The Washington My Health, My Data Act (WMHMDA) (HB 1155) was signed into law by Governor Jay Inslee on April 27th, 2023. It was designed to fill gaps in the Health Insurance Portability and Accountability Act (HIPAA), which only covers health information held by covered entities and their business associates, and provides stronger protections for Washington consumers' health data held by other businesses, such as apps, websites, and retailers.

This article explains what the Washington My Health, My Data Act is, who it applies to, how it affects consumers and businesses, how to comply with the law, and the penalties for noncompliance.


What is the Washington My Health, My Data Act (WMHMDA)?

The Washington My Health, My Data Act is a law that protects Washington consumers' personal health data. It gives Washington consumers certain rights concerning their personal data and dictates how applicable businesses need to treat the health data they collect, share, and/or sell.

What is Consumer Health Data Under the Washington My Health, My Data Act (WMHMDA)?

Consumer health data is defined by Section 3 (8)(a) of the My Health, My Data Act as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status:

Washington My Health My Data Act: Section 3 8 a - Consumer health data definition

Who Does the Washington My Health, My Data Act (WMHMDA) Apply to?

The Washington My Health, My Data Act applies to regulated entities and small businesses that meet its criteria.

What are Considered Regulated Entities Under the Washington My Health, My Data Act (WMHMDA)?

A regulated entity under the WMHMDA is any organization that:

  • Conducts business in Washington or
  • Provides goods or services to Washington consumers, and
  • Decides why and how to collect, process (use), share, or sell consumer health data

Section 3 (23) of the WMHMDA defines a regulated entity as a legal entity that does business in Washington and makes decisions about how to collect or use Washington consumers' health data:

Washington My Health My Data Act: Section 23 - Regulated entity definition

What are Considered Small Businesses Under the Washington My Health, My Data Act (WMHMDA)?

Under the WMHMDA, a small business is a type of regulated entity that:

  • Collects, processes, sells, or shares consumer health data from fewer than 100,000 Washington consumers per calendar year, or
  • Gets less than half of its gross revenue (total money generated before accounting for expenses) from collecting, processing, selling, or sharing consumer health data and controls, processes, sells, or shares consumer health data belonging to fewer than 25,000 Washington consumers

Section 3 (28) of the WMHMDA defines a small business as a regulated entity that meets specific criteria concerning the number of consumers it collects or processes health data from:

Washington My Health My Data Act: Section 28 - Small business definition

Who is Exempt From the Washington My Health, My Data Act (WMHMDA)?

There are a few entities that are not required to comply with the WMHMDA, including:

  • Government agencies
  • Tribal nations
  • Contracted service providers that process consumer health data for a government agency

There are also certain types of information that are exempt from the WMHMDA, including:

  • Health information protected by HIPAA
  • Certain health care information
  • Certain patient identifying data
  • Information used for public health activities
  • Personal information governed by other laws, such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act

Section 12 of the WMHMDA describes the information that is exempt from the law, including certain protected health and patient identifying information:

Washington My Health My Data Act: Section 12 - Exemptions

How Does the Washington My Health, My Data Act (WMHMDA) Affect Consumers?

The WMHMDA gives consumers several rights regarding their health data, including:

  • The right to have their health data deleted
  • The right to be free of discrimination for exercising their rights
  • The right to confirm whether their health data is being collected, sold, or shared
  • The right to withdraw consent to having their health data collected or shared
  • The right to receive a list of third parties or affiliates their health data has been shared with or sold to
  • The right to receive an email address or other online method for contacting the third parties or affiliates their health data has been shared with or sold to

Section 6 of the WMHMDA details some of Washington consumers' rights under the law, including the right to request to have their data deleted and the right to withdraw their consent:

Washington My Health My Data Act: Section 6 - Consumer rights

How Does the Washington My Health, My Data Act (WMHMDA) Affect Businesses?

In order to comply with the WMHMDA, businesses must take certain steps to protect consumers' health data.

The WMHMDA requires applicable businesses to:

  • Maintain a health data Privacy Policy
  • Put the link to their Privacy Policy in an easy to find location on their homepage
  • Get consent
  • Get signed authorization before selling consumers' health data
  • Refrain from using geofences around health care facilities
  • Respond to consumer requests regarding their health data
  • Keep the consumer health data they collect or process secure

What Does the Washington My Health, My Data Act (WMHMDA) Require?

The Washington My Health, My Data Act requires businesses that collect Washington consumers' personal health data to provide additional disclosures and get consumer consent before collecting, sharing, or using their health data. Businesses must also respond to consumers' requests to have their health data deleted.

Businesses cannot sell consumer health data without signed authorization from the consumer, and cannot use a geofence (a virtual fence that can be used to track consumers' activities within a certain location) around any health care facilities.

Section 2 (3) of the WMHMDA states the legislature's intent and summarizes the requirements that applicable businesses must meet to comply with the law:

Washington My Health My Data Act: Section 2 3 - Business requirements

Let's take a look at some of the steps you can take to comply with the Washington My Health, My Data Act.

Maintain a Health Data Privacy Policy

To comply with the Washington My Health, My Data Act, your Privacy Policy should contain relevant clauses, including the kinds of health data you collect and how consumers can exercise their rights.

Section 4 of the WMHMDA describes the clauses that you should include in your health data Privacy Policy:

Sec. 4. (1)(a) Except as provided in subsection (2) of this section, beginning March 31, 2024, a regulated entity and a small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses:

(i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;

(ii) The categories of sources from which the consumer health data is collected;

(iii) The categories of consumer health data that is shared;

(iv) A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and

(v) How a consumer can exercise the rights provided in section 6 of this act.

Let's go over some examples of what each clause should include.

The Types of Health Data You Collect and What You Do With it

This clause explains what categories of health data you collect, your reasons for collecting it, and how you use it.

Johns Hopkins Notice of Privacy Practices explains the types of data it collects, including medical information, and what it uses it for, including fundraising activities, hospital directories, and research purposes:

Johns Hopkins Notice of Privacy Practice excerpt

Where You Get the Health Data You Collect

This section of your Privacy Policy explains the sources of the health data you collect, such as directly from consumers when they provide their information to receive a product or service, or from third parties.

SimpleClinic Online's Patient Privacy Policy explains that it gets personal information from patients when they access its website and submit forms, book appointments, or make payments:

SimpleClinic Online Patient Privacy Policy: What is personal information and why do we collect it clause

What Health Data You Share With Third Parties

Let consumers know what types of health data you share with third parties and for what purposes.

Florida Medical Clinic's Notice of Privacy Practices explains the categories of health data it may share with third parties in certain circumstances, such as physician's dictated notes shared with a third-party transcription service:

Florida Medical Clinic's Notice of Privacy Practices: Third party sharing clause excerpt

What Third Parties You Share Health Data With

This clause is where you list the categories of third parties you share the health data you collect with, such as service providers or business partners.

MedStar Health's Patient Privacy Policy explains that it may share its patients' health information with other healthcare workers, people outside of the hospital involved with providing care for a patient, and with a patient's health plan for treatment purposes, as well as with insurance providers for payment purposes:

MedStar Health's Patient Privacy Policy: How we may use and disclose health information clause excerpt

Similarly, Rite Aid's Notice of Privacy Practices outlines the types of third parties it may share customers' health information with, including the Food and Drug Administration (FDA) and law enforcement agencies:

Rite Aid's Notice of Privacy Practices: Required or permitted disclosures of protected health information clause

How Consumers Can Exercise Their Rights

You should include information about how consumers can exercise their rights, including how to withdraw consent for future collection or sharing of their health data.

You can include step-by-step instructions or links within your Privacy Policy describing how consumers can:

  • Delete their data
  • Withdraw their consent

You should also include information about how consumers can appeal your decision concerning their request if they don't agree with it. Your appeals process should be easily accessible and similar to the process consumers use to exercise their other rights.

The Patient Advocacy Foundation's Patient Privacy Policy explains how its patients can exercise their rights, including requesting copies of their personal information and opting out of advertising cookies and future contact from the organization. It also describes how long it keeps the personal information it collects, as well as how it responds to online tracking mechanisms:

Patient Advocacy Foundation's Patient Privacy Policy: User rights clause

Once you have your health data Privacy Policy written, the WMHMDA requires you to put a link to the Privacy Policy in a conspicuous location on the homepage of your website. Regulated entities must comply with this section beginning March 31st, 2024; small businesses have until June 30th, 2024.

Seattle Children's Hospital puts links to both its Website Privacy Policy and its Notice of Privacy Practices where they can easily be found in its website footer:

Seattle Childrens Hospital website footer with privacy notices links highlighted

You will need to get consent from Washington consumers before collecting their health data unless the collection is necessary to provide a product or service the consumer has requested from you.

For instance, if a consumer asks a company to sell them a weight loss supplement, the company may collect the health information it needs to determine the right dosage of the product without a separate consent, because that collection is necessary to fulfill the request.

You will also need to get consent before sharing a consumer's health data with a third party. The consent for sharing health data must be separate and distinct from the consent for collecting the consumer's health data, and neither can be obtained through a broad terms of use agreement, deceptive design, or a pre-ticked box.

When requesting consumer consent to collect or share their health data, you must clearly and conspicuously communicate:

  • The categories of health data to be collected or shared
  • Your reasons for collecting or sharing consumer health data
  • The specific ways the health data will be used
  • The categories of third parties you intend to share the health data with
  • The steps consumers can take to withdraw their consent for future collection or sharing of their health data

Section 5 of the My Health, My Data Act explains that businesses must get consent before collecting or sharing consumers' health data, and what that consent request must disclose:

Washington My Health My Data Act: Section 5 - Consent requirements

One effective method for getting consumer consent is by using a tickable checkbox or a button next to a statement that users agree to the collection of their health data.

You can link your Privacy Policy or Terms and Conditions agreement (or both) within the statement so that users can read about what health information you intend to collect and how you will use it.

Before consumers can sign in to their Amazon Pharmacy account, they must agree to both Amazon's Conditions of Use and its Privacy Notice, which it links below the Continue button as well as on its website footer:

Amazon sign-in with Agree checkbox and privacy notice link highlighted

Get Signed Authorization Before Selling Health Data

The My Health, My Data Act requires businesses to get "valid authorization" before selling consumers' health data. Valid authorization must be separate from consumer consent given to allow their health data to be collected or shared.

Valid authorization must contain:

  • The health data you want to sell
  • Your name and contact info
  • The name and contact info of the person you intend to sell health data to
  • Your reason for selling the data
  • How the health data will be collected and used by the purchaser
  • A statement that providing goods or services is not dependent on the consumer signing the valid authorization
  • A statement that the consumer can revoke the valid authorization at any time
  • How a consumer can revoke the valid authorization
  • A statement that once the health data is sold, it may not be protected by Section 9 of Washington's My Health, My Data Act
  • An expiration date of one year after the consumer signs the valid authorization
  • The consumer's signature and date of signature

Once the valid authorization is signed, you must provide a copy to the consumer and you and the purchaser must keep copies of the valid authorization for at least six years from the date the consumer signs it.

Section 9 of the WMHMDA describes the steps you must take to obtain valid authorization to sell a consumer's health data:

Washington My Health My Data Act: Section 9 - Authorization to sell data

Don't Use Geofences Around Health Care Facilities

You can't use a geofence to:

  • Identify consumers seeking health care
  • Track consumers seeking health care
  • Collect health data from consumers
  • Send messages, notifications, or advertisements to consumers about their health data or healthcare services

Section 3 (14) of the WMHMDA defines a geofence as a virtual boundary, established with GPS, cell tower, Wi-Fi, RFID, or any other location-detection technology, that is 2,000 feet or less from the perimeter of a physical location and that can be used to locate a consumer within that boundary:

Washington My Health My Data Act: Section 3 14 - Definition of geofence

Section 10 of the WMHMDA makes it unlawful to implement a geofence around any entity that provides in-person health care services when the geofence is used to identify or track consumers seeking care, collect their health data, or send them health-related messages or advertisements:

Washington My Health My Data Act: Section 10 - Geofencing
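Ad-tech and location platforms that build geofences programmatically will want an automated check that a proposed fence does not fall within the 2,000-foot band around a health care facility before it goes live. The following Python example is added here to illustrate that check; it is not code from the statute or from any vendor named on this page. It assumes circular fences (centre plus radius), approximates each facility's perimeter by a single point (a real deployment would use the facility's property polygon), uses a spherical-Earth haversine distance, and uses constructed coordinates that are not real facility locations.

```python
import math

FEET_PER_METER = 3.28084
EARTH_RADIUS_M = 6_371_000.0   # mean Earth radius; spherical approximation
WMHMDA_THRESHOLD_FT = 2000.0   # Section 3(14): fence 2,000 feet or less from the perimeter


def haversine_ft(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in feet."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_METER


def fence_to_facility_ft(fence, facility):
    """Shortest distance from the edge of a circular fence to a facility, in feet.

    fence is (lat, lon, radius_ft); facility is (lat, lon).
    Returns 0.0 when the facility lies inside the fence. The facility perimeter
    is approximated by one point (assumption; use the property polygon in practice).
    """
    flat, flon, radius_ft = fence
    centre_dist = haversine_ft(flat, flon, facility[0], facility[1])
    return max(0.0, centre_dist - radius_ft)


def check_fence(fence, facilities, threshold_ft=WMHMDA_THRESHOLD_FT):
    """Return the names of facilities within threshold_ft of the fence edge.

    A non-empty result means the fence meets the WMHMDA definition of a geofence
    around a health care facility, so it must not be used for any of the
    purposes Section 10 prohibits (tracking, data collection, health-related ads).
    """
    return [name for name, coords in facilities.items()
            if fence_to_facility_ft(fence, coords) <= threshold_ft]


# Constructed sample data for the example; not real facility coordinates.
FACILITIES = {
    "clinic-a": (47.6062, -122.3321),
    "clinic-b": (47.6500, -122.3500),
}

if __name__ == "__main__":
    # Three fences sharing a centre about 7,300 feet north of clinic-a.
    for radius_ft in (1000.0, 6000.0, 7500.0):
        fence = (47.6262, -122.3321, radius_ft)
        hits = check_fence(fence, FACILITIES)
        verdict = "BLOCKED: " + ", ".join(hits) if hits else "ok"
        print(f"fence radius {radius_ft:6.0f} ft -> {verdict}")
```

Note that the statutory band is measured from the fence boundary, not its centre: a wide fence centred more than 2,000 feet from a facility can still reach into the protected band, which is why the check subtracts the radius before comparing. Running the block shows the 1,000-foot fence passing, while the 6,000-foot and 7,500-foot fences with the same centre are flagged for clinic-a (the latter because the clinic is entirely inside the fence).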

Respond to Consumer Requests Concerning Their Health Data

You will need to respond to consumers' requests concerning their health data - including requests to confirm their data is being collected, sold, or shared, and requests to delete their health data - in a timely manner.

If a consumer requests their data be deleted, you must contact any third parties or affiliates you have shared their data with and notify them of the consumer's request.

You must respond to consumer requests within 45 days of receiving them. You may extend your response time by an additional 45 days if needed, but must notify the consumer of the extension and the reasons for the extension within the initial 45 days.

You will also need to notify consumers of how to appeal your decision regarding their request if they disagree with it. You should respond to appeals within 45 days of receiving them.

If you deny a consumer's appeal, you must explain your reasons for denying it and provide the consumer with a way to contact the attorney general if they wish to submit a complaint.

Keep Health Data Safe

You must take appropriate steps to keep the health data you collect and process safe, including:

  • Restricting access to consumers' health data to those employees, processors, and contractors for whom access is necessary to fulfill the purposes the consumer consented to or to provide goods or services the consumer requested
  • Establishing, implementing, and maintaining administrative, technical, and physical security practices (such as access controls and encryption, physical controls on premises, and staff training) that are appropriate to the volume and nature of the data

Section 7 of the WMHMDA describes the steps businesses must take to keep consumers' health data secure:

Washington My Health My Data Act: Section 7 - Security

How is the Washington My Health, My Data Act (WMHMDA) Enforced?

The attorney general is the enforcing body of the WMHMDA. In addition, consumers can bring private action against an entity for suspected violations of the law.

According to Section 11 of the WMHMDA, a violation of the law counts as an unfair business practice, which is a violation of the Consumer Protection Act. The Consumer Protection Act is enforced by the attorney general:

Washington My Health My Data Act: Section 11 - violations

What are the Penalties for Non-Compliance with the Washington My Health, My Data Act (WMHMDA)?

Violations of the Washington My Health, My Data Act are punishable by the attorney general under the state's Consumer Protection Act. Consumers can also take private action against companies that violate the WMHMDA.

The remedies are those of the Consumer Protection Act and depend on who brings the action. The attorney general can seek injunctions and civil penalties of up to $7,500 per violation. A private plaintiff can recover actual damages, costs, and attorney's fees, and the court may increase the award up to three times the actual damages, capped at $25,000. There is no single fixed fine for a violation.

Summary

The Washington My Health, My Data Act gives Washington consumers certain rights concerning their health data and outlines how applicable organizations should handle the personal health information they collect.

The WMHMDA applies to regulated entities that fulfill the following criteria:

  • Does business in Washington, or
  • Provides products or services to Washington consumers and
  • Makes decisions about how and why to collect, process, share, or sell consumer health data

It also applies to small businesses that:

  • Collect, process, sell, or share health data belonging to fewer than 100,000 Washington consumers each calendar year, or
  • Get less than half their gross revenue from collecting, processing, selling, or sharing consumer health data and control, process, sell, or share health data belonging to fewer than 25,000 Washington consumers

The Washington My Health, My Data Act does not apply to government agencies, tribal nations, or service providers that process health data for government agencies. The WMHMDA also doesn't apply to certain types of health data that are protected by other laws or are used for public health activities.

The WMHMDA gives consumers the rights to:

  • Confirm whether their health data is being collected, sold, or shared
  • Receive a list of third parties their health data has been shared with or sold to
  • Request their health data be deleted
  • Withdraw consent for having their health data collected or shared
  • Receive an online contact method for the third parties or affiliates their health data was shared with or sold to
  • Be free of discrimination for exercising their rights

To comply with the WMHMDA, regulated entities and small businesses must take the following steps:

  • Have a health data Privacy Policy on their website
  • Put a conspicuous link to their Privacy Policy on their homepage
  • Get consent from consumers before collecting or processing their health data
  • Get valid authorization before selling consumers' health data
  • Avoid using geofences to track consumer behavior near healthcare facilities
  • Respond to consumer requests concerning their health data
  • Keep consumer health data secure

A health data Privacy Policy should contain relevant clauses, including:

  • What kind of health data you collect or process
  • What you do with the health data you collect
  • Which sources you obtain consumer health data from
  • What health data you share with third parties
  • The categories of third parties you share health data with
  • How consumers can exercise their rights

The WMHMDA is enforced by the attorney general and through private action, and punishment can include financial penalties.
