This is Part Twelve, the final installment of our series of legal updates on the Washington My Health My Data Act (“WMHMDA”). We are thrilled that you came along as we dove into the intricacies of WMHMDA that are creating waves in the privacy space – and not just for the health and life sciences industry.
The kids are heading back to school, and the best season of the year arrives soon (football season, that is). In this part we will take one last trip to the beach to see what waves the Washington Office of the Attorney General (“AG”) is making with recent guidance on WMHMDA.
Catch up with the WMHMDA summer series:
Walk Down Memory Lane: Summer 2023 WMHMDA Series
In April, we introduced you to the WMHMDA with an Overview that set the tone for our summer series. There, we discussed the first-ever comprehensive state privacy regulation applicable exclusively to health data and skimmed the surface of this landmark law.
In June, things really started to heat up. We spent Part One picking out our beach reads together and identified regulated entities as the main characters of the WMHMDA. We arrived at the beach in Part Two, and we used our sand tools to dig up information about consumers covered by the WMHMDA.
In Part Three took a dip in the water and avoided getting caught in the undertow when defining the broad scope of consumer health data. That was a close one! By Part Four, the tide began to turn, and we had an insightful conversation about geofencing as we watched the sun set.
In Part Five, we celebrated the 4th of July by discussing a topic setting off fireworks in the privacy community: consent and authorization requirements for the collection, use, disclosure, sharing, sale, and other processing of consumer health data. We worked on our tan in Part Six. Because we are all privacy pros, we applied an extra coat of sunscreen (a WMHMDA consumer health data privacy policy) to avoid the burn of a potential regulatory mishap under the WMHMDA.
We had a cookout in Part Seven. We asked if you wanted fries with your biometric privacy and you said you preferred to eat carrots from the veggie tray (that’s a biometric data reference, by the way). After we ate, we turned up the volume on our Part Eight-ies playlist and sang along to that part where the Beastie Boys talk about how the WMHMDA doesn’t require you to Fight for Your Right to your consumer health data. Maybe those aren’t the lyrics…
In Part Nine we took a vacation and remembered to pack all of our WMHMDA consumer rights. Lucky for us (or maybe not so lucky), the WMHMDA provides a private right of action if something happens to consumer health data along the way! We returned from vacation just in time for a cold front to arrive in Part Ten where we had a refreshing discussion on operational considerations and how to comply with the WMHMDA. We enjoyed the dog days of summer in Part Eleven and compared WMHMDA with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
That brings us to this week – Part Twelve. What a summer! Let’s grab a light sweater and take time to enjoy the final summer nights at the beach before closing up for the season.
Washington Attorney General Making End-of-Summer Waves
In late July, the Washington AG released non-binding guidance intended to make the applicability of the WMHMDA a bit clearer. Will the highly anticipated guidance shed light on all of the open questions? (TL;DR not really). Some concepts remain murky while others continue to make waves in the privacy community.
The Frequently Asked Questions document published by the Washington AG (FAQ) addresses seven questions. We break them down below.1
1. What are the effective dates for the My Health My Data Act?
To clarify some confusing language in the law regarding effective dates, the Washington AG confirms that WMHMDA effective dates are specific to each section of the law. Geofencing prohibitions and restrictions went into effect July 23, 2023. Regulated entities must comply with the remaining portions of the law beginning March 31, 2024, and small businesses must comply with the remaining portions of the law beginning June 30, 2024.
2. What is the Attorney General’s role in enforcing the My Health My Data Act?
Because violations of the WMHMDA are also a per se violation of the Washington Consumer Protection Act (“CPA”) (more on this here), the Washington Attorney General is permitted to enforce the WMHMDA in the same manner as it enforces the Washington CPA. Recall that privacy actions are also available to consumers.
3. How will a business located outside of the state of Washington but that stores its data in Washington be impacted?
One of the key open questions on the WMHMDA is whether and how it will be applied to businesses physically located outside of Washington, but which may store, collect, or process data in Washington. The Washington AG’s response provides some clarity; however, we expect additional questions will remain about how the law can be enforced outside of the state’s borders.
This FAQ response reiterates the two-pronged test for a “Regulated Entity,” namely an entity that: (a) conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.
Notably, however, the Washington AG expressly states that an entity that only stores data in Washington is not considered a Regulated Entity for purposes of the WMHMDA. It is not clear whether the Washington AG is emphasizing the need to meet both prongs of the test or whether this FAQ indicates that the Washington AG is going to take a narrow interpretation of the second prong given the broad definitions of “collect” and “process” in WMHMDA. So how do you rely on this FAQ? We have some thoughts below.
