Washington State Governor Jay Inslee signed the My Health My Data (MHMD) Act into law on April 27, 2023, and it has quickly become one of the most discussed privacy laws of the year. This is not without good reason. While the MHMD shares some DNA with other state privacy laws, it stands apart in many ways that current compliance programs likely don’t consider. Its broad scope and onerous requirements combine for a hefty compliance lift.
Read on for an overview of the MHMD’s scope for your privacy program.
Broad Applicability and Scope
National Reach
- “Regulated Entities” and “Small Businesses” are subject to MHMD if they control Consumer Health Data and either conduct business in Washington or target Washington consumers with their products and services.
- Small Businesses are Regulated Entities that meet certain thresholds based on revenue and the number of consumers whose data is processed annually. Small Businesses have an extra 3 months to comply with the law.
- Processors are entities that process data on behalf of Small Businesses and Regulated Entities.
Exceptionally Broad Statutory Definitions
The breadth of MHMD comes from how it defines key terms. We take each term’s definition in turn and explain how it affects your business. See terms below:
- Consumer Health Data (“CHD”) – “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”
  - Individual health conditions, treatment, diseases, or diagnosis
  - Social, psychological, behavioral, and medical interventions
  - Health-related surgeries or procedures
  - Use or purchase of prescribed medication
  - Bodily functions, vital signs, symptoms, or measurements
  - Diagnoses or diagnostic testing, treatment, or medication
  - Gender-affirming care information and reproductive or sexual health information, including “efforts to research” related services
  - Biometric data (any data generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics that identifies a consumer and specifically includes imagery of the face and voice recordings from which an identifier template can be extracted, etc.)
  - Genetic data (any data that concerns a consumer’s genetic characteristics, regardless of format)
  - Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.
  - Data that identifies a consumer seeking “healthcare services,” meaning services to “assess, measure, improve, or learn about a person’s mental or physical health”
  - Any information that a Processor, Regulated Entity, or Small Business processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (note that this includes AI modeling based on CHD)
Takeaway:
This definition is expansive and non-exhaustive, meaning CHD includes more than conventional health data, as defined by HIPAA and other privacy laws. Start thinking of CHD as health, wellness, fitness, and care-seeking information rather than just medical information.
- Consumer – “a natural person who acts only in an individual or household context, however identified, including by any unique identifier.”
  - Natural persons that reside in Washington
  - Natural persons whose CHD is collected in Washington
Takeaway:
While MHMD excludes employees and covers only individuals acting in an individual or household context, even non-Washington residents located around the country are considered consumers under MHMD if their data is collected in Washington.
- Collect – “to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.”
Takeaway:
MHMD uses “Collect” as a catch-all term for just about any contact with CHD. This includes the act of storing CHD in Washington, a process that at minimum requires compliance with the valid authorization and geofence requirements discussed below.
Conclusion
This concludes Part 1 of our MHMD Act Insight Series, an overview of this new, important privacy law. We invite you to check back in the coming weeks to read the future installments. Next week, in Part 2, we’ll unravel the crucial MHMD Requirements, and the following week we’ll provide an in-depth exploration of MHMD Implications for compliance and what it entails.
For information on how Myna can help you with any or all of these requirements, please contact Dave Cohen, Director at Myna Partners, at dave.cohen@levelupconsult.com, and we’d be happy to set up a free, short consultation to hear about your program needs.