The Requirements: Washington’s My Health My Data Act – Part 2 MHMD Series

Washington State Governor Jay Inslee signed the My Health My Data (MHMD) Act into law on April 27, 2023, and it has quickly become among the most discussed privacy laws of the year. This is not without good reason. While the MHMD shares some DNA with other state privacy laws, it stands apart in many ways that current compliance programs likely don’t consider. Its broad scope and onerous requirements combine for a hefty compliance lift.   

MHMD imposes many requirements that your business should take note of, including several never-before-seen obligations. For the requirements that overlap with current state privacy laws, the procedures driving your business’s compliance should still be reviewed and updated to bring consumer health data (CHD) into scope. We have grouped our overview of these requirements into unique and overlapping categories to highlight the MHMD’s novel challenges.

Read on for an overview of the MHMD’s requirements for your privacy program. 

Unique Requirements 

Geofences

Geofences are virtual fences around real, physical locations. They use GPS and similar technologies to track who enters and leaves the premises, and when. MHMD outright bans the use of geofences for certain purposes within 2,000 feet of facilities that provide in-person health services and facilities that store CHD. The prohibited purposes of geofences include tracking, identifying, collecting CHD from, and sending notifications or advertisements to consumers.  

The geofences ban has already taken effect as of July 23, 2023.  

Opt-in Consent to Collect CHD

Obtain prior, opt-in consent from consumers before collecting or processing their CHD, except when processing is necessary to provide the products or services that the consumer requested. This consent must be tied to a specific purpose. Additionally, a separate opt-in consent is required before disclosing CHD to third parties apart from service providers, except when processing is necessary to provide requested products and services.  

Valid Authorization to Sell CHD

Before selling or even making an offer to sell CHD, businesses must obtain consumers’ valid authorization. Valid authorization goes beyond consent, requiring that the business have the consumer sign and date a document written in plain language that provides specifics on the CHD to be sold, the purchaser, the purpose of the sale, and additional content like an explanation of the consumer’s right to revoke their authorization and the means of revocation.

Overlapping Requirements

Privacy Policy 

Draft and publish a privacy policy directed at privacy practices related to CHD. 

Privacy Rights

  • Right to Know: Notably, consumers have the right to receive a list of third parties and affiliates with whom their CHD has been shared, and an email address to contact each.
  • Right to Withdraw Consent from collection or sharing
  • Right to Delete: Notably, this includes archived and backup data.  
  • Right to Appeal 

Data Protection Agreements 

Draft, review, and implement agreements with relevant processors that include instructions for processing CHD and bind the processor to the MHMD’s relevant requirements. 

Security

Implement administrative, technical, and physical security measures to protect CHD and specifically implement need-to-know access controls around CHD. 

Conclusion

This concludes Part 2 of our My Health My Data blog series discussing this new, important privacy law. We invite you to continue reading our previous and upcoming installments. In Part 1, What You Should Know About Washington’s My Health My Data Act, we share a concise overview of MHMD. Check back next week to read Part 3, in which we’ll discuss MHMD’s deadlines, exceptions, enforcement, and action items.

For information on how Myna can help you with any or all of these requirements, please contact Dave Cohen, Director at Myna Partners, at dave.cohen@levelupconsult.com, and we’d be happy to set up a free, short consultation to hear about your program needs.