In this multipart FAQ series, we break down Washington state’s My Health My Data (MHMD) Act (the “MHMD Act” or “Act”). The MHMD Act is arguably one of the most stringent privacy laws in the US, and it further complicates the already byzantine US-patchwork approach to privacy. While the MHMD Act purports to focus on healthcare-related data and close the “gap” that exists for entities not governed by the Health Information Portability and Accountability Act (“HIPAA”), it applies on a much wider basis to more data and to organizations whose core business may have nothing to do with healthcare.
In this Part One FAQ, we address to whom and to what data the law applies, among other questions. In later parts, we will explore the law’s specific requirements and enforcement issues – including a private right of action that could trigger a litigation avalanche.
At a high level, what is the law’s purpose?
The MHMD Act’s preamble proclaims that privacy is a fundamental right, and that health information is among the most sensitive categories of information. In this light, the preamble goes on to state that the Act’s purpose is to provide Washingtonians with heightened protections for – and control over – their health data.
Through the preamble and contemporaneous statements in support of the law, the Washington Legislature attempted to make clear that the MHMD Act seeks to regulate traditional and nontraditional healthcare-oriented companies in relation to “consumer health data” as a result of the US Supreme Court’s reversal of Roe v. Wade. The law’s impact, however, goes far beyond this laudable goal and will apply to organizations whose core services are not focused on healthcare – including nonprofits and entities that may otherwise be able to take advantage of “entity-level” exemptions under other state privacy laws.
When does the law go into effect?
Due to idiosyncrasies in the legislature’s drafting, certain provisions of the MHMD Act come into effect on July 23, 2023 (for example, the prohibition on implementing specific geofences around an entity that provides in-person health care services), while others come into effect on March 31, 2024 (and June 30, 2024, for “small businesses” as defined by the Act).
Who is the law intended to protect?
The law is intended to protect “consumers,” which include any natural person who is a Washington resident, as well as any natural person whose consumer health data is collected in Washington. Consumers include only individuals acting in an individual or household context and do not include those acting in an employment context.
What this means: Unlike other state-level privacy laws, this law protects and provides rights to natural individuals who are not residents of Washington state, including the right to sue for violations of the law. The concept of “consumer” is not even limited to US residents and would appear to provide protections to natural persons anywhere globally (so long as their consumer health data is “collected” in Washington, with “collect” defined to include “processing” of consumer health data in any manner). The MHMD Act does not appear to apply to people acting as representatives of their businesses or as employees of businesses, which is more consistent with other state laws.
To what organizations does this law apply?
- Regulated entities inside and outside of Washington state
The law applies to a “regulated entity,” which is any legal entity (excluding government agencies, tribal nations and certain other entities in relation to providing services on behalf of government agencies) that (i) “conducts business” in Washington, or that “produces or provides products or services that are targeted to consumers in Washington”; and (ii) determines the means and purposes of collecting or processing “consumer health data.”
What this means: Unlike other US state consumer privacy laws, because the MHMD Act has no revenue thresholds, no minimum number of consumers before the law applies and, largely, no entity-level exemptions (for example, nonprofits and entities subject to other federal or state privacy laws), the MHMD Act will sweep in a vast number of organizations inside and outside of the state.
- Data controllers
For the law to apply to an organization, the organization must determine the purposes and means of collecting, processing, sharing or selling consumer health data (in other words, acting as a “controller” under other privacy laws).
What this means: While it appears the law is not intended to apply to processors that only process personal information on behalf of data controllers, the odd manner in which the MHMD Act defines “collect” casts some doubt on that interpretation. “Collect” is defined to include “otherwise process[ing]” consumer health data and may sweep in “service providers” that attempt to de-identify, aggregate, anonymize or otherwise process consumer health data for purposes other than providing a service directly back to the regulated entity.
- Small businesses
The law defines “small business[es]” and sets certain thresholds to fall within this designation. Small businesses, however, are a subset of “regulated entities” and are not exempted from the Act.
What this means: The MHMD Act imposes a complex set of requirements – and potential lawsuits and regulatory actions – on small organizations that may not have the means or ability to comply and largely affords only a brief three-month reprieve from most of the law’s obligations.
Beyond traditional healthcare organizations
As discussed further below, based on the definition of “consumer health data,” the law may apply to a multitude of entities that are not traditional healthcare organizations – including app providers (not just those focused on mental or physical health), original equipment manufacturers (OEMs), brick-and-mortar stores, informational websites and platforms.
What this means: It would be prudent to analyze closely whether the MHMD Act’s broad (and sometimes circular) definitions capture any activity in which an organization may be engaged.
My business is not located in Washington state. Does this law still apply to it?