Note that this potential flexibility does not extend to out-of-state entities that are processors for entities that are considered Regulated Entities or Small Businesses under the WMHMDA. Even if those out-of-state entities have limited processing responsibilities and do not otherwise have any nexus with Washington, performing certain functions for a Regulated Entity or Small Business will require that a processor outside of Washington comply with the WMHMDA.
In sum, this FAQ response may provide some comfort to entities that only store data in Washington but remember, it is non-binding guidance. It does not necessarily prevent individuals bringing private right of actions and the conclusions stated by the Washington AG may not be dispositive in the courts. We do expect that a Court would defer to the AG’s interpretation of this law generally, but time will tell how it is ultimately interpreted. Unfortunately, the AG’s guidance does not thoroughly address other important questions regarding the extraterritorial application of the WMHMDA.
4. Is a business that is covered by the My Health My Data Act required to place a link to its Consumer Health Data Privacy Policy on the company’s homepage?
Yes. Unfortunately, this FAQ response does not address the more complicated questions about the Consumer Health Data Privacy Policy. For example, must it be a stand-alone statement (with potentially duplicative information likely to confuse consumers) or can it be incorporated into an existing website privacy policy?
5. Does the definition of consumer health data include the purchase of toiletry products (such as deodorant, mouthwash, and toilet paper) as these products relate to “bodily functions”?
Interestingly, the Washington AG’s response to this question states: “Ordinarily, information limited to the purchase of toiletry products would not be considered consumer health data. For example, while information about the purchase of toilet paper or deodorant is not consumer health data, an app that tracks someone’s digestion or perspiration is collecting consumer health data.”
It is good to see specific examples, but toilet paper and deodorant are generally innocuous products universally purchased unrelated to an individual’s health. It would have been more helpful for the Washington AG’s response to address some of the grey area in defining “consumer health data.” For example, what constitutes data about a “social intervention”; what about less innocuous “bodily functions”; and what are the outer bounds of a “health care service”?
What is clear from this FAQ response is that “consumer health data” is a very broad definition. Interestingly, an app that tracks digestion or perspiration collects consumer health data. While the drafters made it clear that WMHMDA was meant to respond to the Dobbs decision and the gap in health data not covered by HIPAA, this FAQ makes clear that WMHMDA is meant to apply not just to sensitive information (e.g., reproductive data) but very broadly, including to apps that track data that in-and-of-itself does not identify a consumer’s particular health condition.
We recommend proceeding with caution until we see how this plays out in litigation and with the Washington AG’s approach to enforcement, particularly if your company draws inferences about consumer health status based on product purchases, as described in the Washington AG’s response to Question 6.
6. If a regulated entity or small business draws inferences about a consumer’s health status from purchases of products, could that information be considered consumer health data?
The Washington AG’s response confirms that inferred health data does constitute consumer health data, noting information derived or extrapolated from non-health data when used by a regulated entity (or processor) to associate or identify a consumer with consumer health data is in scope. The response highlights an example where purchase data was used to predict pregnancy, noting that such an inference constitutes consumer health data. Further, health-related inferences made from toiletry purchase data would constitute consumer health data (even though the purchase data itself would not constitute consumer health data per Question 5).
7. How may a regulated entity or a small business comply with its obligation to retain copies of a consumer’s valid authorization for sale of consumer health data under section 9 and a consumer’s request to delete their consumer health data under section 6 of the Act?
In response, the Washington AG indicates that the entity should redact the consumer health data from the authorization and retain the redacted document for the six-year retention period. The response offers sample language: “REDACTED pursuant to consumer deletion request on [insert date].”
While specificity from the Washington AG is helpful, the process described may complicate compliance with other state and federal laws applicable to health data and may not be technically feasible with today’s recordkeeping software. To develop a strategy for responding to deletion requests under the WMHMDA, compliance will likely require more planning than some of the ad hoc approaches currently employed with existing comprehensive privacy law deletion requirements.
Can You Rely on the FAQ?
Thankfully the FAQ document hints at future updates. However, be sure to remember that the FAQ document is a “resource for general education purposes and is not provided for the purpose of giving legal advice of any kind. Readers should not rely on information in this guide regarding specific applications of the law and instead should seek private legal counsel.” For this reason, care must be taken when evaluating the current facts of your data management practices relative to WMHMDA.
