If you have been sailing through our summer series and concluded that your business may be caught in the net cast by WMHMDA you may now feel unsure of how to chart a course. We recommend using the summer series updates as a guide (or compass, if you will) to assess whether your business may be a “regulated entity” and whether it collects “consumer health data” from “consumers.” This analysis will require discussions with various stakeholders (e.g. IT, legal, customer service, project managers, etc.) to dissect the data flows including initial collection, processing activities, and external disclosures. Remember that WMHMDA does contain certain data exclusions that should be evaluated for applicability to your organization (e.g., business-to-business data, employee data, data subject to other data privacy laws, deidentified data, etc.).

Legal counsel can help you navigate the WMHMDA definitions, identify relevant exceptions, and consider FAQs from the Washington Attorney General to determine whether you may be able to avoid WMHMDA obligations outright. If you determine WHMMDA is applicable, it is best practice to document your assumptions and conclusions contemporaneously. This documentation will allow you to more nimbly respond to a regulatory inquiry or notice of a suit under the private right of action, and if necessary, defend your position that WMHMDA does not apply.

Key Questions to Ask:

• Are we a “regulated entity”?
• Do we collect data from “consumers”?
• Is the data we collect “consumer health data”?
• Where do we host our data; is it hosted in Washington?

2. Map your consumer health data

So, you are prepared for potentially rough seas by familiarizing yourself with some of the most significant compliance requirements (e.g., consumer health data privacy policy, individual rights requests, retention and destruction), but before any business can take steps to build technical and administrative workflows to comply with these requirements, it must know what “consumer health data” it processes, including where and how the data is collected and maintained and to whom it is disclosed. Your mapping process should account for the broad definition of consumer health data.

Key Questions to Ask:

• What “consumer health data” do we collect, use, disclose, share, and sell?
• How do we collect this data?
• Where and how do we store this data?
• With whom do we share this data (consider all third-party disclosures, including disclosures to vendors)?
• Do we comingle consumer health data with other types of data?
• Do we collect consumer health data we do not need?
  
  3. Create and maintain a compliant consumer health data privacy policy.

As we discussed in Part 6 of our summer series, WMHMDA requires regulated entities to have a consumer health data privacy policy that clearly and conspicuously discloses required information. Recall that these requirements are separate from and in addition to current requirements for website privacy policies and HIPAA notices of privacy practices.

The consumer health data privacy policy is likely to be duplicative of some of what is in your existing website privacy policy, but it is worth strategizing regarding technical and administrative options to align the two notice documents. It is likely that regulators will read the privacy notices in conjunction and consumers will have questions regarding the differences between such notices.

Many WMHMDA limitations on data processing and consent/authorization requirements stem from processing listed versus not listed in the consumer health data privacy policy. Therefore, accurately drafting the consumer health data privacy policy will limit the need for additional consents and resulting disruption to the user experience. Privacy policies in effect at the time of collection will govern the data collected while that privacy notice is in effect. We can almost guarantee that the consumer health data privacy policy in effect at the point of data collection will be Exhibit 1 in a WMHMDA private right of action.

Further, because the consumer health data privacy policy is public, we expect regulators will use it as a first step in assessing compliance with WMHMDA. In other words, a properly drafted consumer health data privacy policy is to your compliance program with the WMHMDA as a keel on a sailboat - it provides stability and makes it difficult to capsize. We also recommend that you schedule at least annual reassessments of your privacy notices now so you can reassess the contents of the notices and determine whether updates need to be made. Of course, any changes in consumer health data collection, use, or sharing practices should be reflected in the consumer health data privacy policy in real time.

Key Questions to Ask:

• Does this consumer health data privacy policy contain all WMHMDA requirements?
• Does it accurately reflect the flow of data into, through, and out of the business?
• Is it clear to the consumer how the consumer health data privacy policy differs from existing privacy notice documents?
• Are front-line staff prepared to answer questions from consumers regarding privacy policies?
• Is it clear to consumers and regulators the categories of people and data to which the consumer health data privacy policy applies?
• Is the consumer health data privacy policy drafted in an easy-to-understand way?
  
