In Part Two of our FAQ series on Washington state’s My Health My Data (MHMD) Act, we answer questions about some of the act’s substantive requirements. As we explained in our previous FAQ, given the MHMD’s breadth, both in the entities and in the data to which it applies, regulated entities should be mindful of their attendant obligations and risk profile.
A key takeaway for regulated entities is that, compared with other US state consumer privacy laws, the MHMD imposes some of the most stringent privacy-compliance obligations, including opt-in consent for certain consumer health data (CHD) processing activities, a deletion right with potentially no exceptions, and a “valid authorization” requirement before any sale of CHD.
At a high level, what does MHMD obligate regulated entities to do?
The MHMD obligates regulated entities to:
- Obtain opt-in “consent” for certain CHD collection and sharing activities.
- Comply with data subject rights.
- Maintain reasonable data security practices, including restricting access to CHD to the personnel, processors and contractors who need it (least privilege).
- Enter into data processing agreements with processors.
- Not sell CHD without a “valid authorization.”
- Not implement a “geofence” around an entity that provides in-person healthcare services under certain conditions.
- Maintain a consumer health data privacy policy.
What must a regulated entity’s consumer health data privacy policy disclose?
The MHMD requires regulated entities to maintain a consumer health data privacy policy that clearly and conspicuously discloses:
- The categories of CHD, and the purpose(s) for which the regulated entity collected the data and how it will use such data.
- The categories of sources from which the regulated entity collected the data.
- The categories of data the regulated entity shares.
- A list of the categories of third parties and specific affiliates with which the regulated entity shares data.
- How consumers can exercise their rights under the MHMD.
What this means: Similar to other US state consumer privacy laws, the MHMD obligates regulated entities to inform consumers of the “what,” “why” and “how” of their collection, use and sharing of categories of CHD. The MHMD also appears to require regulated entities to match each category of CHD they collect to the purposes for collecting that specific category, as well as to the uses for that category. Unlike many other US state consumer privacy laws, the MHMD obligates a regulated entity to disclose a list of the specific affiliates with which it shares CHD.
When is consent necessary under MHMD?
Consent for certain collections of CHD
The MHMD prohibits a regulated entity from collecting CHD unless it is either necessary to provide a product or service that the consumer requested, or the regulated entity obtains the “consent from the consumer for such collection for a specified purpose.” The consent must be obtained prior to the collection.
Consent for certain sharing of CHD
The MHMD defines “share” or “sharing” to mean to “release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity or a small business to a third party or affiliate.” The consent must be obtained prior to “sharing,” but it is not needed in certain instances (for example, sharing necessary to provide a product or service that the consumer requested).
A regulated entity also must provide notice and obtain prior consent for the collection, use or sharing of:
What does ‘specified purpose’ limitation mean in collection of CHD?
The MHMD prohibits a regulated entity from collecting CHD unless it obtains the “consent from the consumer for such collection for a specified purpose.” However, the act is not clear as to whether a regulated entity can rely upon an overarching “consent” disclosing the collection of CHD for all purposes, or if it needs to obtain separate consent for each purpose for which the CHD will be used.
What this means: Where consent is required for collection, regulated entities will have to identify the purposes for which they are collecting CHD. At a minimum, regulated entities will have to identify those purposes at an aggregate level (not matching them to each collection of CHD, but ensuring that the list of purposes is comprehensive). A middle-ground approach would be to identify a specific purpose for the collection of each category of CHD, for example in a tabular format similar to that used by some organizations to comply with the CCPA. More conservatively, a regulated entity could present a detailed consent notice at the time it obtains consent that identifies the specific purpose for each category of CHD at issue. In all cases, regulated entities must build out a consent flow that reflects the approach they choose.
What constitutes compliant ‘consent’ to collect and share CHD under MHMD?
The MHMD defines “consent” as a “clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means.”
Examples of invalid consent
The consent must clearly and conspicuously disclose:
- The categories of CHD collected or shared.
- The purpose of the collection or sharing of the CHD, including the specific ways in which it will be used.
- The categories of entities with which the CHD is shared.
- How consumers can withdraw consent from future collection or sharing of their CHD.
What this means: Where required under the MHMD, consent is “opt in” by default, in comparison to “opt out” under many other US consumer privacy laws. As such, regulated entities likely will need to modify their consumer interaction and consent flows to meet the MHMD’s requirements. Absent receipt of a consumer’s affirmative indication in relation to the collection and sharing of their CHD, regulated entities may not be able to process CHD in the same manner in which they had prior to the act’s effective date.
Do regulated entities need to obtain separate consents for collecting, then sharing, CHD?
The MHMD indicates that consents for sharing and collecting CHD must be “separate and distinct.”
What this means: Regulated entities likely will need to update their consumer onboarding and consent flows, which might introduce friction into the consumer experience (CX). Regulated entities should have product/service and CX designers work closely with their legal teams to address the MHMD’s requirements.
What does ‘to the extent necessary to provide a product or service’ limitation mean in MHMD’s collection and sharing requirements?
The MHMD does not obligate regulated entities to obtain consent to the collection and sharing of CHD “to the extent [such activities are] necessary to provide a product or service” that the consumer “has requested.” The MHMD does not define what is “necessary” or what it means for a consumer to “request” a product or service – for example, if a regulated entity offers a product or service, and the consumer accepts the offer, does that mean that the consumer “requested” the product or service?
What this means: Generally, most organizations view certain “adjacent” personal data processing as “necessary” to provide a product or service to a consumer. These include using such data to:
- Investigate, respond to, exercise or defend legal claims.
- Protect an interest for the life or physical safety of a consumer or another individual.
- Conduct internal research to develop, improve, or repair products or services.
- Perform internal operations that are reasonably aligned with a consumer’s expectations.
Many organizations also commonly use personal data to improve their products and services. The Washington legislature, however, considered and did not adopt a proposed amendment that would have allowed a regulated entity to use CHD for these and other similar purposes. This creates both a risk that the MHMD does not permit such activities absent a consumer’s consent and an argument that the Washington legislature viewed such an explicit permission as superfluous.
Collection activities likely “necessary” to provide a product or service include collecting directly identifiable information that allows the regulated entity to fulfill the specific business transaction. Sharing activities likely “necessary” to provide a product or service include disclosing CHD to a third party at the consumer’s direction – for example, a gym referral service that, in response to consumer-supplied CHD that includes health conditions, exercise objectives and a request to be connected to potential gyms, identifies potential gyms, and then connects the consumer to the gyms while disclosing the consumer’s CHD so the gyms can then conduct outreach to the consumer. In this example, the gym referral service receives no payment or other consideration from the gyms for the disclosure of CHD.
Data subject rights
Are there significant differences in data subject rights under MHMD, compared to other US state consumer privacy laws?
While many of the MHMD’s rights (access/know, consent withdrawal, deletion, appeal and anti-discrimination) are common in other US state consumer privacy laws, the MHMD imposes knowledge and deletion rights unlike those afforded under these other laws. Some of these are outlined below.
Right to know
The MHMD obligates regulated entities not only to inform consumers of the categories of third parties and affiliates to which they have shared or sold CHD, but also to provide a specific “list” identifying all such third parties and affiliates, and an active email address or other online mechanism that consumers can use to contact these entities.
Right to delete
The MHMD does not contain typical exceptions found in other US consumer privacy laws, such as the ability to retain CHD to respond to legal claims despite receiving and responding to a deletion request. It also obligates regulated entities to flow down deletion requests to affiliates, processors and others with which the regulated entity has shared such CHD.
What this means: Regulated entities may find it challenging to comply with the MHMD’s data subject rights regime. Regulated entities likely will find it necessary to have an accurate data map (what CHD they hold, where it came from and to whom it has gone) to respond accurately to right-to-know requests and to flow down deletion requests. Regulated entities also may need to make compliance choices, in other words whether to honor a deletion request or retain the data to defend against a legal claim, that could create potential liability either way.
How does MHMD define ‘sale’ of CHD?
The MHMD defines a “sale” as the “exchange of CHD for monetary or other valuable consideration.” The MHMD excludes certain activities from constituting sales, such as exchanges related to corporate-organizational transactions (e.g., mergers, acquisitions, etc.), as well as disclosures to processors.
What this means: Similar to other US state consumer privacy laws, the MHMD defines data “sales” broadly, beyond transfers in exchange for money. To avoid triggering the act’s “valid authorization” requirement for sales (or its consent requirement for “sharing”), regulated entities should evaluate whether any transmissions or other external disclosures of CHD constitute a “sale” (or “sharing”) under the MHMD. For example, regulated entities that leverage third-party advertising cookies on their websites should evaluate whether that practice constitutes a “sale” under the MHMD. In addition, transfers to vendors without the required contractual limitations may constitute “sales.”
What’s required to get valid authorization for sale of CHD?
Before selling or offering to sell CHD, a regulated entity must obtain a “valid authorization” from the consumer for that sale. The authorization must be a “document” that identifies:
- The specific CHD to be sold.
- The seller’s name and contact information.
- The purchaser’s name and contact information.
- A description of the sale’s purpose.
- A statement that the consumer’s signing of the authorization will not impact the provision of the goods or services.
- A statement that the consumer has the right to revoke the authorization.
- A statement that the CHD may be subject to redisclosure and not further protected by the MHMD.
- A one-year expiration date for the authorization.
- The consumer’s signature and date.
What this means: The onerous nature of the MHMD’s “sale” obligation may cause regulated entities to reconsider such “sales.” For example, due in part to the breadth of the “consumer health data” and “sales” definitions, regulated entities that operate websites and use third-party advertising cookies may decide to no longer leverage such tools.
Does MHMD require regulated entities to authenticate data subject requests and, if so, how?
The MHMD does obligate regulated entities to “promptly take steps to authenticate a consumer request” to exercise rights under the act using “commercially reasonable efforts.” Regulated entities may not require a consumer to create a new account in order to exercise rights under the act (but may require a consumer to use an existing account). Beyond those instructions, the language of the MHMD does not provide further guidance on meeting this standard.
What this means: Unlike, for example, California’s or Colorado’s rules on authenticating or verifying data subject requests, the MHMD provides little guidance on how to authenticate a consumer request. However, regulated entities likely can leverage the verification processes they have built out under other state privacy laws to address the MHMD’s requirements.
What are regulated entities’ obligations to secure CHD?
The MHMD obligates regulated entities to establish, implement and maintain administrative, technical and physical data security practices. They are also required to restrict access to CHD to only those employees, processors and contractors for whom access is necessary to provide a product or service or to further the purposes for which the consumer provided consent.
The MHMD provides that the security practices must, at a minimum, satisfy the “reasonable standard of care” within the regulated entity’s industry and be appropriate to the volume and nature of the CHD at issue.
What this means: Except for access restriction requirements, the MHMD does not prescribe specific security practices or controls. Rather, it employs a reasonableness standard that is common under existing privacy and data security laws. The MHMD sets the floor for reasonableness based on industry practices. As such, regulated entities will need to evaluate how their “industry” addresses personal information security (which could vary widely depending on a regulated entity’s business). However, regulated entities additionally should consider:
- Benchmarking not only at their industry’s level, but also against similar peers within their industry.
- Confirming that the entity complies with its existing security program.
- Performing and documenting risk assessments and the controls used to mitigate identified material risks.
- Building their security program around accepted industry standards, such as the CIS Critical Security Controls (formerly the CIS Top 20), ISO 27001/27002, the NIST Cybersecurity Framework, and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Implementing compliant access rights and controls likely will require regulated entities to gain a detailed understanding of their personal information flows, the purposes for which they must process personal information, and the personnel needed (or not needed) to achieve those purposes. Implementing access controls is not a new concept, but the stakes may be higher given the private right of action in the statute: an access decision under the MHMD turns not only on who is asking, but on whether the purpose of the access is necessary to provide the requested product or service or is covered by a consent the consumer has given and not withdrawn.
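The following is an added illustration, not code from the original article or from any regulated entity, of what a purpose-bound, deny-by-default access check for CHD could look like: access is granted only when the requesting role is permitted to act for the stated purpose and that purpose is either necessary to deliver a service the consumer actually requested or covered by an unwithdrawn consent for that data category. The role table, service-to-category map, consumer record and all names are hypothetical assumptions constructed for the example.

```python
"""Purpose-bound least-access check for consumer health data (CHD).

Added example (not the article's or any entity's code). All role names,
purposes, service definitions and consumer data below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Consent:
    """A consumer's opt-in consent for specific categories and purposes."""
    categories: frozenset[str]
    purposes: frozenset[str]
    withdrawn: bool = False


@dataclass
class ConsumerRecord:
    """Services the consumer has requested plus the consents on file."""
    requested_services: set[str]
    consents: list[Consent] = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical role -> purposes that role is allowed to act for.
ROLE_PURPOSES: dict[str, set[str]] = {
    "care_coordinator": {"fulfill_service"},
    "support_agent": {"fulfill_service"},
    "marketing_analyst": {"marketing"},
}

# Hypothetical service -> CHD categories strictly necessary to deliver it.
SERVICE_NECESSARY: dict[str, set[str]] = {
    "gym_referral": {"health_conditions", "exercise_objectives"},
}


def authorize(role: str, purpose: str, category: str,
              consumer: ConsumerRecord, service: str | None = None) -> Decision:
    """Decide whether `role` may access `category` of CHD for `purpose`.

    Deny by default: every branch that does not positively match returns
    a denial with a reason suitable for an audit log.
    """
    # 1. Role gate: the role must be entitled to act for this purpose at all.
    if purpose not in ROLE_PURPOSES.get(role, set()):
        return Decision(False, f"role '{role}' may not act for purpose '{purpose}'")

    # 2. Necessity branch: no consent needed, but only for a service the
    #    consumer requested and only for categories necessary to deliver it.
    if purpose == "fulfill_service":
        if service is None or service not in consumer.requested_services:
            return Decision(False, "consumer has not requested this service")
        if category not in SERVICE_NECESSARY.get(service, set()):
            return Decision(False, f"'{category}' not necessary for '{service}'")
        return Decision(True, f"necessary to provide requested service '{service}'")

    # 3. Consent branch: an active (unwithdrawn) consent must cover both the
    #    category and the purpose; a withdrawn consent grants nothing.
    for consent in consumer.consents:
        if (not consent.withdrawn
                and category in consent.categories
                and purpose in consent.purposes):
            return Decision(True, f"covered by consent for purpose '{purpose}'")
    return Decision(False, f"no active consent for '{category}' / '{purpose}'")


if __name__ == "__main__":
    # Constructed consumer: requested a gym referral and consented to
    # marketing use of health_conditions only.
    alice = ConsumerRecord(
        requested_services={"gym_referral"},
        consents=[Consent(frozenset({"health_conditions"}), frozenset({"marketing"}))],
    )
    checks = [
        ("care_coordinator", "fulfill_service", "health_conditions", "gym_referral"),
        ("care_coordinator", "fulfill_service", "precise_location", "gym_referral"),
        ("marketing_analyst", "marketing", "health_conditions", None),
        ("marketing_analyst", "marketing", "exercise_objectives", None),
        ("support_agent", "marketing", "health_conditions", None),
    ]
    for role, purpose, category, service in checks:
        d = authorize(role, purpose, category, alice, service)
        print(f"{role:17} {purpose:16} {category:19} -> {d.allowed} ({d.reason})")
```

The design choice worth noting is that the role table alone never grants access; it only says which purposes a role may invoke. Whether a given record may be read is decided per consumer, which is what lets the same check also enforce consent withdrawal (a withdrawn consent simply stops matching) without touching role assignments.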
Data processing agreements with ‘processors’
How does MHMD define ‘processor’ – and what parts of MHMD must processors comply with?
The MHMD defines a “processor” as “a person that processes consumer health data on behalf of a regulated entity or a small business.” Processors must:
- Abide by deletion requests subject to the MHMD’s requirements.
- Enter into contracts with regulated entities or small businesses that meet the MHMD’s requirements.
- Process CHD only in a manner consistent with the regulated entity’s instructions.
- Assist regulated entities in fulfilling their obligations under the MHMD (including by implementing appropriate technical and organizational measures).
What this means: Unlike other US state consumer privacy laws, the MHMD directly applies to processors in several respects, so processors must be proactive in their contracting and operational efforts to comply with the MHMD.
Why do regulated entities want to convert their vendors to ‘processors’ under MHMD?
To prevent certain CHD disclosures from constituting impermissible “sales” or “sharing,” for which a regulated entity would have additional compliance obligations under the MHMD, regulated entities will want to enter into written agreements with their vendors that comply with the act’s requirements, thereby making those vendors “processors.”
What this means: On a practical level, regulated entities should want to control how entities to which they are disclosing CHD are using such data. This matters from several different vantage points, such as customer trust, proprietary business information value and information security. The added benefit under the MHMD is that disclosing CHD to a “processor” falls outside the act’s “sales” and “sharing” definitions.
What should contracts between regulated entities and their vendors contain to convert vendors into ‘processors’?
Similar to other US state consumer privacy laws, the MHMD obligates regulated entities to enter into binding contracts with their processors that set forth the relevant CHD processing instructions and limit the actions the processor may take with respect to the CHD (e.g., processing it only on a regulated entity’s behalf).
What this means: Regulated entities need to maintain an accurate understanding of organizations to which they disclose CHD and for what purposes. Further, regulated entities likely will want to enter into contracts that obligate processors only to process CHD for the purposes of providing services back to the regulated entity; otherwise, such activities could violate the MHMD’s consent requirements and cause the disclosure of CHD to these entities to constitute a CHD “sale” or “share” for which additional compliance obligations are then triggered. This may result in protracted negotiations with some service providers that desire, for example, to use personal information to improve their own services (such as their algorithms).
Can processors become directly subject to MHMD?
Yes. The MHMD provides that a processor becomes a “regulated entity” with respect to the CHD at issue when it either fails to comply with the regulated entity’s instructions or processes CHD outside the scope of its contract with the regulated entity.
What this means: To avoid becoming inadvertently subject to the MHMD, “processors” likely will need to enter into contracts with regulated entities that satisfy the MHMD’s requirements, even if a regulated entity does not ask for it. Moreover, vendors desiring to act as processors to avoid more onerous compliance obligations under the MHMD will need to understand their data processing activities and avoid processing that could convert them into a “regulated entity.”
What’s a ‘geofence’?
Under the MHMD, a “geofence” is a virtual boundary established around a specific physical location using spatial or location detection technology, where the boundary lies 2,000 feet or less from the perimeter of that location. For example, a geofence around a reproductive services facility (such as an abortion clinic) would consist of technology that draws such a boundary around the facility or identifies consumers located within it. The MHMD prohibits any person (regardless of whether it is a regulated entity) from implementing a geofence around an entity that provides in-person healthcare services where the geofence is used to:
- Identify or track consumers.
- Collect CHD from consumers.
- Send communications to consumers related to their CHD or healthcare services.
What this means: This provision of the MHMD goes into effect on July 23, 2023, earlier than most of the act’s other requirements. The prohibition may affect multipurpose locations such as grocery chains that also operate pharmacies where, for example, the grocery chain wants to notify a consumer that the consumer is close to the aisle where the consumer previously purchased a product.
The MHMD reflects a growing trend of new and additional privacy protections beyond those afforded under federal law. In our final FAQ installment, we will address the MHMD’s private right of action, which could lead to a considerable uptick in consumer privacy class action litigation.