While it is not officially summer, it is after Memorial Day, a.k.a. the perfect time to pick out your beach reads. We recommend bumping Quarles’ series on the Washington My Health My Data Act (“WMHMDA”)  to the top of your reading list. While not a frothy historical romance or twisty thriller, the series offers a deep dive into the uncharted waters of the WMHMDA delivered with dose of humor as sharp as a shark’s tooth. WMHMDA is already shaping up to create a sea change in the privacy space – and not just for the health and life sciences industry. As such, it is likely to be one of the hottest privacy topics this summer.

Origin Story

We provided an initial overview of the landmark law and its origins immediately after its passage, but we provide a quick recap below.  

WMHMDA

WMHMDA was signed into law by Governor Jay Inslee on April 27, 2023, making it the first state legislation to offer a comprehensive privacy approach specific to consumer health data. While five other states passed comprehensive consumer privacy legislation thus far in 2023, WMHMDA is shaping up to be arguably the most consequential due to its scope, compliance requirements, individual rights, and private right of action. The Washington legislature’s unique approach differs from the typical comprehensive or sectoral binary approach that U.S. privacy legislation traditionally follows, effectively blurring the lines between the two approaches and presenting a new set of compliance requirements for a broad range of entities, in and out of Washington.

Table of Contents

We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in:

• Part One: What Regulated Entities are Subject to WMHMDA (this is what you are reading now)
• Part Two: Consumers Covered by WMHMDA
• Part Three: Broad Scope of Consumer Health Data
• Part Four: Geofencing Requirements
• Part Five: Consent and Authorization Requirements
• Part Six: Privacy Policy
• Part Seven: Individual Rights
• Part Eight: Enforcement and Private Right of Action
• Part Nine: Operational Realities and Next Steps
• Part Ten: HIPAA vs. WMHMDA (for table lovers)

Our series begins with this overview of “regulated entities” subject to WMHMDA. This concept is crucial to understanding the Act, and we will refer to “regulated entities” throughout our series.

“Regulated Entities” Subject to WMHMDA

If you are counting at home, this is the first of what will be many mentions of the breadth of this Act. WMHMDA’s definition of “regulated entities” is broad enough that most non-governmental entities will need to think through its applicability. Something that sets WMHMDA apart from all existing U.S. state comprehensive privacy laws is that there is no threshold for applicability based on revenue or number of consumers whose data is processed. Instead, WMHMDA takes an approach similar to the EU General Data Protection Regulation (“GDPR”) and applies to “regulated entities” broadly defined as any legal entity that:

• Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
• Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data

The definition excludes “government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.” Aside from these entities, WMHMDA does not provide full entity exemptions, including no exemption for non-profit entities, as seen with several other state comprehensive privacy laws. And although there are data-level exemptions, which we will discuss in Part 3, there are also no entity-level exemptions that we typically see (e.g., entities subject to HIPAA, FERPA, GLBA).

WMHMDA includes a “small business” concept, where small businesses are entities subject to the Act as a subset of “regulated entities.” Small businesses must meet the same compliance obligations as regulated entities, and the only benefit for small businesses is a slightly delayed compliance date for WMHMDA obligations.

Are Regulated Entities Limited to Washington-Based Businesses? No. The definition of a “regulated entity” only requires a nexus to Washington (namely, an entity that “produces or provides products or services that are targeted to consumers in Washington”). It is not yet clear how broadly this nexus requirement will be interpreted, but potentially the mere presence of websites accessed by consumers in Washington could trigger the first prong of the definition. Time will tell whether regulators will issue guidance or leave this for the courts to decide.

Controllers and Processors. The second prong of the definition adopts GDPR-like data-controller language (i.e., “alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data”).

In addition to controllers, WMHMDA does include the concept of “processors.” The Act defines a “processor” as “a person that processes consumer health data on behalf of a regulated entity or a small business.” Processors’ use of consumer health data must be limited to the contractual instructions from the regulated entity. WMHMDA does not include prescriptive contractual requirements or significant liability for processors. However, if processors process consumer health data outside the scope of the processor’s contract with the regulated entity, the processor will become a regulated entity subject to all WMHMDA obligations with respect to such data.

Additional issues raised by WMHMDA are forthcoming. Turn on your grill, grab your floaties, and get ready to dive in.