In 2023, Washington State enacted a first-of-its-kind health privacy law known as the Washington My Health My Data Act (WMHMDA). This sweeping new privacy-focused law seeks to protect data that falls outside of the ambit of the Health Insurance Portability and Accountability Act (HIPAA). Despite its name, the WMHMDA will regulate many types of data most people would not consider health related. Moreover, it will cover non-Washington entities and even non-Washington residents. Any entity with some nexus to Washington State that processes covered data may be affected.
Why Is This Important?
The WMHMDA is not actually “healthcare privacy” law at all, in practical terms. It is a privacy law of general applicability, and it is far reaching in scope and consequences. The covered entities and included data are much broader than HIPAA, and the requirements are much more onerous. The WMHMDA will require completely new privacy requirements that the existing high-water mark threshold (GDPR and CCPA) will not necessarily cover in every case.
Unlike many state and federal privacy laws, the WMHMDA allows for a private right of action, including class action lawsuits, because it is linked to Washington’s Consumer Protection Act. Both public and private litigants can seek injunctive relief and recover attorney’s fees and treble damages up to $25,000. The law will be enforced by the Washington Attorney General (who may also seek a $7,500 civil penalty per violation), and it is anticipated to generate much litigation, including a proverbial tsunami of “gotcha” lawsuits (think of Illinois’ Biometric Information Privacy Act (BIPA), which has resulted in steep damages in its own right). The WMHMDA goes into full effect for “regulated entities” on March 31, 2024. Are you ready?
What Kind of Data Is Protected by the WMHMDA?
The WMHMDA regulates what it calls “consumer health data,” which it broadly and ambiguously defines as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” “Physical or mental health status” is further broadly defined to include (but not limited to) the following:
- Individual health conditions, treatment, diseases, or diagnosis.
- Social, psychological, behavioral, and medical interventions.
- Health-related surgeries or procedures.
- Use or purchase of prescribed medication.
- Bodily functions, vital signs, symptoms, or measurements of anything deemed “consumer health data.”
- Diagnoses or diagnostic testing, treatment, or medication.
- Gender-affirming care information.
- Reproductive or sexual health information.
- Biometric data.
- “Precise location information,” further defined as data from any technology that identifies the location of an individual with precision and accuracy within a radius of 1,750 feet.
- Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer from non-health data.
- Data identifying a consumer who seeks healthcare services.
The broad term, “data that identifies a consumer seeking health care services,” is noteworthy. “Health care services” is further defined as “any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health.” This category of protected data includes information that would merely support an inference of health-care related information. In other words, it is not really health data as commonly understood.
What Is an Example of “Consumer Health Data”?
Consumer health data will likely bring into the regulatory fold whole new health-adjacent industries. For example, it is conceivable that if a grocery store targets consumers with advertisements for cold medicine or pregnancy-related products, the information derivative of that inference in targeting those ads to those consumers would be considered consumer health data, e.g., demographic data, shopping history, location tracking. The same could be said of any number of physical or mental health related products (think mindfulness apps, Medicare marketers, gym memberships, vitamins, even running shoes) because the information used to target those advertisements could be construed as “provided to a person to … improve a person’s … physical health.”
The WMHMDA defines “biometric data” as “data generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data.” Biometric data includes, but is not limited to, the following:
- Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; or
- Keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.
This definition would go far beyond the scope of other biometric privacy laws that often exclude mere photographs, videos, and audio recordings, and make no mention of keystroke patterns or rhythms.
What Entities Must Comply with the WMHMDA?¹
The WMHMDA covers what it broadly defines as “regulated entities.”² A regulated entity is “any legal entity that: conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington,” and that “alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.”
