There are many health data privacy and protection laws in the US. Most people know that HIPAA protects their privacy and requires protection of their personal health information. But it only applies to specific businesses classified as covered entities (doctors, hospitals, pharmacies, health insurance companies) and to the companies that provide services to covered entities, called business associates. Some states (California, Florida, Illinois, Indiana, Kansas, Kentucky, Minnesota, New Jersey, Oregon, and Washington) extend the privacy or security requirements of HIPAA with their own health data privacy laws, which generally apply to the equivalent of HIPAA's covered entities and business associates.
On April 27, 2023, the Washington State My Health My Data Act (MHMD) was signed into law. It defines non-HIPAA "consumer" health data, which broadens the definition of personal health data considerably. It also extends the set of businesses subject to the law to businesses of any size, including nonprofits:
- if the business collects or processes consumer health data in Washington state for any person
- or collects or processes the consumer health data of Washington state residents anywhere in the world.
Here are some questions about your organization to help you decide whether you should read further:
- Do you have an office or data center in Washington state?
- Does your company sell to Washington state residents any products associated with any kind of non-prescription health treatment, including over-the-counter supplements?
- Does your organization collect any information about individuals' health directly from those individuals?
- Does your business purchase advertising or behavioral targeting data from a data broker that may be related to consumer health?
- Does your business offer any guidance to individuals about their health, and do you collect IP addresses from your website visitors?
- Who are your business customers? Does your business process (collect, analyze, store, augment, ship products for, or market on behalf of) personal health data for any organization that is subject to the law?
If the answer to any of the questions above is yes, or you are unsure, read further.
MHMD definition of consumer health data
MHMD regulates the collection and sharing of "consumer health data," defined as any form of "personal information" that "identifies the consumer's past, present, or future physical or mental health status." The Act provides a sample list of the types of health data it covers, but the list is not exhaustive: data outside the sample categories can still be covered. Here is a shortened description of the sample categories:
- Individual health conditions, treatment, diseases or diagnoses.
- Social, psychological, behavioral and medical interventions.
- Health-related surgeries or procedures.
- Use or purchase of prescribed medication.
- Bodily functions, vital signs, symptoms, or measurements related to the information described in the consumer health data definition.
- Diagnoses or diagnostic testing, treatment or medication.
- Gender-affirming care information.
- Reproductive or sexual health information.
- Biometric data.
- Genetic or genomic data.
- Precise location information, or any other data, that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies.
- Any information inferred, derived, or generated by any means (including algorithms or machine learning) from the categories above, or from non-health information, that is combined with other data about an individual or used to identify an individual as associated with the categories above. This includes persistent unique identifiers such as an advertising ID, an IP address, or a device identifier.
There is no exemption for organizations as such, but the following data is exempt:
- De-identified data
- Data covered by HIPAA
- Data covered by GLBA
- Data covered by FCRA
- Data covered by FERPA
- Data managed by government agencies or tribal nations
- Employee data
- Data governed by Title XI of the Social Security Act
- Data governed by the Washington health benefits exchange and the rules of the insurance commissioner
- Publicly available information, i.e., information lawfully made available through government records or by the consumer
- Consumer health data used for research that is approved, monitored, and governed by an institutional review board, a human subjects research ethics review board, or a similar independent oversight entity
Transparency and Consumer consent
Organizations are required to publish a consumer health data privacy policy that explains the categories of consumer health data collected, the purposes for which the data is collected and used, the categories of organizations with whom the data is shared, the sources of the consumer health data, and how consumers can exercise their privacy rights.
- Businesses must obtain consent from consumers before collecting their consumer health data, unless the collection is necessary to deliver a product or service the consumer has requested.
- If an organization begins collecting categories of consumer health data that are not listed in the Consumer Health Data Privacy Policy published on its website, it must obtain affirmative consent before collecting the additional data.
- If a business uses consumer health data for any purpose other than the one the consumer would expect, e.g., a secondary purpose, it must first obtain affirmative consent from the consumer.
- If a business shares consumer health data with any other organization, e.g., by sharing a list or by deploying a web pixel that sends data to a social media platform, it must first obtain the consumer's consent to do so. Selling consumer health data is treated more strictly and requires a separate, signed authorization from the consumer.
Consumer Rights
Under the Washington My Health My Data act, consumers have the following rights:
- Access to their data, including a list of all third parties and affiliates with whom the regulated entity or small business has shared or sold the consumer health data, and an active email address or other online mechanism that the consumer may use to contact those third parties.
- A right to withdraw consent for the collection and sharing of their data
- A right of deletion
Businesses have 45 days to respond and may extend that period by an additional 45 days. As with other privacy laws, businesses must verify that the person making the request is the consumer in question or is authorized to act on their behalf. Consumers have a right to appeal a business's decision on their request.
When must your business comply
If your business is subject to the law, it must generally be in compliance by March 31, 2024. Small businesses have until June 30, 2024 to comply. There are no minimum thresholds based on revenue or on the number of consumers whose data is collected.
For those of you who want to read the original bill, here is a link to it: https://app.leg.wa.gov/billsummary?BillNumber=1155&Year=2023