On April 27, 2023, the state of Washington enacted a landmark privacy law aimed at protecting the privacy of health data not covered by HIPAA. While the 2023 legislative season has been busy for state “comprehensive” privacy laws, this law is likely to have the most impact on businesses. The My Health My Data Act covers a very wide range of entities, consumers, and data, as we describe below. And, it contains a private right of action. With the law coming into effect in the first half of 2024, organizations will want to take steps now to understand the scope of this law and its onerous obligations.
What Entities are Covered by the Act?
The law applies to “regulated entities” as defined by the Act. The definition is sufficiently broad that it will apply to most non-governmental entities – including non-profits. A “regulated entity” is any entity that (1) conducts business in Washington, or produces or provides products or services targeted to consumers in Washington, and (2) alone, or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data.
The Act also defines “small businesses.” However, “small businesses” are a subset of regulated entities, and the only difference under the Act is that, for some provisions, there is a different effective date for small businesses. As we discuss below, there are a number of exclusions in the Act, primarily for data covered by other enumerated privacy laws.
What Consumers are Covered by the Act?
“Consumer” means (1) a natural person who is a Washington resident; or (2) a natural person whose consumer health data is collected in Washington. The definition excludes employees and B2B data (unlike CCPA). While the first prong seems to set a geographic boundary on the scope of consumers covered, the second prong creates a surprisingly broader scope. The second prong could be interpreted to mean that personal data of individuals with no connection to Washington is captured by the law if the data is “collected” in Washington. “Collect” means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.
What Data is Covered by the Act?
The law applies to “consumer health data.” Given the broad scope of the definition, it is easier to first think about what data is not included in the Act.
There are exceptions for data that is subject to certain enumerated privacy laws such as HIPAA, GLBA, FCRA, FERPA, and existing Washington state laws related to health care and insurance. The exception covers nearly all health information processed by a HIPAA covered entity or a business associate processing the data on behalf of a covered entity. Data that is not covered by HIPAA, but that originates from and is maintained by a covered entity or business associate and is intermingled with HIPAA-covered data, is also excluded.
The law also excludes employee and B2B information (since those persons are excluded from the definition of consumers). There is also an exception for data used for certain peer-reviewed research in the public interest. Deidentified information (as defined in the Act) and “publicly available” information are also excluded.
With the lens of what data is not in scope, we turn to the actual definition of “consumer health data.” This is defined as any personal information that is “linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” The definition goes on to enumerate a list of data types that are included within “physical or mental health status,” though the list is non-exclusive. The list includes data that identifies a consumer seeking health care services and any information that is derived or extrapolated from non-health information.
Putting it into Practice. The enactment of this law fits within the growing trend of increased focus on health information and the privacy laws that govern it. Given the sweeping scope of this law, companies should carefully evaluate to what extent the law may apply to them. We may see some companies geo-blocking consumers from Washington and avoiding processing data in Washington as a way to limit potential exposure under the Act. In the coming days we will discuss other aspects of the law, including the consumer rights provisions and consent requirements.