The State of Washington passed the My Health My Data Act (MHMDA), which is a groundbreaking data privacy law focused on protecting personal health data. This Washington health law empowers residents by granting them control over their personal health information, ensuring transparency and accountability in its handling. It sets stringent standards for the collection, storage, and sharing of health data, requiring explicit consent from individuals for its use.  This legislation is unique in that it establishes regulations surrounding personal health data not covered under existing laws like the Health Insurance Portability and Accountability Act (HIPAA). 

The act was signed by Gov. Jay Inslee in April 2023 and it has been in full effect since March 30, 2024. This law applies to regulated entities located in or outside Washington that target products or services towards Washingtonians and collect, process, share, and sell their “consumer health data.” However, this law will be applied to small businesses starting June 30, 2024, and they must comply with the law’s requirements.

We mentioned the My Health My Data Act protects personal health data that falls outside of HIPAA. This includes data collected by wearables, sensitive location data linked with medical care or reproductive health, and certain retail purchases. There are more areas of information that fall under the content of health data, including, but not limited to:

  • Health conditions, treatments, and diagnoses unique to individuals
  • Insights into social, psychological, and behavioral health, alongside medical interventions
  • Surgical and procedural aspects related to health
  • Medication use or acquisition patterns
  • Vital signs, symptoms, or health measurements are covered by the Act
  • Diagnostic processes, treatment plans, and medications prescribed
  • Information regarding gender-affirming healthcare
  • Details on reproductive and sexual health
  • Biometric data relevant to the Act’s scope
  • Genetic information within the Act’s purview
  • Location data indicating health service seeking
  • Non-health data extrapolations from the listed categories

 The law requires companies to get clear and evident consent from customers before collecting health data. MHMDA is enforceable through a private right of action as it empowers customers with additional rights to protect their health information, including health data deletion, among others. The act includes requirements that a variety of entities, brands, advertisement companies, and data services companies should meet to serve Washingtonians and steer clear of steep penalties.

Getting Ready for MHMDA: Steps to Ensure Your Organization’s Compliance 

Privacy Notices

If your organization is subject to the law, maintaining a privacy policy will be required, as it will clearly disclose information related to:

  • What types of consumer health data are collected
  • Why the data is collected and how will it be used
  • Sources for data collection
  • List of third parties with whom the data is shared
  • And how a customer can exercise their rights under the act

You need to prominently display a link to your consumer health data privacy policy on the homepage of your organization’s website. It is important to note that this link should be standalone and should not contain additional information not required under the act.

Customer Consent

The most important aspect of MHMDA is the customer’s consent, because without it, organizations cannot legally collect, store, or process consumer health data for business purposes. Organizations need to clearly request consent from a customer and also disclose the categories of data they collect, the purpose of data collection, how they will use the data, and the categories of entities with whom the data will be shared.

Customer Rights

Under the new act, organizations are required to fulfill new consumer rights, such as a customer’s right to confirm processing, their right to withdraw consent, and their right to delete personal health data. The act specifies timeframes for responding to customer requests, mandating that entities under regulation must promptly process requests to erase any health data without unnecessary delay, ensuring completion within 30 calendar days upon verifying the deletion request. Furthermore, entities must promptly acknowledge consumer queries, ensuring a response within 45 days upon receipt, with the possibility of extending this timeframe by another 45 days in the case of intricate requests.

Avoiding Violations

Just like other data privacy acts, MHMDA also penalizes organizations that are involved in unfair or deceptive acts in business. Penalties are outlined in the Consumer Protection Act, Chapter 19.86 RCW, and consumers also have the right to take legal action against an organization in court. Consumers can recover the cost of the suit, damages sustained, and a reasonable amount of attorney’s fees.

Achieve Washington health law Compliance With Secuvy’s Data Privacy Platform 

We understand that it can be challenging to adhere to various regional and international data privacy laws and that you need a solution to easily navigate through their complex requirements. Secuvy’s unified data privacy compliance and data protection platform offers AI-powered data privacy features to automate sensitive Personal Information (PI) discovery, create real-time data inventory, and do much more. You can leverage these features to comply with MHMDA:

Automate data discovery and create a live data inventory – Discover and map all data across your data systems to apply appropriate governance rules. You need to identify which data falls under the definition of “consumer health data“ and how it is collected across your business to classify it as potential consumer health data and target branding campaigns. Once you map all your data, you can create a real-time data inventory on our platform to catalog sensitive data and improve PI management accuracy.

Fulfill data subject requests – As consumers have the right to request access and deletion of their personal health data, you can take advantage of Secuvy’s Data Subject Access Requests (DSAR) solution. Automate the entire process of fulfilling consumer data requests, get real-time updates for each request, and increase business efficiency.

Collect consent – MHMDA requires organizations to obtain explicit consent from consumers to collect, store, process, sell, or share their information for business purposes. Our Consent Management solution allows organizations to monitor and track valid consent statuses through a centralized dashboard.

Create privacy policies and notices – Organizations need to clearly disclose their privacy policies under MHMDA, and they can easily do that through Secuvy’s Policy Engine. You can customize a policy that aligns with Washington’s My Health My Data Act to disclose what type of data your organization collects and what the purposes of data collection are. With a centralized dashboard, you can publish, maintain, and update privacy policies and notices to give consumers more control over their data and privacy choices.

Get Started With Secuvy

We focus on data privacy compliance. The Secuvy Platform – the unified data security & privacy platform powered by self-learning AI  – fills the massive gap for a solution that can expand your reach into unstructured, semi-structured, structured, and SaaS data across any data store or type, providing unprecedented visibility and control of your sensitive enterprise data. Contact us today to schedule a demo to learn how our platform can help you comply with Washington’s My Health My Data Act.