The first prong of “regulated entity,” which requires some nexus to Washington, is likely to be a hotly contested issue in the courts. We can imagine an extremely broad application indeed. A physical presence or direct contact with Washington consumers will almost certainly be deemed within the Act’s scope. The disjunctive in the first prong between conducting business in Washington or targeting Washington consumers suggests an even broader extraterritorial reach. The courts may decide that online, out-of-state companies are covered for “targeting” Washington consumers simply by making their apps and websites available to those consumers. Moreover, out-of-state companies involved in the manufacture or supply chain could also be implicated. According to the broad language of the WMHMDA, an entity that merely “produces” some product but does not itself offer the product directly to consumers in Washington may nonetheless be covered if its product eventually “targets” those consumers.
The second prong circumscribes the consumer health data activity in which a regulated entity must be engaged to be covered by the WMHMDA. It uses limiting language somewhat familiar from the GDPR, where the regulated entity “determines the purpose and means” of how consumer health data is collected, processed, shared, or sold (like the GDPR’s distinction between a data “Controller” and other parties). The WMHMDA defines collection, processing, sharing, and selling in somewhat common-sense but broad ways. Notably, the WMHMDA provides that a “processor” can be deemed a “regulated entity,” and therefore independently covered by the WMHMDA, when it fails to adhere to the regulated entity’s instructions or goes beyond the scope of its contract with the regulated entity with respect to the manner in which it processes consumer health data.
What Are the Key Requirements of the WMHMDA?
1. Notice and Required Disclosures.
The WMHMDA requires regulated entities to disclose a Consumer Health Data Privacy Policy, which must provide:
- The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used
- The categories of sources from which the consumer health data is collected
- The categories of consumer health data that is shared
- A list of the categories of third parties and specific affiliates with whom the regulated entity shares the consumer’s health data
- How the consumer can exercise the rights of access, deletion, and withdrawing consent
The components of the WMHMDA’s policy disclosure requirements will seem redundant to anyone familiar with drafting privacy policies (the CCPA and GDPR address nearly all of the above components, or substantially similar ones). However, there are notable differences. The Attorney General has since published guidance advising that the Consumer Health Data Privacy Policy must be “separate and distinct” and published entirely by itself, apart from any other information not required by the WMHMDA. See FAQ 4 at this Link.
First, given the broad and complex definitions of covered data and their respective categories, regulated entities will need to go back to the drawing board with respect to more general “medical” or “health” data categories under existing privacy regimes.
Second, the inclusion of “specific affiliates” is a unique and noteworthy expansion of what is commonly disclosed to consumers in privacy policies. The WMHMDA defines an “affiliate” as “a legal entity that shares common branding with another legal entity and controls, is controlled by, or is under common control with another legal entity.” The WMHMDA further defines “control” under a set of typical corporate management arrangements.
Third, the WMHMDA requires that a regulated entity publish a prominent link to its Consumer Health Data Privacy Policy on its “homepage.” The WMHMDA defines “homepage” much more broadly than common parlance, to include not only the “introductory page of an internet website” but also “any internet webpage where personal information is collected.” The inclusion of any page where “personal information is collected” could be construed so broadly as to include every single page a consumer visits, because websites generally collect user IP addresses and other device identifiers.
2. Consumer Data Rights.
The WMHMDA empowers consumers with many data subject rights, including:
- Access rights. A consumer has the right to confirm whether the regulated entity collects, shares, or sells their data, and to access such data, including obtaining a list of all third parties and affiliates with whom the consumer’s data was shared or sold and their contact information.
- Withdrawal of consent. A consumer has practically unlimited rights to withdraw consent at any time.
- Right to delete. A consumer has a right to deletion of all covered data, including from archived or backup systems. A regulated entity is responsible for passing on a request to delete to all third parties and affiliates.
- Discrimination. A consumer has a right against “unlawful discrimination” for exercising any rights under the WMHMDA.
Of note here is the expansiveness of the right to delete. A consumer’s right to delete under the WMHMDA is limited by very few exceptions, unlike other privacy laws. Thus, regulated entities may be required to implement completely new deletion mechanisms and may face colliding new retention dilemmas.
3. Consent.
The WMHMDA requires that a regulated entity first obtain affirmative, opt-in consent before collecting or using consumer health data and only for a specified purpose. A regulated entity must separately and distinctly obtain consent for sharing such data.
