On April 27, 2023 the Washington State “My Health My Data Act” (the “WMHMDA”) was signed into law by Governor Jay Inslee and took effect on July 23, 2023. It is a consumer protection law that creates extensive consumer rights in health-related data and corresponding obligations for the businesses that collect, use, or share it.
We are committed to updating you on legislation that may impact your business, which is why we’re providing a brief overview of the WMHMDA and three items to consider immediately for compliance if any part of your business touches Washington. This includes businesses that process cloud data with either Amazon Web Services or Microsoft, the two largest cloud service providers, since both are headquartered in the state of Washington.
Overview:
The WMHMDA came out of the Dobbs v. Jackson Women’s Health Organization decision, which returned the regulation of abortion to the states. In the opinion’s aftermath, Washington State moved quickly to close the gap in health data protections for Washingtonians, because HIPAA covers only health data collected by specific healthcare entities. The WMHMDA is codified in Title 19 of the Revised Code of Washington, which governs business regulations.
The legislature purposefully made the WMHMDA’s definitions broad. There was notable pushback from healthcare employers during the 2023 hearings about the act unfairly harming them. At the hearing before the House Civil Rights & Judiciary Committee on January 24, 2023, healthcare employers testified that they were concerned about the bill’s private right of action and wanted a right to cure to counterbalance the broad definitions, but no cure period entered the act after any of the four legislative hearings held by the two chambers.
The WMHMDA’s definitions reach not only any consumer in the state of Washington, but also any consumer whose health data is processed in Washington, not merely collected there. The act also carries a robust private right of action that gives a plaintiff’s attorney the ability to pursue entities whose only connection to Washington is where their data is processed. The WMHMDA is enforced through the Washington Consumer Protection Act, which permits private causes of action and class action lawsuits. Litigants may recover attorneys’ fees and treble damages of up to $25,000.
The WMHMDA applies to any entity that offers “healthcare services,” meaning any service provided to a person to assess, measure, improve, or learn about that person’s mental or physical health. This definition can apply broadly to grocery stores, gyms, and health food stores as well as traditional healthcare facilities such as hospitals and clinics. The WMHMDA covers entities gathering information not only on an individual’s mental and physical health conditions, treatment, diseases, or diagnoses, but also data related to reproductive health, genetic data, gender-affirming care, and information as granular as biometric data.
It is the geofencing provision that may surprise employers. A “geofence” is technology that uses global positioning coordinates, cell tower connectivity, cellular data, and wifi data to set a virtual boundary, a fence, around a specific physical location. Once a device crosses into that boundary, the entity that set the fence is notified. The statute defines the geofence boundary as 2,000 feet or less from the perimeter of the physical location. The legislature gave the scenario of a woman seeking an abortion who receives automatic messages once she crosses the geofence boundary. The unintended consequence may be that a store that tracks an IP address and correlates purchases to gender, a gym that records health data, or a yoga studio could all be liable under the act.
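To make the 2,000-foot threshold concrete, the following is an added example (not code from the original post or from the statute) showing how an engineer might audit a location-based notification trigger against the statutory boundary. It assumes a facility perimeter approximated as a circle around a center point, uses the haversine great-circle formula for distance, and runs on constructed coordinates and radii chosen for illustration.

```python
"""Audit a geofence against the 2,000-foot statutory boundary.

Added example; the circular facility perimeter, the facility
coordinates and the sample device locations are all assumptions
constructed for illustration, not data from the original post.
"""
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_FT = 20_902_231.0   # mean Earth radius, 6,371,000 m in feet
STATUTORY_LIMIT_FT = 2_000.0     # boundary distance set by the statute

# Constructed facility: a center point plus the radius of its perimeter.
FACILITY = {"lat": 47.6062, "lon": -122.3321, "perimeter_radius_ft": 150.0}


def haversine_ft(lat1, lon1, lat2, lon2):
    """Great-circle distance in feet between two WGS84 lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_FT * asin(sqrt(a))


def distance_from_perimeter_ft(lat, lon, facility=FACILITY):
    """Feet from a device to the facility perimeter (0.0 if inside it).

    The perimeter is modelled as a circle of 'perimeter_radius_ft' around
    the facility center; that simplification is an assumption of this
    example, a real audit would use the surveyed footprint.
    """
    d = haversine_ft(lat, lon, facility["lat"], facility["lon"])
    return max(0.0, d - facility["perimeter_radius_ft"])


def within_statutory_boundary(lat, lon, facility=FACILITY):
    """True if the device is within 2,000 ft of the facility perimeter."""
    return distance_from_perimeter_ft(lat, lon, facility) <= STATUTORY_LIMIT_FT


def is_statutory_geofence(fence_radius_ft, facility=FACILITY):
    """True if a fence of this radius around the facility center reaches no
    further than 2,000 ft beyond the perimeter, i.e. matches the definition."""
    return fence_radius_ft <= facility["perimeter_radius_ft"] + STATUTORY_LIMIT_FT


def audit_sample_points():
    """Classify constructed device locations against the boundary."""
    # 0.001 deg of latitude is about 365 ft; 0.01 deg is about 3,650 ft.
    samples = {
        "next door": (47.6072, -122.3321),
        "across town": (47.6162, -122.3321),
    }
    return {
        name: within_statutory_boundary(lat, lon) for name, (lat, lon) in samples.items()
    }


if __name__ == "__main__":
    for name, inside in audit_sample_points().items():
        print(f"{name}: {'within' if inside else 'outside'} statutory boundary")
    for r in (500.0, 2150.0, 5000.0):
        print(f"fence radius {r:.0f} ft matches definition: {is_statutory_geofence(r)}")
```

The useful check for a practitioner is `is_statutory_geofence`: a radius that equals the perimeter radius plus 2,000 feet is the largest fence that still falls within the statutory definition, so any existing trigger with a smaller radius around an in-person healthcare location should be reviewed under the act.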
The WMHMDA employs different effective dates for different provisions and categories of regulated entities. Enforcement begins on March 31, 2024, for all regulated entities that are not small businesses, and on June 30, 2024, for small businesses as defined by the WMHMDA.
The far reach of the WMHMDA requires elevated compliance. The following three items belong on the checklist of any employer that deals in health data, has a business presence in Washington, or has cloud data processed with Amazon Web Services or Microsoft: a dedicated consumer health data policy, a link to that policy on all webpages, and explicit consent.
1. Consumer Health Data Policy:
A general privacy policy will not satisfy the WMHMDA. There must be a separate consumer health data privacy policy that clearly and conspicuously discloses five items:
- The categories of consumer health data collected and the purposes for which they are collected, including how the data will be used.
- The categories of sources from which the consumer health data is collected.
- The categories of consumer health data that are shared.
- A list of the categories of affiliates with which the data is shared.
- How a consumer can exercise the rights provided, with reference to the Washington Consumer Protection Act. This policy must appear in handbooks as well as online.
2. Website Link Placement:
The WMHMDA requires that the consumer health data privacy policy be published on its own dedicated webpage. A link to the consumer health data privacy policy must appear on every webpage where personal data, not just health data, is collected. As the statute puts it, “personal information” means information that identifies a particular consumer and includes a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier. Because nearly every page sets a cookie or logs an IP address, this can mean an entire website needs the consumer health data privacy policy linked throughout.
3. Consent:
Consent must be unambiguous and informed. Before collecting, using, or sharing consumer health data, the entity must obtain the consumer’s affirmative consent, and the consumer health data privacy policy must first disclose the purposes for which that consent is sought. The WMHMDA requires affirmative, separate assent; it cannot be buried in any other consent or policy. This is opt-in consent to collect and use consumer health data.
These three points are a high-level overview of this consumer protection law. For those whose business touches the state of Washington, we encourage you to consider full compliance immediately, and we are here to support those efforts. Contact us for guidance!