This is Part Six in a series of legal updates on the Washington My Health My Data Act (“WMHMDA”) in which Quarles continues its deep dive into the various factors and intricacies of WMHMDA that are creating waves in the privacy space – and not just for the health and life sciences industry.

The sun is shining and summer is in full swing. Today, we are applying an extra coat of sunscreen and diving into WMHMDA’s consumer health data privacy policy requirements to avoid those sunburns and the burn of a potential regulatory mishap under the WMHMDA (should these alerts come with an SPF rating? Or perhaps, a “Regulatory Protection Rating”? When used as directed, of course).

Catch up with the WMHMDA summer series: We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in:

• Washington Poised to Transform Consumer Health Data Landscape with Passage of My Health My Data Act
• Part One: What Regulated Entities are Subject to WMHMDA
• Part Two: Consumers Covered by WMHMDA
• Part Three: Broad Scope of Consumer Health Data
• Part Four: Geofencing Requirements
• Part Five: Consent and Authorization Requirements
• Part Six: Privacy Policy (this is what you are reading now)
• Part Seven: Biometric Data
• Part Eight: Individual Rights
• Part Nine: Enforcement and Private Right of Action
• Part Ten: Operational Realities and Next Steps
• Part Eleven: HIPAA vs. WMHMDA (for table lovers)
• Part Twelve: Washington AG Guidance

What is a Consumer Health Data Privacy Policy?

Notice obligations are required under WMHMDA in the form of a “consumer health data privacy policy” that must be prominently linked on a website homepage. Many of the required disclosures will be duplicative of disclosures in a regulated entity’s existing website privacy policy (e.g., requirements under the California Consumer Privacy Act (“CCPA”). However, WMHMDA does not appear to allow for a new WMHMDA, "consumer health data" - specific section of an existing website privacy policy. Consumer health data privacy policy required disclosures include:

• The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;
• The categories of sources from which the consumer health data is collected;
• The categories of consumer health data that is shared;
• A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
• A description of how a consumer can exercise the rights provided in WMHMDA (we will discuss this more in part eight of this series).

How Does a WMHMDA Consumer Health Data Privacy Policy Differ from Other Privacy Notices?

A consumer health data privacy policy differs from other privacy notices in several key ways. Namely, it must include:

• A list of specific affiliates with whom consumer health data is shared. Note that WMHMDA requires listing specific affiliates, not merely the categories of affiliates, where “categories” is what we are used to seeing in other state comprehensive privacy laws (e.g., CCPA).
• A list of categories of consumer health data. This differs from the more common, catch-all “health care data” category we see in other comprehensive privacy policy requirements. Regulated entities should be prepared to drill down into their data mapping processes to distinguish between standard “health data” as personal information and WMHMDA’s categories of health data. Interestingly, WMHMDA does not provide required categories of “health data.” So, how will a regulated entity know how to categorize health data for the consumer health data privacy policy? Without guidance, regulated entities may choose to take a conservative approach (especially in the face of WMHMDA’s individual right of action) and turn to the definition of “consumer health data” as a guide.

Restrictions Stemming from the Consumer Health Data Privacy Policy

WMHMDA places restrictions on processing consumer health data purposes not listed in the consumer health data privacy policy. Specifically, regulated entities cannot collect, use, or share additional categories of consumer health data or for purposes not disclosed in the consumer health data privacy policy without disclosing such additional categories/purposes and obtaining prior affirmative consent. Furthermore, regulated entities may not contract with processors that process consumer health data in a manner that is inconsistent with the regulated entity’s consumer health data privacy policy.

These restrictions highlight the importance of understanding the granular details of consumer health data processing to support the accurate tracking of such categories and the purpose(s) of processing. Entities must balance providing transparency in actual practices against evolving needs development and business planning, and the necessity of IP protections (e.g., trade secrets and patents) when drafting consumer health data privacy policy “categories” and “purposes.” In sum, it is an exercise more complicated than the histology of a sunburn (uh, you know, loss or Langerhans cells, vascuolated kerantinocytes, etc.). Artful drafting will also be required to describe processing in vendor arrangements to ensure alignment with the regulated entity’s consumer health data privacy policy.

Notes from Quarles

Regulated entities must have consumer health data privacy policies posted by March 31, 2024 (June 30, 2024 for small businesses). Now is the time for regulated entities to consider appropriate methods to meaningfully convey the categories of consumer health data and purposes for collection, use, and sharing (without conflicting with existing website privacy policies or notices of privacy practices).

As website homepages get more crowded, regulated entities should make efforts to differentiate between the standard website privacy policy, a consumer health data privacy policy, and a notice of privacy practices (if applicable). While we typically see plain language drafting requirements for these types of consumer-facing notices, the increasing number and evolving nature of privacy policy requirements seem to guarantee consumer confusion. As such, regulated entities may consider additional training for consumer-facing customer service and privacy teams on the receiving consumer inquiries.

Because WMHMDA allows for a private right of action the consumer health data privacy policy will be a critical component in avoiding a regulatory burn. If a regulated entity does not have a linked consumer health data privacy policy that complies with WMHMDA, it will be apparent (to regulators and consumers) that its WMHMDA compliance may be lacking. So, think of a compliant consumer health data privacy policy like sunscreen. You are almost guaranteed to burn without it, and, yes, you have to reapply (reassess) it periodically.

On that note - an annual website privacy policy review is a best practice. Although not explicitly required by WMHMDA, consumer health data privacy policies likely require more frequent review with evolving consumer health data processing uses and changes in affiliates.

Eager to explore new ways to avoid the burn? Part Seven, we will look closer at biometric data collection under WMHMDA. We will also address the Washington Attorney General’s first set of FAQs (released June 30) in a forthcoming update. Until then…turn on your grill and reapply!