On April 27, 2023, Washington state passed the My Health My Data Act, a privacy law that could have a significant impact on how businesses across the United States handle consumer data. The law is written broadly enough to apply to a wide array of data and to companies with minimal connections to the state and, unique among US consumer privacy laws, has a private right of action allowing individual consumers to sue companies for alleged violations. All of this means companies need to take the Washington My Health My Data Act seriously.

Businesses will also need to act fast to be ready to comply with the MHMDA: the law takes effect in less than a year, on March 31, 2024. However, small businesses, such as those that hold the health data of fewer than 100,000 consumers, will have an extra three months, until June 30, 2024, before they have to comply. Either way, the compliance deadline is not far away.

What is “consumer health data”?

The Washington My Health My Data Act applies to personal data that is related to an individual’s health, so its scope is not quite as broad as comprehensive consumer privacy laws like the California Consumer Privacy Act. However, despite this immediate focus on “health data,” Washington’s law reaches beyond the healthcare industry, and, due to several vague and broad definitions, its reach could extend almost as far as any other consumer privacy law passed in the United States to date.

The Act defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer’s past, present, or future physical or mental health.” This definition is broad and vague. The law does provide some guidance by setting out 12 categories of information as examples of what qualifies as consumer health data, but makes clear that it is not an exhaustive list. Certain categories of core health data are called out for particular protection, including “gender-affirming care information,” “reproductive or sexual health information,” and “precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.”

Beyond the clear categories of personal health data, the definition of “consumer health data” also includes data that can be used to infer details of an individual’s past, present, or future health even if the data itself does not contain any directly health-related information. The law therefore encompasses more than data that is obviously health-related. In addition to details of medical conditions an individual has, or the treatment they receive, the law reaches further to cover any information that could arguably be used to predict what an individual’s health is or could be in the future.

As an illustration of just how broad this definition could be, consider that the nutrition an individual receives is generally a good predictor of their health insofar as individuals who receive proper nutrition are generally healthier than those who do not. This means that certain information related to the food someone eats could be considered “consumer health data” under this law, including details of which grocery stores an individual shops at, the restaurants they visit, whether they order gluten-free food, and even whether or not they have a garden at home for growing vegetables.

With this in mind, the law encompasses a wide swath of information that does not intuitively seem to be “health data,” and, because it includes anything that could be used to infer such information, it is difficult to say with certainty what information would fall outside the law’s scope.

That being said, there are several types of data that are expressly exempt. The exemptions primarily apply to information that is separately regulated by other state or federal laws, including protected health information under the Health Insurance Portability and Accountability Act (HIPAA), as well as data that is subject to the Gramm–Leach–Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), Title XI of the Social Security Act, the Family Education and Privacy Rights Act (FERPA), Washington’s Health Benefit Exchange, or the privacy rules adopted by Washington’s Office of the Insurance Commissioner.

De-identified data is also exempt, as is publicly available information and any “personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research,” so long as that research is conducted in accordance with “all other applicable ethics and privacy laws.”

Whose data is covered under the MHMD Act?

The My Health My Data Act regulates the health data of individuals who qualify as “consumers” under a two-part definition contained in the statute itself. “Consumers” are either (1) residents of the state of Washington, or (2) individuals who have their consumer health data collected in the state of Washington. The first prong of this definition is straightforward and largely in line with the consumer privacy laws currently in effect in other US states. The second prong, however, is unique and broadens the reach of Washington’s law beyond what we have seen.

As written, the law could encompass personal information from individuals anywhere in the world, so long as that information was “collected” in the state of Washington. Considering that Washington is home to some of the largest cloud service providers in the world, many of which operate data centers in the state, it is likely that a sizable amount of data from non-Washington residents is collected in the state and would be subject to the new law.

However, there is one limitation that significantly restricts the universe of “consumers.” The law is clear that the term only encompasses people acting in their capacity as individuals, not as employees, job applicants, contractors, or in any other employment context. This means that data businesses collect from individuals in the course of their employment with the business is generally exempt from the law’s scope.

SixFifty can help

SixFifty’s All-US Privacy helps organizations comply with every privacy law in the United States. Businesses can easily and effectively generate customized legal documents written by top legal experts for a fraction of the cost of hiring a lawyer to write them.

All-US Privacy currently covers the privacy laws in California, Virginia, Colorado, Connecticut, and Utah, with Washington being added soon. As new laws pass, we update our tools to include them so your documents are always up to date. If you’d like to see SixFifty’s platform in action, schedule a demo with SixFifty today.