Washington State’s New Health Privacy Law’sPrivate Right of Action Gives this Law Some Sharp Teeth
Washington passed a health privacy law called the My Health My Data Act (MHMD) in 2023 that is going into effect on March 31, 2024. This law is significant in several respects and we recommend that organizations with operations in Washington take certain actions to ensure they are in compliance. Below are our key takeaways from the law.
The MHMD authorizes a private right of action where a plaintiff can recover attorneys' fees and treble damages. Most data privacy laws can only be enforced by a regulator (like a state attorney general, OCR, FTC, etc.). In contrast, MHMD violations can be pursued by a private individual through the state's Consumer Protection Act. Since claimants may also recover attorneys' fees and treble damages under the state's Consumer Protection Act, we think the MHMD may become a favorite for the class action plaintiffs' bar.
The MHMD essentially applies to all entities that conduct business in Washington. There is no minimum revenue or other minimum threshold for application. There is no requirement that the entity is physically located in Washington.
The MHMD has specific requirements with respect to "consumer health data," which is broadly defined as "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status." The law gives many examples of what falls within consumer health data. The requirements with respect to consumer health data are limited to Washington residents and individuals whose consumer health data is collected in Washington.
The MHMD is intended to be a gap filler for data not covered by other laws. Importantly, the MHMD exempts from its requirements any data that is PHI subject to HIPAA. In other words, PHI is not subject to MHMD requirements for consumer health data. This is an important point if the health care entity is HIPAA regulated.
The key substantive requirements from the MHMD are:
Consumer rights: (i) consumers have the right to know/access the consumer health data maintained and disclosed by a regulated entity; (ii) consumers have the right to have consumer health data deleted from the regulated entity and third parties to which the entity has shared consumer health data; and (iii) consumers have the right to appeal decisions the regulated entity has made with respect to consumer health data.
Consent: regulated entities must get opt-in consent (i.e., a clear affirmative act) from consumers before collecting or sharing their consumer health data. Regulated entities must get a separate authorization (similar to a HIPAA authorization) before selling an individual's consumer health data.
Privacy policy: regulated entities must maintain a “consumer health data privacy policy” on their websites that addresses the entity's use and disclosure of consumer health data.
Security and access controls: regulated entities must maintain privacy and security practices with respect to consumer health data and limit access to individuals who have a need to access it.
If a regulated entity must comply with the MHMD, then we recommend that the entity do the following:
Update online privacy policy to address consumer health data
Ensure consumers are affirmatively opting in to the consumer health data policy
Implement internal processes for MHMD security and consumer rights
Determine if entity is selling consumer health data and, if so, implement a consent process with certain required elements
Review vendor contracts if the vendor is processing consumer health data to ensure the contract flows through MHMD obligations (e.g., the law's right to deletion is very strict and applies to downstream entities)
It is worth noting that Nevada has a law going into effect at the same time on 3/31/2024 (the Nevada Consumer Data Health Privacy Law). The Nevada law is similar to the MHMD in many ways, and implementing compliance with the MHMD will address much of the Nevada law's requirements. However, it is a key distinction that the Nevada law does not authorize a private right of action like the MHMD.