Washington State Governor Jay Inslee signed the My Health My Data (MHMD) Act into law on April 27, 2023, and it has quickly become among the most discussed privacy laws of the year. This is not without good reason. While the MHMD shares some DNA with other state privacy laws, it stands apart in many ways that current compliance programs likely don’t consider. Its broad scope and onerous requirements combine for a hefty compliance lift.
Read on for an overview of the MHMD’s deadlines, exceptions, enforcement and action items for your privacy program.
Compliance Deadlines
- Geofences – the prohibition on Geofences is already in effect as of July 23, 2023.
- “Regulated Entities” must comply by March 31, 2024.
- “Small Businesses” must comply by June 30, 2024.
Exceptions
- Employee data is excluded because MHMD only covers individuals acting in an individual or household context.
- Data-level exceptions exist for data subject to HIPAA, GLBA, FERPA, FCRA, and certain Washington State statutes.
- B2B data is excluded because businesses are not natural persons.
Enforcement
Private Right of Action
MHMD’s broad scope sets the stage for significant private litigation, but the potential for a high volume of lawsuits is only half the story. The ambiguous language in the law gives plaintiffs’ attorneys room to bring inventive suits that could catch businesses off guard. This merits added vigilance.
Washington State Attorney General
As with other privacy laws around the country, MHMD is enforced by the office of the Washington Attorney General as a violation of the Washington Consumer Protection Act (WCPA). Note that the AG’s office lacks rulemaking authority.
Action Items
Data Mapping
- Expand your business’s concept of “Health Data”. To account for the broad definition of Consumer Health Data (CHD), start thinking about any data that relates to health, wellness, and fitness. Also, consider data that identifies a consumer seeking out a particular treatment. This can be as simple as geolocation data or purchase history or as complex as inferences drawn from non-health data, like extrapolations made from consumer behavior.
- Update privacy rights procedures to bring CHD into scope. Likewise, note that MHMD provides narrower exceptions to fulfilling privacy rights requests compared to other state privacy laws, meaning that privacy rights procedures will need additional review and updating.
- Be prepared to update your business’s privacy policy with CHD and the MHMD’s specific content requirements in mind.
Monitor for Future Guidance
The Washington Attorney General’s office released an MHMD FAQ over the summer, which helps clarify key points about the law. Keep a close eye on the AG office’s website for additional guidance.
Meanwhile, the ambiguities in MHMD mean litigation will test the boundaries of the law. This creates a high-risk playing field for businesses at first. But the upside is that the outcome of that litigation will help clarify the actual scope and breadth of the law.
Watch for Copycat Laws
Copycat laws have already been passed in Nevada. Based on the proliferation of privacy laws between the states in recent years, it’s likely that more statehouses will follow.
Conclusion
This concludes Part 3 of our My Health My Data blog series discussing this new, important privacy law. We invite you to visit our previous installments Part 1: What You Should Know About Washington’s My Health My Data Act and Part 2: The Implications: Washington’s My Health My Data Act.
For information on how Myna can help you with any or all of these requirements, please contact Dave Cohen, Director at Myna Partners, at dave.cohen@levelupconsult.com, and we’d be happy to set up a free, short consultation to hear about your program needs.