Washington Attorney General Publishes Updated FAQ for My Health My Data Act

Cooley LLP

Without much fanfare, the Washington attorney general’s office updated its My Health My Data (MHMD) Act guidance FAQ in January 2024. Specifically, the updated guidance states that the consumer health data privacy policy must have its own “separate and distinct link” on a regulated entity’s homepage and “may not contain additional information not required under the My Health My Data Act.”

This updated FAQ means regulated entities likely will need to have a wholly separate consumer health data privacy policy that addresses only the MHMD Act’s privacy policy requirements, because the Washington attorney general’s guidance states that the consumer health data privacy policy may not contain any information not required under the MHMD Act. As a result, regulated entities likely won’t be able to rely on a one-size-fits-all general privacy policy that also, for example, addresses the privacy policy requirements under the California Consumer Privacy Act and other state consumer privacy laws. Further, regulated entities likely will not be able to make the consumer health data privacy policy a subsection within their general privacy policy. (For more information about the MHMD Act’s privacy policy content requirements, please refer to our June 2023 blog post.)

The consumer health data privacy policy also must be linked separately and distinctly on the regulated entity’s homepage. The MHMD Act defines “homepage” to be not only the introductory page of the website but also any other webpage where personal health data is collected – which means, in practice, that each regulated entity will need to propagate the link to its consumer health data privacy policy across its website footers.

This update to the FAQ means the MHMD Act further encroaches on website operators’ limited footer real estate by requiring a separate link to the consumer health data privacy policy, in addition to other states’ requirements for links to general privacy policies, notices at collection, and/or opt-out/do not sell links. In the end, these requirements may add to consumers’ confusion, as they have to click through and piece together different privacy policies, statements and/or disclosures in an effort to understand how regulated entities process their data.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising
