Enforcement of Washington’s My Health My Data Act (MHMDA or the Act) starts now. Passed by the Washington state legislature last year and designed broadly to protect “consumer health data,” the Act is one part of a larger trend by regulators at both the state (Nevada and Connecticut) and federal levels to protect online and other information that does not fit within the narrow scope of Health Information Portability and Accountability Act (HIPAA). As discussed previously, the Act followed the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, rendering reproductive health data particularly sensitive following the abolition of a federal constitutional right to abortion. And, the Act’s broad definitions have the potential to draw in online businesses, websites, apps, and other entities (wellness, fitness, nutrition providers to name just a few), that have no offices in the state, but whose operations may include the online collection of regulated data of Washington residents, persons in Washington and, potentially, persons whose information is processed within the State.

Since its enactment last year, the Washington Attorney General’s Office has released a set of Frequently Asked Questions (FAQ) largely confirming the Act’s intended broad application – including to processors and out-of-state businesses and inferences made off regulated data. Effective March 31, the Act allows for State AG enforcement and for consumers to leverage existing unfair and deceptive act private right of action (PROA) to sue businesses directly in certain instances. PROAs are frequently leveraged by consumers to address perceived (or real) privacy harms, including from the online collection of data including through cookies, pixels, other tracking technologies, and chatbots. While the existence of the PROA means class action filings alleging violation of the My Health My Data Act will ensue, as discussed below, there are some reasons to hope the Act may go the way of the California Privacy Protection Act (CCPA)’s PROA – high expectations of a tsunami of filings tempered by courts consistent and narrow interpretation of the PROA scope.

Nonetheless, it is critical that businesses evaluate the who, what and how of compliance with the Act, and monitor emerging MHMDA jurisprudence to mitigate the risk of litigation.

The Who: “Regulated Entities,” “Processors” and “Consumers”

The MHMDA imposes obligations on “regulated entities” which is a legal entity that either: (i) conducts business in Washington or (ii) produces or provides products or services that are targeted to consumers in Washington; and who alone or jointly with others, determine the purpose and means of collecting, processing, sharing, or selling of consumer health data. While small businesses were given a short enforcement delay of three months, or through June 30, there is no financial or processing applicability threshold that must be met to come within the scope of the Act. The “jointly with other” language of the definition is expressly aimed to include processors and the State Attorney General’s FAQs expressly clarify that: “Out-of-state entities that are processors for regulated entities or a small business must comply with the Act.”

Next, the MHMDA defines a “consumer” as a person acting in their personal or household capacity – and excludes individuals acting in the employment context.  Additionally, a “consumer” is a Washington resident or a person whose consumer health data is collected in Washington. “Collect” is defined as “to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.”

Together, the Act appears to include within its scope: (1) Washington residents; (2) non-Washington residents whose consumer health data is collected while they are in the State; and (3) potentially even non-resident consumer health data that is processed within in the State. As some of the largest cloud providers and their servers are located in Washington, this has led some to suggest that the online storage of consumer health data may be in scope insofar as in-state certain cloud service providers or servers are utilized. However, on this point, the State Attorney General’s FAQs provide that “An entity that only stores data in Washington is not a regulated entity.”

The What: “Consumer Health Data,” Inferences and Exceptions

The MHMDA defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status.” Examples provided by the Act include:

• Health conditions, treatment, diseases, or diagnosis;
• Social, psychological, behavioral, and medical interventions;
• Health-related surgeries or procedures;
• Use or purchase of prescribed medication;
• Bodily functions, vital signs, symptoms, or measurements of information;
• Diagnoses or diagnostic testing, treatment, or medication;
• Gender-affirming care information;
• Reproductive or sexual health information;
• Biometric data and genetic data;
• Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
• Data that identifies a consumer seeking health care services; and
• Health information that is derived or inferred from non-health data.

Recalling the context underlying the Act’s enactment (particularly the post-Dobbs concern of information revealing reproductive health status), it is no surprise that the Act directly includes inferences within its scope. On this point, the State Attorney General’s FAQs provide the following elaborative response to the question “Are toiletries (like toilet paper or deodorant) covered by the definition of consumer health data?”:

• Ordinarily, information limited to the purchase of toiletry products would not be considered consumer health data. For example, while information about the purchase of toilet paper or deodorant is not consumer health data, an app that tracks someone’s digestion or perspiration is collecting consumer health data.
• The definition of consumer health data includes information that is derived or extrapolated from non-health data when that information is used by a regulated entity or their respective processor to associate or identify a consumer with consumer health data. This would include potential inferences drawn from purchases of toiletries.

Expressly excepted from the Act’s definition of “consumer health data” is: (1) Protected Health Information (PHI) covered by HIPAA; (2) information subject to certain federal privacy laws such as Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), the Fair Credit Reporting Act (FCRA), the Social Security Act, and Washington state insurance rules; (3) publicly available information; (4) de-identified data and (5) certain clinical trial and research data.

The How: Components of MHMDA Compliance  

Generally, the Act follows a strict Notice/Disclosures, Consent, and Consumer Rights framework, with add-on vendor and data processing requirements.

