The Washington My Health My Data Act ("MHMDA") may not have been written by Earth, Wind, & Fire, but it is certainly poised to make medical device and pharmaceutical manufacturers move to a new beat like a classic disco hit. Drug and device makers of all sizes are likely to be impacted by the MHMDA. Signed into law on April 27, 2023, the MHMDA is designed to cover health information that falls outside of the Health Insurance Portability and Accountability Act (“HIPAA”), which applies to only certain types of health care entities. The MHMDA is slated to be in force March 31, 2024, with delayed enforcement (until June 30, 2024) for small businesses.

Before the enforcement date, drug and device makers will need to consider if their activities involve processing data that meets the definition of “consumer health data” under the MHMDA (discussed below). If so, they should take steps to comply, including evaluating and updating privacy policies, revising (or implementing) processes for consumer privacy rights requests, updating data processing agreements, assessing data security controls, and ensuring consent processes align with the new law.

PURPOSE

The MHMDA aims to “provide heightened protections” for health data on residents of Washington state, including increased notification and consent requirements related to “collection, sharing, and use of [health] information”, consumer rights such as data erasure, prohibition on sales of health data, and curtailing “geofencing” of health care facilities.

APPLICABILITY

The MHMDA applies to “regulated entities” that process “consumer health data”. “Consumer” includes both Washington residents and any natural person whose “consumer health data is collected in Washington.” Notably, “collect” is defined broadly (and not intuitively) to mean “...buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.” This means the MHMDA will regulate not only health data about Washington residents, but also any health data processed in Washington.

Regulated entities include those that conduct business in Washington, produce or provide products or services targeted to Washington consumers, or any entity that “alone or jointly with others, determines the purposes and means of collecting, processing, sharing, or selling of consumer health data.” There are no distinctions in the requirements based on the size of the business except for a short delay in the implementation date. Small businesses are those which collect, process, sell, or share consumer health data of fewer than 100,000 consumers during a calendar year or, in the alternative, derive less than 50% of revenue from collecting, processing, selling or sharing consumer health data and such activities involve the consumer health data of fewer than 25,000 consumers.

The law aims to govern the processing of “consumer health data”, which means “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status.”

Such data includes but is not limited to information about:

• Health conditions
• Treatment
• Diseases
• Diagnoses
• Interventions
• Surgeries or procedures
• Use or purchase of prescription medication
• Bodily functions
• Vital signs
• Symptoms
• Measurements
• Diagnostic testing
• Gender-affirming care information
• Reproductive or sexual health information
• Biometric data
• Genetic data
• Precise location information that may indicate consumer’s attempt to acquire or receive health services or supplies
• Other similar information

Various information is excluded from “consumer health data”, such as information “used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest” that adheres to ethics and privacy laws and has proper oversight such as from an institutional review board. Also excluded is “protected health information” under HIPAA, plus certain information disclosed to device or drug manufacturers in connection with products or activities regulated by the Food and Drug Administration (“FDA”).

ENFORCEMENT

The MHMDA is enforceable by the Washington attorney general and permits a private right of action under the Washington Consumer Protection Act (“CPA”). The CPA allows plaintiffs to seek damages for actual injury occurred, up to $25,000 per award. Any violation of the MHMDA is deemed to meet three of the five criteria for a violation of the CPA (Section 11).

WHAT DOES THE LAW REQUIRE?

Consumer Health Data Privacy Policy

Regulated entities must implement a privacy policy for consumer health data prominently linked on the home page. The policy must include:

• Categories of consumer health data collected, purpose for collection, and how it will be used
• Categories of sources from which the consumer health data is collected
• Categories of consumer health data that is shared
• List of categories of third parties and specific affiliates with whom the regulated entity shared consumer health data
• How a consumer may exercise their rights

Consent

• Collection (i.e., processing) of consumer health data is prohibited without consent from the consumer for the specified purpose or to provide a product or service requested from the regulated entity.
• Sharing of consumer health data is prohibited unless consent is obtained (consent for sharing must be separate and distinct from the consent to collect the data) or to provide a product or service that the consumer has requested from the regulated entity.
• Consent must be obtained before the collection or sharing and include clear and conspicuous disclosures of certain information.
• Explicit authorization, separate from consent to share consumer health data, is required to sell any consumer health data. The authorization must meet all requirements of the MHMDA (Section 9(2)).

Data Subject Rights

• Consumers have the right to confirm processing and to access consumer health data (free of charge up to twice annually).
• Consumers have the right to withdraw consent and request deletion of consumer health data.
• Consumer data subject rights request must be addressed without undue delay, and no later than 45 days after the request is received. Extensions for additional time to respond can be sought (up to an additional 45 days).
• Regulated entities must offer an appeals process that is conspicuous (and similar to making the initial request).

Data Security

Regulated entities must implement reasonable security controls in relation to the company’s industry, such as administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.

Data Processing Agreements

The data processing agreement requirements of the MHMDA are very comparable to those we’ve seen in the General Data Protection Regulation (“GDPR”) and other rules:

• Processors (vendors) must only process consumer health data with a binding contract between the processor and regulated entity outlining:
  • Processing instructions
  • Limiting actions processor may take with respect to the consumer health data
• Processors may only process consumer health data consistent with the binding instructions in the contract
• Processor’s must assist the regulated entity with technical and organization measures to fulfill the obligations under the MHMDA.
• Failure by processor to adhere to the instructions means the processor is acting as a regulated entity and directly subject to all requirements of the MHMDA.

Geofencing

Regulated entities are prohibited from implementing a “geofence” around an entity that provides in-person health care services to identify or track consumers, collect consumer health data from consumers, or send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.

“Geofencing” means implementing a virtual boundary around a physical location that uses GPS, cell tower connectivity, cellular data, or other spatial or location detection and locates consumers.

KEY TAKEAWAYS

As mentioned previously, before March 31, 2024 (June 30, 2024, for small businesses), drug and device makers will need to consider if their activities involve processing data that meets the definition of “consumer health data” under the MHMDA. If so, they should take steps to comply, including evaluating and updating privacy policies, revising (or implementing) processes for consumer privacy rights requests, updating data processing agreements, assessing data security controls, and ensuring consent processes align with the new law.