Without much fanfare, the Washington attorney general’s office updated its My Health My Data (MHMD) Act guidance FAQ in January 2024. Specifically, the updated guidance states that the consumer health data privacy policy must have its own “separate and distinct link” on a regulated entity’s homepage and “may not contain additional information not required under the My Health My Data Act.”

This updated FAQ means regulated entities likely will need to have a wholly separate consumer health data privacy policy that addresses only the MHMD Act’s privacy policy requirements, because the Washington attorney general’s guidance states that the consumer health data privacy policy may not contain any information not required under the MHMD Act. As a result, regulated entities likely won’t be able to rely on a one-size-fits-all general privacy policy that also, for example, addresses the privacy policy requirements under the California Consumer Privacy Act and other state consumer privacy laws. Further, regulated entities likely will not be able to make the consumer health data privacy policy a subsection of their general privacy policy. (For more information about the MHMD Act’s privacy policy content requirements, please refer to our June 2023 blog post.)

The consumer health data privacy policy also must be linked separately and distinctly on the regulated entity’s homepage. The MHMD Act defines “homepage” to be not only the introductory page of the website but also any other webpage where personal health data is collected – which means, in practice, that each regulated entity will need to propagate the link to its consumer health data privacy policy across its website footers.

This update to the FAQ means the MHMD Act further encroaches on website operators’ limited footer real estate by requiring a separate link to the consumer health data privacy policy, in addition to other states’ requirements for links to general privacy policies, notices at collection, and/or opt-out/do not sell links. In the end, these requirements may add to consumers’ confusion, as they have to click through and piece together different privacy policies, statements and/or disclosures in an effort to understand how regulated entities process their data.

Authors

Mari Dugas

Andrew Epstein

Lei Shen

Posted by Cooley