The Washington My Health My Data Act (WHMDA) is a new law that aims to protect the privacy and security of personal health information in Washington State. The law applies to any entity that collects, uses, or discloses personal health information in Washington or about Washington State residents. Not-for-profit organizations and patient advocacy groups that serve the rare disease community are significantly, and possibly inadvertently, affected by the law. For non-profits and other small businesses, the WHMDA takes effect in two stages: the requirement to implement restricted access to consumer health information applies on March 31, 2024, and the full requirements of the law apply on June 30, 2024.

One of the important aspects of the WHMDA is that it defines personal health information very broadly, more broadly than the federal Health Insurance Portability and Accountability Act (HIPAA). According to the law, personal health information means any information that relates to the past, present, or future physical or mental health or condition of an individual, or that identifies or could reasonably identify an individual. This includes:

  • individual health conditions, treatment, status, diseases, or diagnoses;
  • social, psychological, behavioral, and medical interventions;
  • health-related surgeries or procedures, diagnostic testing, and treatment;
  • use or purchase of medication;
  • bodily functions, vital signs, symptoms, or related measurements;
  • gender-affirming care information;
  • reproductive or sexual health information;
  • biometric and genetic data related to consumer health data;
  • precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; and
  • any consumer health data information that is derived or extrapolated from non-health information, such as proxy, derivative, inferred, or emergent data.

When Compliance is not required:

If a non-profit, e.g., a rare disease patient advocacy group, collects personal health information via a research project that has an independent oversight entity such as an Institutional Review Board (IRB), it is exempt from the Washington My Health My Data Act. If a non-profit is a Business Associate under HIPAA or is covered by other Washington State specified health information privacy and security laws, it is also exempt from the law.

Compliance Requirements

If a non-profit is subject to the law, it must:

1. Publish a Health Data Privacy Notice that includes:

  • The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;
  • The categories of sources from which the consumer health data is collected;
  • The categories of consumer health data that is shared;
  • A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
  • How a consumer can exercise their rights.

2. Obtain written consent from individuals to collect data and before disclosing their health information to third parties, unless an exception applies.

3. Provide individuals with the right to access, correct, delete, and transfer their health information.

4. Implement reasonable administrative, technical, and physical safeguards to protect health information from unauthorized access, use, or disclosure.

5. Notify individuals and the state attorney general of any breach of health information within 30 days.

6. Maintain records of consent and disclosure for at least six years.

7. Comply with the state’s consumer protection act and other applicable laws.

Other Information:

The law grants individuals the right to sue covered entities for violations of their privacy rights and to seek injunctive relief, actual damages, and statutory damages of up to $10,000 per violation. The state attorney general can also enforce the law and impose civil penalties of up to $2,500 per violation or $25,000 per individual affected by a breach.

For additional information on the act, see the Washington State Attorney General’s page.

For related articles, see https://assuredspc.com/resource-library/