Washington My Health My Data Act - MHMDA (Bill 1155) is a consumer health privacy bill that was passed by the Washington State Legislature on April 17, 2023, and became effective on July 23, 2023. The official website of the Attorney General of Washington refers to MHMDA as the first privacy-focused law in the country that protects personal health data falling outside the ambit of the Health Insurance Portability and Accountability Act, or HIPAA.
MHMDA was enacted to address the growing data privacy concerns regarding personal health data that is collected outside traditional healthcare settings without the consumer's consent. Health data today is often collected through wearable devices like the Apple Watch, fitness apps, and wellness platforms, which do not fall under HIPAA’s scope. MHMDA aims to close the gap left by HIPAA, particularly for non-covered entities, as noted above. This law bridges the gap between current industry practice & consumer knowledge and provides stronger privacy protections for the health data of Washington’s citizens. It requires all regulated entities and small businesses to provide more transparency to consumers about their health data, including the purpose of its collection, usage, sharing, etc. It gives Washingtonians greater control over their health data, including the right to have their data deleted; it further prohibits the sale of consumer health data without proper authorization and makes geofencing of healthcare facilities unlawful.
According to the Washington My Health My Data Act, regulated entities are organizations that conduct business in the state of Washington or provide goods or services to residents of the state and collect their sensitive health information. It further extends the definition of health information to include information associated with a consumer’s bodily functions, biometric information, or location data that could be used to track which healthcare service providers they visited.
Washington My Health My Data Act – All Sections
Sections 1 & 2: The first section establishes the name of the law as the Washington My Health My Data Act, and the second section defines its purpose and summarizes the law. It describes privacy as a fundamental right of every individual, guaranteed by the Constitution of Washington, and places health information in the category of the most personal and sensitive types of information. It states that Washington citizens' health data should receive protection equivalent to what HIPAA provides, and it extends the coverage of MHMDA to entities not covered by HIPAA.
Section 3: This section defines the various terms used within the law, such as what constitutes health data, what biometric data is, and what the term "collection" means. Key definitions include:
- Consumer Health Data: It extends the definition of health data beyond the consumer’s mental or physical health and adds reproductive, sexual & genetic health. It also includes gender-affirming care information. The definition considers precise location data that can be used to infer the health information of the citizen to be consumer health data.
- Health Care Services: These include services provided to any person for assessing, improving, or understanding their mental or physical health, including performing diagnosis and providing reproductive or gender-affirming services.
- Consent: An important term where businesses need to obtain clear and affirmative opt-in from consumers in a fair manner before collecting, sharing, processing, or selling their health data. The law outlines various scenarios for obtaining consent from consumers and specifies what does not qualify as valid consent.
Section 4: This section requires all regulated entities to have a consumer health data privacy policy link on their website home page that clearly and visibly informs consumers of the categories of health data that is collected, the purpose of its collection, and the way it will be used. The policy will also provide information about the third parties with whom this data will be shared and list clear instructions with which customers can withdraw their consent for data sharing.
The section further states that regulated entities shall not collect any information that is not mentioned in the privacy policy, nor process it for any purpose other than the one for which consent was obtained.
Section 5: This section states that regulated entities and small businesses must obtain explicit consent before collecting any consumer health information. They are required to collect only necessary information and must not share it with any third party unless they obtain separate and explicit consent specifically for data sharing. It prohibits businesses from discriminating against customers who exercise their right to withdraw their consent for data sharing or collection.
Section 6: This section gives consumers the right to confirm with businesses whether they are collecting, sharing, or processing their information, with whom that information is being shared, and the contact details of those parties. It also gives the consumer the right to have their data deleted from the records of the business, its affiliates, and any third parties with whom the data was shared. This request must be honored without undue delay and within 45 days. The business is also required to provide an online mechanism through which the consumer can contact the Washington Attorney General’s office and lodge a complaint.
Section 7: This section requires businesses to employ access control and restrict access to sensitive data to only the relevant employees, data processors, and contractors. Organizations must ensure that they employ adequate measures for the safety and security of the data to maintain its Confidentiality, Integrity, & Availability (the CIA Triad of information security). This protection must be maintained throughout the data lifecycle, from creation to disposal. Ensuring the security of consumer health data once its intended purpose has been fulfilled or its retention period has expired, and while disposing of data storage devices, is critical for staying compliant with MHMDA. Tools like BitRaser help erase health data permanently from all types of drives & devices, helping businesses stay compliant not only with MHMDA but also with HIPAA. Read more about BitRaser, a HIPAA-compliant software, in the HIPAA Journal. Refer to the table below to understand the key differences between HIPAA and MHMDA.
