On April 27, 2023, Washington’s Governor Inslee signed the My Health My Data Act (MHMDA) into law, adding a new wrinkle to the increasingly complex patchwork of state privacy laws. As opposed to the other recently enacted laws that broadly regulate any type of personal information, MHMDA creates new consumer rights and obligations for businesses relating specifically to consumers’ health-related data. The law expressly aims to close the gap between current industry practices and consumers’ knowledge of how their health-related data is collected, stored, and transferred by expanding the obligations of businesses that process such data but are not covered by the Heath Insurance Portability and Accountability Act (HIPAA). Most sections of the MHMDA will come into effect on March 31, 2024 (June 30, 2024, for small businesses). Crucially, the MHMDA includes a private right of action for aggrieved consumers to bring a claim directly against a business to recover any actual damages sustained, including reasonable attorney's fees. Civil penalties can rise to $7,500 per violation but can also include treble damages, capped at $25,000. A violation of the MHMDA can also be enforced by Washington’s attorney general as a violation of the Washington Consumer Protection Act.
MHMDA applies to any entity that (i) conducts business in the state of Washington or provides services targeted to Washington consumers, and (ii) determines the purpose and means of processing consumers’ health-related data. Notably, unlike all of the recently enacted and currently pending comprehensive U.S. state privacy laws, there is no minimum number of data subjects or revenue threshold that businesses need to satisfy in order to fall within its scope. Moreover, since MHMDA applies to any consumer whose health-related data is collected in Washington, its scope seems to include in out-of-state residents whose health information is collected by Washington-based businesses.
The MHMDA regulates the collection and processing of "consumer health data," defined broadly as "personal information that is linked or reasonably linkable to a consumer and that identifies a consumer’s past, present, or future physical or mental health." This definition is so expansive that some types of information not traditionally considered health-related — like unique identifiers collected by the operator of an Internet property that has some nexus to personal health — could be covered. MHMDA prohibits regulated entities from collecting or sharing any consumer health data without consumer consent unless such collection or sharing is necessary to provide a product or service that the consumer has requested from the regulated entity.
Businesses subject to the MHDMA must afford consumers with certain rights, including rights to know what data the business collects, to whom the business discloses that data, and the right to withdraw consent and request that data be deleted. MHMDA also requires regulated entities to maintain reasonable data security practices to protect consumer health data. Interestingly, MHMDA also makes it unlawful to implement a "geofence" to track and collect consumers’ data around a business that provides in-person "health care services."