  4. Determine whether geofencing prohibitions apply for in-person health care services

Batten down the hatches! Keep in mind that unlike the March 31, 2024 effective date for most WMHMDA requirements, the geofencing prohibition is already in effect. Based on your data map, you should consider where and how your business deploys geofence technology and, if yes, whether such geofence is used in a manner prohibited under WMHMDA.

Key Questions to Ask:

• Do we use geofence technology?
• Is geofence technology used around facilities that provide in-person health care services?
  
  5. Create a system for handling consumer requests

While WMHMDA creates consumer rights like those seen under other state comprehensive privacy laws (e.g., right to access, delete, withdraw consent from collection, sharing or sale of consumer health data), WMHMDA also introduces novel and/or more stringent requirements (e.g., absolute right to delete, required retention standards, etc.).

Accordingly, it is critical that front-line staff be trained to appropriately manage and triage consumer requests. Creating and implementing policies and procedures, as well as a training program related to consumer requests is vital. Note, the private right of action applies to violations of consumer rights requests.

Key Questions to Ask:

• Who will respond to consumer requests?
• Beyond obvious intake channels for consumer requests (consumer-facing call centers), are there other channels where consumer requests may originate?
• Are staff members appropriately trained to manage consumer requests?
• Do we have policies and procedures to manage consumer requests?
• Will we handle requests on a case-by-case basis or build workflows for automating some aspects of managing consumer requests?
  
  6. Ensure appropriate consents and/or authorizations are in place for the processing and sale of consumer health data

WMHMDA requires opt-in for all “processing” in excess of processing necessary to provide consumer-requested products and services. The law does not have opt-in exceptions for many common use cases and requires an authorization distinct from the consent required to be obtained to permit the sale of data.

Building in appropriate authorizations and consents will require IT engagement and will also disrupt the existing consumer experience. Thus, we recommend you initiate a series of discussions with appropriate stakeholders to timely and appropriately budget for and build consents and authorizations into your user experience in a way that creates as little disruption as possible. This discussion is similar to the discussion businesses had when deciding how to provide the California Consumer Privacy Act’s (CCPA) notice at or before the point of collection. However, don’t let this one float by. A proactive and early discussion will allow you the flexibility to change course (or tack) if needed.

Key Questions to Ask:

• Where is the best place in the user experience to obtain consents and/or authorizations from consumers?
• How long of a process will it be to build out the technical requirements for the consent process (including systems to track these consents/authorizations)?
• What do consumers need to consent to/authorize for existing use cases?
• As products and services change, how nimble can we be with new consent/authorization requirements?
  
  7. Consider third-party data sharing diligence and management

Once you have mapped your data and you have a better sense of the third parties, vendors, and affiliates that process consumer health data on behalf of your business, you should assess any necessary updates to those relationships, including amendments to data processing agreements (DPAs) to account for WMHMDA. You may also want to consider updating DPAs to address WMHMDA copycats (we’re looking at you Nevada and Connecticut).

Key Questions to Ask:

• Does the broad definition of consumer health data under WMHMDA cause additional vendors to be characterized as the “processors”

8. Continue to monitor FAQs, industry reaction, and implications of developing business plans before WMHMDA’s effective date.

The Washington State Office of the Attorney General is releasing FAQs related to WMHMDA. This subregulatory guidance will provide insight into how the Attorney General’s Office intends to interpret and enforce the WMHMDA.

It will be some time before Washington courts take on relevant WMHMDA cases, so the enforcement landscape, like the sea, will be fluid. In sum, be prepared to watch the regulatory headwinds and to reassess your compliance with WMHMDA accordingly.

Key Questions to Ask:

• Do we have any forthcoming use cases or business models that we should consider now before WMHMDA goes into effect?
• Given our experience analyzing WMHMDA thus far, how long will it take us to build the infrastructure to launch a new product or feature that will collect, process, or use consumer health data?
• Do we have sufficient insurance to cover liabilities arising from our WMHMDA obligations?

In Part Eleven, we will prepare for fall and the start of school with a chart comparing WMHMDA and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Until then...