1. Notice: Yes, Regulated Entities Must Post a Consumer Health Privacy Policy. Regulated entities are required to post a separate, standalone privacy policy (Consumer Health PP) that complies with the Act’s disclosure requirements. The Consumer Health PP must be distinct and cannot be within a larger privacy policy or include non-MHMDA required language. In addition to disclosures around the collection and use of consumer health data, the Act requires that regulated entities name specific affiliates that will have access to consumer health data.
2. Required Disclosures. While the Consumer Health PP must be separate from a larger enterprise PP, the content required to be disclosed is similar to that required by other state privacy laws, including (i) the categories of consumer health data collected; (ii) the categories of sources from which consumer health data is collected; (iii) the purposes for which consumer health data is collected and used; (iv) the categories of consumer health data that is shared; (v) a list of the categories of third parties with which consumer health data is shared; and (vi) a description of how a consumer can exercise the rights of access, deletion, and withdrawal of consent.
3. Opt-In Consents and Authorization. The MHMDA requires regulated entities to obtain:
   1. Separate Opt-In Consents to Collect and Share Consumer Health Data: The MHMDA requires regulated entities to ask consumers for opt-in consent before collecting consumer health data and, separately, before sharing that data. Both “collect” and “share” are broadly defined, and “share” does not include monetary remuneration and includes disclosures to corporate affiliates.
   2. Valid Authorization to Sell Consumer Health Data: The MHMDA strongly discourages the sale of consumer health data. The Act does this by broadly defining “sale” as disclosing/making available for monetary or other valuable consideration, and prohibiting the sale of consumer health data unless the entity obtains a signed authorization meeting several formal requirements from the consumer. Businesses will need to evaluate whether they are engaging in the “sale” of consumer health information via their online and other marketing partnerships, where such a term has in other contexts, such as the CCPA, been extended to parts of the targeted advertising ecosystem.
4. Consumer Rights and Requests. The MHMDA provides consumers with specified privacy rights such as: right to access, right to withdraw, right to delete, and right to appeal. The right to access includes the right to a list of all third parties and affiliates with whom a regulated entity has shared or sold the consumer’s health data.
5. Data Processor Agreements. Updates to existing DPAs and Service Provider Addendums are expected to address MHMDA’s requirement that regulated entities restrict processors’ processing of consumer health data for other non-approved purposes.
6. Restrict Access to Consumer Health Data and Have Reasonable Security Measures in Place: Regulated entities must restrict access to consumer health data to only those employees, processors, and contractors for which access is necessary to further the purposes for which the consumer provided consent and must maintain administrative, technical, and physical data security practices that satisfy a reasonable standard of care.
7. Geofencing. The Act explicitly prohibits the use of geofencing technology within a 2,000 ft. virtual boundary of any physical location that provides in-person healthcare services, if the geofence is used to: “(1) identify or track consumers seeking healthcare services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.”

What’s Next? Risk of Successful Class Action Litigation under the MHMDA May be Overstated.

The Act provides that a violation of the Act is an unfair or deceptive act under the Washington Consumer Protection Act (CPA), which has a PROA provision by which consumers may directly sue businesses. To bring a CPA claim, a plaintiff-consumer must show (1) an unfair or deceptive practice; (2) occurring in trade or commerce; (3) impacting the public interest; and (4) injuring a plaintiff in his or her business or property; as well as (5) causation between the unfair or deceptive practice and the injury suffered. By its express language, the Act provides that a violation of its terms (presumably, a violation of a material requirement of the MHMDA) satisfies the first three elements of a CPA claim. In other words, plaintiffs do not need to independently plead (or prove) that a violation of the Act also was deceptive or impacted the public interest, the Washington State Legislature has expressly found that it is so.

While this per se violation of the CPA finding is an enormous giveaway to consumers, the remaining two elements of a CPA claim should not be overlooked. A plaintiff will need to plead and prove injury to business or property that is caused by the defendant’s violation of the Act. While there is some Washington case law that says the injury need not be economic (i.e., monetary), the perceived harms plaintiffs commonly bring in privacy litigations – invasion of privacy, generic risk or fear of identity theft, anxiety – generally do not fit within existing CPA injury definitions. If narrowly interpreted by courts, many types of privacy harms may not satisfy the CPA’s required fourth element of injury. We also expect to see plaintiffs continue to advance – and defendants rebut – the theory that personal information is “property” capable of injury under the CPA, as they do in other contexts.

In addition to proving injury, MHMDA plaintiffs will also need to prove actual damages. This is because – unlike the California Invasion of Privacy Act (CIPA) or the CCPA – the MHMDA does not provide statutory or liquidated damages for a violation (but does allow for attorneys’ fees). The Act’s requirement for proof of actual damages, plus recent out-of-state decisions finding that healthcare harms are individualized, means the MHMDA may not be a great vehicle by which to pursue class action litigation.

Nonetheless, when generating a Consumer Health Privacy Policy, regulated entities should also consider whether to include a class action waiver, individual arbitration (updated to address the risk of mass arbitrations), or other provisions specifically to address the risk of MHMDA litigation.

The careful evaluation of business collection, use, and disclosure of consumer health information (including information that may reveal inferences about consumer health) has never been more critical than with the onset of the MHMDA and related state and federal initiatives that seek to protect consumer health and other sensitive data. While onerous, businesses can leverage existing privacy compliance programs to address the heightened requirements of the MHMDA, and the time to do so is now.