On April 17, 2023, the Washington legislature passed the My Health My Data Act (MHMD) (HB 1155). The bill now heads to the Washington Governor who can sign it, veto it, or allow the bill to become law without signature.

We have been tracking MHMD since it was first introduced in early January, provided a detailed analysis of the bill after it first passed the House in mid-March, and discussed its definition of “consumer health data” and private right of action in our April 10 weekly post. In the below post, we add to our analysis by providing five key takeaways about MHMD.

1. Enforcement – Private Right of Action

For years, Washington has tried to pass privacy legislation only to have it repeatedly fail on the issue of enforcement. For example, in March 2020, we saw the Washington Privacy Act fail (for a second time) on the issue of including a private right of action.

MHMD broke through this deadlock and will be enforceable both by the Washington Attorney General’s office and through a private right of action via the Washington Consumer Protection Act. We will have a deep dive analysis into the contours of the private right of action in an upcoming article. For now, it is enough to note that the inclusion of a private right of action significantly expands the risk companies face when complying with law.

2. Broad Applicability to Businesses

The emerging state privacy law model has used thresholds for applicability based on revenue (e.g., $25 million annual gross revenue), number of consumers’ data processed (e.g., process or control personal data of 100,000 consumers), and/or status as a data broker (e.g., control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data).

In comparison, MHMD applies to “regulated entities,” which is defined as any legal entity that: “(a) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” The definition excludes government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.

Rather than basing its applicability on the traditional thresholds, MHMD creates a category of entities called “small businesses” which are regulated entities that (a) collect, process, sell, or share consumer health data of fewer than 100,000 consumers during a calendar year and/or (b) derive less than 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data, and control, process, sell, or share consumer health data of fewer than 25,000 consumers. However, the impact of qualifying as a small business is only a three month delayed effective date as compared to regulated entities.

In addition, while Section 12 provides a number of exemptions, those exemptions are limited to data level, not entity level, exemptions. For example, MHMD contains a CCPA-like data level exemption for personal information subject to the Gramm-Leach-Bliley Act. (The fact that financial institutions do not have an entity level exemption is perhaps indicative of the overall intended breadth of the bill.) Section 12 of MHMD does contain a number of healthcare-related exemptions based on existing health data laws, which is consistent with MHMD’s stated purpose to extend protections for health data not covered by those laws.

Finally, the definition of “consumer” is broader than the typical definition. MHMD defines the term to include not only Washington residents but also “a natural person whose consumer health data is collected in Washington.” MHMD defines “collect” broadly to include activities such as accessing, retaining, acquiring, or receiving consumer health data in any manner.

MHMD excludes from the definition of consumer “an individual acting in an employment context” and states that “consumer” means a natural person who acts “only in an individual or household context.”

3. Broad Definition of Consumer Health Data

MHMD applies to “consumer health data.” That said, anyone trying to understand the scope of MHMD must understand that the definition of consumer health data is much broader than traditional concepts of health data.

As a starting point, MHMD defines consumer health data to include biometric information. In turn, biometric information is broadly defined as “data that is generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Biometric data includes, but is not limited to: (a) Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; or (b) Keystroke patterns or rhythms and gait patterns or rhythms
that contain identifying information.”

Therefore, for example, face scans and voice recordings from which an identifier template can be extracted (not are extracted) are covered by MHMD even though a covered business (and consumer) may not think of them as health data.

More generally, the definition of “consumer health data” broadly states it means “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” MHMD then lists 13 non-exclusive examples. One of those examples is “data that identifies a consumer seeking health care services.” “Health care services” is broadly defined to mean “any service provided to a person to assess, measure, improve or learn about a person’s mental or physical health.”

During the legislative process business advocates argued that the definition could cover someone buying ginger at a grocery store because ginger can be used as a home remedy for nausea. Business advocates also argued that the definition could extend to the purchase and use of ordinary products such as groceries, athletic equipment, footwear, perfumes, jewelry, toys, and cleaning products (to name a few). An amendment to exclude these products was defeated in the Senate with bill proponents maintaining that the definition is not as broad as feared. Ultimately, the scope of this definition will likely be up to the courts to determine given the inclusion of a private right of action.

In addition, the definition of “personal information” states that it “includes, but is not limited to, data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier.” This definition becomes important because, as discussed below, MHMD requires consent for the collection and sharing of consumer health data and “valid authorization” for the sale of consumer health data. Therefore, covered businesses will need to carefully think through their collection of persistent unique identifiers from Washington residents and what obligations that might trigger.

Finally, it is worth noting that there are exceptions for publicly available information, deidentified data, and information used for certain types of research.

4. Strong Consent-Based Requirements and Privacy Rights

In our prior blog post we examined MHMD’s requirements in greater detail, but here is a summary of some of its more notable requirements:

Consent to Collect or Share

Regulated entities must obtain consent (a defined term) to collect or share (another defined term) consumer health data unless the collection or sharing is necessary to provide a product or service that the consumer has requested. Consent must be obtained prior to the collection or sharing and the request for consent must contain certain specified information.

Valid Authorization to Sell Consumer Health Data

Regulated entities must obtain a consumer’s valid authorization to sell consumer health data. This must be done by providing the consumer with specific disclosures.

Rights

Consumers have the right to:

• Confirm whether the regulated entity is collecting, sharing or selling their consumer health data;

• Access the consumer health data;

• Obtain a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and an active email address or other online mechanism to contact these third parties;

• Withdraw consent; and

• Delete their consumer health data

Privacy Policy

Regulated entities must maintain a “consumer health data privacy policy” that contains certain types of disclosures.

Geofencing

“Persons” (a term that is defined broader than regulated entities) are prohibited from implementing a geofence around an entity that provides in-person health care services under certain circumstances. This provision of MHMD does not have a delayed effective date like the data privacy provisions.

5. Quick Effective Date

For regulated entities, MHMD’s data privacy provisions will go into effect on March 31, 2024. For small businesses, those provisions go into effect June 30, 2024.

[View source.]