The law seeks to regulate organizations that are not located in Washington state. It applies to any business that “produces or provides products or services that are targeted to consumers in Washington,” which does not require a physical presence in the state. Moreover, it is possible the concept of “conducting business” by itself may be adequate for jurisdiction over non-Washington businesses (e.g., an organization with a website that is accessible by Washington residents). As such, the law has extraterritorial reach.
To what type of data or information does the law apply?
The law applies to “consumer health data.” The MHMD Act, however, defines “consumer health data” in a rather complex and more encompassing manner than one might typically expect.
- General definition
“Consumer health data” means:
- “[P]ersonal information” that “identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer.”
- Information that “identifies the consumer’s past, present, or future physical or mental health status.”
What this means: Unlike other US privacy laws (for example, breach notification laws), the MHMD Act does not define consumer health data in relation to diagnosis or treatment by a medical professional. The lack of this qualification arguably brings in a large swath of health-adjacent or health-related data.
- Specifically identified information
The law applies to data beyond traditional health data because the law defines “physical or mental health status” to include the following, without limitation (several of these categories are potentially much broader than traditional health data):
- Individual health conditions, treatment, diseases or diagnoses.
- Social, psychological, behavioral and medical interventions.
- Health-related surgeries or procedures.
- Use or purchase of prescribed medication.
- Bodily functions, vital signs, symptoms or measurements of the information described in the consumer health data definition.
- Diagnoses or diagnostic testing, treatment or medication.
- Gender-affirming care information.
- Reproductive or sexual health information.
- Biometric data, including:
- Genetic data.
- Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.
- Data that identifies a consumer seeking healthcare services.
- Any information that a regulated entity or small business – or their respective processor – processes to associate or identify a consumer with the data described above that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred or emergent data by any means, including algorithms or machine learning).
What this means: Organizations that do not think of themselves as having anything to do with healthcare or processing health-related data may be subject to the Act. For example, an app provider or OEM collecting precise geolocation information – for purposes totally unrelated to monitoring an individual’s “health” – may be collecting “consumer health data,” because it is conceivable that someone other than the app provider or OEM could use the information to ascertain whether the individual traveled to a hospital, doctor or spa to acquire or receive health services or supplies. An IP address for a visitor to a nonprofit’s website focusing on depression would likely be considered consumer health data. The consumer health data definition could include a unique identifier tied to a cookie when an individual visits a wellness provider’s website for purposes of ascertaining recipes.
- Nonhealth information
Significantly, consumer health data also includes any “nonhealth information” that a regulated entity, or its processor, uses to identify or associate a consumer with other categories of consumer health data, including proxy, derivative, inferred or emergent data by any means, including algorithms or machine learning.
What this means: The law also applies to data used to re-identify individuals and tie them to consumer health data (for example, purchase histories tied to a consumer that may identify a consumer’s bodily functions).
- Carve outs to consumer health data
There are some information-level carve outs from the consumer health data definition, including certain data collected in the clinical trial/research context and publicly available information (though oddly defined). The law also includes carve outs for certain information regulated by other laws – including HIPAA, the Gramm-Leach-Bliley Act and laws pertaining to quality improvement and peer review committees, hospitals and other healthcare-oriented functions. Finally, consumer health data does not include de-identified data, although the law defines that term in a restrictive manner.
Does this law apply to companies that collect precise geolocation information, even if they have nothing to do with healthcare or the physical or mental status of a consumer?
The law likely applies to any regulated entity (including companies) that collects precise geolocation information that could reveal a consumer’s activities related to acquiring healthcare services, regardless of the entity’s intent or use in collecting such information. This may include, for example, mapping software that captures location information related to visits to doctors’ or dentists’ offices, wellness providers (for example, massage therapists) or pharmacies, regardless of whether the regulated entity is collecting such information for purposes of inferring an individual’s attempts to acquire healthcare services or supplies. This arguably requires nonhealthcare-related companies to anticipate how their users may use services in a manner that relates to or reveals their healthcare activities.
Does the MHMD Act regulate companies engaged in Big Data analytics or the use of artificial intelligence and machine learning related to consumer health data?
Yes. For example, a regulated entity that uses artificial intelligence and machine learning to identify other consumer health data from nonhealth information, or to derive other consumer health data, would likely be covered by the Act.
As you can see from the FAQs above, the MHMD Act operates very differently from other state privacy laws. It arguably has one of the widest applications, including to organizations outside the state of Washington. The MHMD Act also provides protection and a private right of action to non-Washington residents (perhaps on a global basis). Moreover, the definition of consumer health data is so broad that it appears to pull in general IT service providers whose services might process certain personal data that could expose health-related information about consumers. As such, organizations of all shapes and sizes should very carefully analyze whether and how the law may impact them. In our next FAQ installment, we will answer questions related to significant obligations and risks of the MHMD Act – including a potentially game-changing opt-in regime and a private right of action.