Breaking Down Washington State’s My Health, My Data Act

The panorama of data privacy regulation in the U.S. has changed yet again, adding further complexity to the development and maintenance of compliant data policies and practices. Just this spring, Washington state enacted a rigorous, consent-driven law protecting personal health information. The My Health My Data Act (MHMDA) aims to prevent regulated entities from sharing protected health information without proper consumer permission or an established necessity.

What is the MHMDA?

The latest state law designed to introduce more stringent data privacy requirements in the U.S., MHMDA expands on the protections outlined in the Health Insurance Portability and Accountability Act (HIPAA). The goal of the act is to provide stronger coverage for consumer data beyond HIPAA covered health care providers, including data collected by apps and websites.

Broadly, the act requires additional disclosures and consumer consent for collecting and sharing health information, gives consumers the right to have their health data deleted, prohibits entities from selling consumer health data without authorization and bans the use of geofences around in-person healthcare facilities.

The MHMDA applies to any legal entity that conducts business in Washington or targets Washington consumers, and collects, processes, shares or sells consumer health data. The broad definition of consumer health data within this law means that many organizations that would not typically fall into the health care industry could be affected. Also noteworthy, there is no minimum number of data subjects or minimum company revenue stipulated for this regulation, so small businesses must also comply. The MHMDA does not apply to government agencies, tribal nations or data processing already covered by HIPAA and other health care data laws.

The key dates for compliance with the MHMDA are:

• July 23, 2023: Deadline to comply with geofencing requirements
• March 31, 2024: Deadline for regulated entities to comply with all other obligations
• June 30, 2024: Deadline for small businesses to comply with all other obligations

Should organizations fail to comply by the deadline, Washington’s Attorney General’s Office can enforce the law using the state’s Consumer Protection Act. Consumers can also enforce on their own through a private right of action.

What Classifies as “Health Data” Under the MHMDA?

Under the MHMDA, the definition of “consumer health data” is broader than what was previously defined by existing state and federal statutes. It encompasses "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status."  A full list of what constitutes consumer health data under the MHMDA can be found in Section 3 of the bill, and examples include general health information, biometric data, genetic data and gender-related care. Notably, the law considers data relating to consumers seeking health care data as covered under this law (e.g., search queries related to reproductive health). Several of the data definitions within MHMDA differ from HIPAA, such as:

• Precise location information that could “reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.”
• Broadened explanation of biometric data (which is typically considered as retinal scans, fingerprints, voice prints and other physical identifiers) to include keystroke patterns or rhythms that contain identifying information. 
• Tracking of efforts and activity to research a wide range of health-related services and products.

This law also provides many of the consumer privacy rights that have become fundamental to most emerging laws. Consumer rights defined under the law include confirming the data activities taking place regarding an individual’s personal heath data, right to access data, right to delete data and ability to withdraw consent for data storage and processing. Organizations are allowed a 45-day period to respond to and fulfill consumer requests and actions.

How Does My Organization Become Compliant?

Though not a comprehensive list, some of the notable actions covered entities must take to achieve compliance include: 

• Creating a policy that discloses the consumer health data collected and shared.
• Obtaining consumer consent to collect or share any data beyond what is disclosed or necessary, and receiving separate authorization to sell the data.
• Deleting consumer data if requested by the consumer, including archives and backups, within 45 days.
• Establishing and maintaining reasonable cybersecurity best practices to maintain the confidentiality, integrity and accessibility of consumer health data. 
• Eliminating any geofences around areas that provide in-person health services.

How Should My Organization Proceed?

Start preparing now. Most organizations have less than a year to comply with the MHMDA, with the geofencing portion already in effect as of July 2023, and the first deadline for all other requirements approaching in March 2024.

Importantly, the geofencing requirements are imminent and span a wider set of organizations and activities than many businesses may realize. The MHMDA defines a geofence as “technology that uses GPS coordinates, cell tower data, Wi-Fi data or other forms of spatial or location data to create virtual boundary up to 2,000 feet from the perimeter of a physical location or to locate a consumer within such virtual boundary.” This information is often tracked and used for advertising targeting, consumer notifications and other services, but its collection and use in a health care setting is now strictly prohibited in Washington state. Many organizations likely have geofencing and other tracking tools incorporated in the background of their websites and consumer interfaces, and may now be in violation of this rule unknowingly. It’s critical to assess existing tracking tools in place, and redesign as needed to meet the MHMDA’s strict geofencing requirements.

In addition to assessing geofencing practices, organizations should begin reviewing what data they collect from consumers, to determine if it falls into the broad scope of the law, and where it does, identify how it is stored, protected and shared. 
Compliance with the MHMD Act will also require more than just the collaboration of privacy and cybersecurity teams.  The C-suite, marketing, the IT department, compliance and legal teams will need to become involved in plans and decisions about how the organization will adapt its data practices to ensure compliance across all perspectives.

As a robust data privacy program requires a cross-functional approach, it also requires continual improvement and attention (annual audit is not usually sufficient). Employees should be trained on the parameters of the laws and requirements and encouraged to report potential violations or risks, in support of early intervention and remediation. Engaging outside firms can also help organizations with assessing their current protocols and providing a roadmap for any changes that need to be implemented.

Organizations should also carefully audit and improve current privacy and cybersecurity practices. Once the necessary process changes for compliance are identified, it is time to begin making changes, both for the near-term deadline and longer-term outlook. Strong privacy and cybersecurity practices will not only support compliance with the MHMDA, but also improve resilience and decrease the likelihood of future incidents and breaches. Overall, privacy leaders and security teams should:

• Evaluate whether existing security programs align to the expectations of the MHMDA
• Regularly maintain and update security protocols
• Train employees on proper cybersecurity best practices
• Only give employees access to consumer data that is necessary for their roles
• Implement data retention policies
• Use industry standard (or better) data and hardware destruction methods 
   

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.