A request for consent must clearly and conspicuously disclose:
- The categories of consumer health data collected or shared
- The purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used
- The categories of entities with whom the consumer health data is shared
- How the consumer can withdraw consent from future collection or sharing of the consumer’s health data
The WMHMDA defines consent as “a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement.” The Act requires a specific, dedicated, and stand-alone disclosure for proper consent, forbidding the use of a “general or broad terms of use agreement” or similar documents containing unrelated information. The WMHMDA also forbids inferring affirmative consent from a consumer “hovering over, muting, pausing, or closing a given piece of content” or obtaining it through “deceptive designs.” The WMHMDA describes “deceptive designs” as a form of dark patterns, which it defines as a “user interface designed or manipulated with the effect of subverting or impairing user autonomy, decision making, or choice.”
The WMHMDA also provides that regulated entities alternatively may collect, use, or share consumer health data “to the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested.” How courts will interpret “necessary” is yet to be known. This could offer some exception to additional opt-in consent in some circumstances, but it is unlikely to offer a general exception for initial opt-in consent when the product or service is first requested.
4. Geofencing Restrictions.
The WMHMDA makes it unlawful to implement a geofence around an entity that provides in-person health care when the geofence is used to identify or track consumers seeking health care services; to collect consumer health data from consumers; or to send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. “Geofence” is defined to cover any form of spatial or location detection technology used to establish a virtual boundary around a physical location, including GPS, cell tower location data, radio frequency data, and Wi-Fi data. The boundary covers a distance of 2 kilometers from the perimeter of the physical location.
5. Information Security and Data Protection.
The WMHMDA requires that regulated entities make big investments in protecting consumer data.
First, the WMHMDA requires that regulated entities maintain a principle of least privilege access. Under common information security practices, the principle of least privilege means a user has access to protected data only when it is necessary to complete a specific, required task. In the Act’s words, regulated entities must restrict access only to “employees, processors, and contractors for which access is necessary to further the purpose for which the consumer provided consent” or only where “necessary” to provide a requested product or service. The principle of least privilege access is a very strict data segregation policy that very few companies regularly implement outside the most heavily regulated industries.
Second, the WMHMDA requires that regulated entities maintain an information security program that meets the industry standard of care. In the WMHMDA’s words, the regulated entities must “at a minimum, satisfy reasonable standard of care within the regulated industry of the entity or the small business to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.”
This language mirrors HIPAA. See 45 CFR §164.306(a)(1). In information security practitioner circles, confidentiality, integrity, and accessibility/availability are known as the “CIA security triad,” and each component is a distinct pillar of risk that security teams must use to assess and mitigate data security issues. In short, “confidentiality” means protecting certain data from unauthorized access; “integrity” means maintaining the accuracy, consistency, completeness, and reliability of the protected data; and “accessibility” or “availability” means a user’s ability to access their protected data, including during and following system failures and disasters. Regulators and courts are likely to rely on an existing information security framework such as NIST SP 800 or HIPAA industry standards to evaluate whether regulated entities meet this requirement. In some cases, this requirement could dramatically raise the bar for companies not currently following such a framework on a voluntary basis.
How Can I Prepare for the WMHMDA?
Kronenberger Rosenfeld, LLP assists clients in a broad range of privacy and advertising law matters, relating to laws of many states including Washington State. We have experienced attorneys ready to advise you on compliance, enforcement, or litigation issues. We would be happy to discuss any issues you have with the WMHMDA. Feel free to call us at (415) 955-1155, ext. 120, or contact us through our website form here.
Footnotes:
¹ The WMHMDA identifies discrete exemptions from its coverage, including: entities and data covered by HIPAA; data covered by the Gramm-Leach-Bliley Act (15 U.S.C. 6801) and implementing regulations; data covered by the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); and data related to the prevention, detection, response, investigation, reporting, or prosecution of malicious activity (security incidents, fraud, identity theft, and others).
² The Act also defines “small business” entities as a narrowed subset of regulated entities, for which the Act has a different effective date.