| Parameters | My Health My Data Act (MHMDA) | HIPAA |
|---|---|---|
| Applicability | Broad – Applies to any organization that collects health-related data. Examples are wellness apps and fitness trackers. | Limited – Applies to covered entities only. Examples are healthcare providers, health insurance providers, and healthcare clearinghouses. |
| Scope of Data Covered | Expansive – Extends the definition of health data to include reproductive, sexual, genetic, and gender-affirming care information, etc. | Focused – Covers Protected Health Information (PHI) held by covered entities. It includes medical history, mental health status, insurance records, laboratory results, etc. |
| Consent Requirements | Explicit – Requires opt-in consent for the collection, sharing, or sale of health data. | Does not require any consent from patients (consumers) for data usage in treatment, payment, and healthcare operations within covered entities. |
| Consumer Rights | Provides consumers the right to access, delete, and opt out of data sharing and sales. | Limited rights for patients to access and amend their medical records. No right to request deletion. |
| Data Selling | Explicitly prohibits the sale of health data without consumer consent. | Prohibits the sale of PHI without patient authorization. |
| Enforcement and Penalties | Enforced by the Washington State Attorney General under the provisions of the Consumer Protection Act (CPA); violations can result in civil penalties of up to $7,500 per violation. | Enforced by the U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR), with tiered penalties ranging from $100 to $1.4 million per violation. |
Section 8: The regulated entity must have a binding contract with any data processor with whom consumer health data is shared. The extent and manner of processing must be as set out in the contract, and if a data processor fails to adhere to the contractual terms and scope of processing, it shall be considered a regulated entity and subject to the provisions of MHMDA.
Section 9: This section states that selling consumer health information is unlawful without the consumer's valid authorization. Consent to sell must be distinct from the consent obtained for data collection and sharing. The consent form, written in plain language, must inform the consumer of the information that will be sold, the name and contact information of the data collector, seller, and buyer, and the purpose of the sale and its intended usage. The consent document must clearly state that the consumer has the right to revoke the authorization. It must also contain the date of sale, the expiration date of the consent, and the consumer's name and signature.
Section 10: This section outlaws the geofencing of in-person healthcare facilities where it could be used to identify or track consumers who visit these places for health care services. Entities are also prohibited from sending advertisements or notifications related to a consumer's health data or the health care services the consumer has received.
Section 11: This section discusses the legal basis of the law and states that the law and its various sections are in the public interest, and that any violation is considered an unfair or deceptive practice under Revised Code of Washington Chapter 19.86 (Unfair business practices). It also states that any violation of MHMDA can harm consumers and may warrant legal action.
Section 12: This section lists the exemptions, that is, the data and activities that do not fall under the purview of the My Health My Data Act. These include health data already covered by regulations like HIPAA, health care data used for public health purposes, and data governed by other federal laws like the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Family Educational Rights and Privacy Act (FERPA), etc. It also provides exemptions for security reasons, such as preventing fraud or theft.
Section 13: This section requires a joint committee to oversee administrative actions brought by the Attorney General and consumers in response to violations of the act. The report must include the number of actions enforced, settlement amounts, details regarding the violations, frivolous civil actions, and the amount of resources used for enforcement of the act. The joint committee can also recommend changes to the enforcement of this act and must submit a report to the Governor and the legislative committee by September 30, 2030. This section is only valid until June 30, 2031.
Note: The Washington My Health My Data Act (MHMDA) does not specify any direct penalties within the Act itself. Instead, it allows the Attorney General’s office to enforce its provisions under Washington's Consumer Protection Act (CPA), which can levy civil penalties of up to $7,500 per violation. It also gives consumers the right to seek damages for violations of the law.
Sections 14 & 15: These sections cover the severability clause and the creation of new chapters in Washington’s legal code. Section 14 states that if any part of the act or its applicability to any person is found to be invalid, it shall not affect the rest of the act. Section 15 states that all sections from 1 to 12 will be added as new chapters in Chapter 19 of the Revised Code of Washington.
What Must Businesses Do to Protect Health Data and Stay Compliant with MHMDA?
The Washington My Health My Data Act is a groundbreaking state law created to address the rising concerns around the privacy of consumer health data, especially in areas not covered by federal regulations like HIPAA. This law provides Washington's citizens with stronger privacy protections and brings greater transparency.
Businesses that handle WA consumer health information are required to take adequate data protection measures to secure this sensitive information throughout its lifecycle, from collection to disposal. BitRaser is a data disposal software that guarantees data erasure and helps meet the requirements of data privacy and protection laws, including MHMDA. The detailed report and certificate of data destruction generated by the software help demonstrate compliance with MHMDA's data disposal requirements.