Washington’s My Health My Data Act (MHMDA), signed into law last year, is here and goes into effect on March 31, 2024, with small businesses having until June 30, 2024 to comply. As previously reported, the new data privacy law is broad and will have significant impact for both Washington residents and persons whose business or data flows through the state. In brief, the legislation is intended to protect consumer health data not otherwise protected by state and federal healthcare privacy regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Our previous LawFlash provides a more detailed analysis, but some key aspects of the Act are as follows:

• The Act covers “regulated” (those that conduct business in Washington or target Washington consumers) and “small business” (groups that collect data of fewer than 100,000 consumers per year) entities
• The Act restricts how entities can collect, use, and process “consumer health data,” which includes information that is linked to the consumer’s “past, present, or future physical or mental health status”
• Covered entities must maintain a “consumer health data privacy policy” on their homepage and include a number of disclosures on what data will be collected as well as how collected data will be used
• Violations of the Act may lead to private class action lawsuits under the Washington Consumer Protection Act or an investigation and possible enforcement from the Washington State Attorney General (AGO)

Earlier this year, the Washington AGO issued guidance offering its interpretation of the MHMDA, indicating how the state’s enforcement agency may focus its efforts. For instance, the guidance makes clear that the AGO believes all entities subject to the law will need to create and maintain a new and distinct link to an MHMDA-specific privacy policy on their web homepages.

The AGO also notes that it interprets the MHMDA as a strict liability statute, with violations of the statute amounting to a per se violation of the state’s Consumer Protection Act. This in turn authorizes fines of up to $7,500 per violation and creates an avenue for private action.