Washington's Approach to Health Data Privacy: The My Health, My Data Act
Historically, the Health Insurance Portability and Accountability Act (HIPAA) has been the cornerstone of health data privacy in the United States. However, the dynamic nature of technology and the ever-expanding ways in which health data is collected, shared, and utilized have led states to take matters into their own hands.
Washington State has emerged as a new leader in this effort, with the My Health, My Data Act (MHMDA).
Garnering widespread support with a 76% approval rate among Washingtonians, this act represents a significant stride toward safeguarding health data privacy. Soon to be fully effective in July 2024, the MHMDA underscores a pivotal moment in the evolution of health data privacy laws.
Introducing the MHMDA
The Washington My Health, My Data Act is designed to enhance the protection of the personal health information of consumers in Washington state, as well as individuals whose consumer health data is collected in Washington. This means that the legislation targets entities conducting business in Washington or those aiming their products and services at Washington residents.
These entities, categorised as "regulated entities" and "small businesses," are defined based on their health data processing activities and revenue:
Regulated entities are those that conduct business in Washington or target Washington consumers
Small businesses are entities that collect data of fewer than 100,000 consumers a year, or that derive less than 50% of their gross revenue from consumer data (with data pulled from no more than 25,000 consumers)
The MHMDA distinguishes itself by its broad definition of "consumer health data," which encompasses biometrics, location data, health services, and any information that can identify a consumer's health data. The Act is enforced by the Attorney General and enables private right of action for consumers.
Key provisions of the Act
The MHMDA lays out stringent obligations for the handling of health data:
Maintain a specific consumer health data privacy policy
Obtain consent before collecting or sharing health data; a separate authorization is required for selling data
Provide consumers with rights to access, withdraw consent, and delete their health data
Implement security measures and contractual requirements for data processors
Prohibit the use of geofences for targeting or tracking consumers related to healthcare services
Unlike other state privacy laws, the MHMDA allows private action to be taken against bodies that breach the law. Moreover, the MHMDA allows the Washington Attorney General to enforce action for violations and impose civil penalties that can rise to $7,500 per violation.
What do health data processors need to do to comply with the MHMDA?
The broad scope of the MHMDA means that its impact extends beyond traditional healthcare providers; it covers retailers, tech companies, and businesses involved in processing consumer health data.
This means that many organizations, that may have not traditionally been classified as part of the health sector (e.g. under HIPAA), now must reassess their data handling practices under this new law.
Entities must ascertain whether the law applies to them, identify any consumer health data they collect, stop geofencing, and establish a comprehensive compliance program. This program should include a detailed privacy policy and updated third-party agreements to ensure alignment with the MHMDA's requirements.
As the health privacy field becomes more stringent, all stakeholders must prioritize how they manage such data, especially those handling the information of Washington residents. Ensuring compliance with the MHMDA is not just a legal necessity but a step toward fostering greater trust and safety in a data-driven world.