On January 31, 2024, Cooley lawyers Brooke Fritz and Andrew Epstein led a virtual presentation on Washington state’s My Health My Data (MHMD) Act. Below are some key highlights from the discussion.
The MHMD Act’s origins and purposes: In an effort to close the “gap” that exists between consumer knowledge and industry practice under federal protections for “health information” and to further the Washington state Legislature’s “choice-defending” agenda, Washington enacted a law designed to provide heightened protections for – and control around – individuals’ consumer health data.
Applicability: The MHMD Act protects Washington residents and other individuals whose consumer health data is collected or processed in Washington. If the consumer health data flows through Washington, it’s arguably in scope. The MHMD Act applies to statutorily defined “regulated entities” and “small businesses” inside and outside of Washington, without the jurisdictional thresholds commonly found in other US state consumer privacy laws.
Broad definition of “consumer health data”: The MHMD Act defines “consumer health data” broadly, with no relation to diagnosis or treatment by a medical professional, thus encompassing a large swath of health-adjacent or health-related data. The MHMD Act also identifies certain adjacent information to be related to physical or mental health status, meaning that such information constitutes consumer health data.
Compliance obligations: The MHMD Act requires regulated entities to maintain a separate consumer health data privacy policy, obtain opt-in consent for consumer health data collection and sharing activities that are not necessary to provide a product or service that the consumer requested, maintain reasonable information security measures, and more.
Commercial implications: Regulated entities will need to analyze their consumer health data flows and consider how they are using consumer health data beyond providing a requested product or service. Regulated entities also may need to maintain new or additional user consents, modify their use of consumer health data for non-necessary purposes, and enter into appropriate agreements with entities to which they disclose consumer health data. Additionally, regulated entities will need to be able to respond to certain data subject requests.
Enforcement risks: Unlike many other US state consumer privacy laws, the MHMD Act gives private individuals, in addition to the Washington state attorney general, the right to bring claims individually or as a class against noncompliant regulated entities.
For more information, please email Brooke Fritz and Andrew Epstein.