Washington My Health My Data Act: Key Requirements

Post Summary

The Washington My Health My Data Act (MHMDA) is a privacy law designed to protect consumer health data not covered by HIPAA. It applies to any business that conducts business in Washington or targets its products or services to Washington consumers, with strict rules on consent, data sharing, and security. Key compliance deadlines were March 31, 2024, for most businesses, and June 30, 2024, for small businesses. Notably, the geofencing prohibition around healthcare facilities has been in effect since July 23, 2023.

Key Points:

  • Who It Covers: Any business handling consumer health data in Washington, including apps, websites, and retailers, many of which had no comparable health-data obligations before and must now build or extend a cybersecurity program to meet the Act's standards.
  • Consumer Rights: Access, deletion, and consent withdrawal for health data; businesses must respond to requests within 45 days.
  • Privacy Policy: Requires a separate, detailed Consumer Health Data Privacy Policy with no marketing language.
  • Consent Rules: Opt-in consent for data collection and a separate opt-in consent for sharing; signed written authorization required for data sales.
  • Geofencing Ban: Prohibits implementing a geofence within 2,000 feet of a facility that provides in-person healthcare services in order to identify or track consumers, collect their health data, or send them health-related notifications or ads.
  • Penalties: Violations are enforceable under Washington's Consumer Protection Act, with civil penalties of up to $7,500 per violation plus potential lawsuits under the private right of action.

The law emphasizes transparency, accountability, and robust risk management and data protection measures, with steep penalties for non-compliance.


Privacy Policy Requirements

Under the Washington My Health My Data Act (MHMDA), businesses must create a stand-alone Consumer Health Data Privacy Policy that includes only the information required by the Act. This policy must not contain any marketing language or be combined with other notices.

The Washington State Attorney General has emphasized:

"The CHD privacy policy 'may not contain additional information not required under the [MHMDA].'" [5]

This policy must be easily accessible. Place a distinct link to it on your homepage, mobile app download pages, and within the app itself.

What Must Be Included in Your Privacy Policy

The policy must provide clear details about the following seven elements:

  1. CHD Categories: Specify the types of health data collected, such as biometric data or reproductive health information.
  2. Sources: Identify where the data comes from - this could include direct consumer input, cookies, or third-party brokers.
  3. Purposes: Explain in detail how the data will be used, whether for providing services, conducting research, or performing analytics.
  4. Shared CHD: List the categories of consumer health data that are disclosed to external parties.
  5. Third-Party Categories: Describe the types of external entities receiving the data, such as analytics providers or cloud storage providers.
  6. Specific Affiliates: Unlike other privacy laws, the MHMDA requires that you name specific affiliates by their company names if they receive consumer health data. As Mike Hintze, Partner at Hintze Law, explains:

    "While every other type of third party with which data may be shared should be listed at the category level, those entities that meet the 'affiliate' definition must be specifically listed." [6]

  7. Consumer Rights: Provide instructions for consumers to access their data, request deletion, withdraw consent, and include contact details or web forms for these requests.

Required Element       | What to Include
CHD Categories         | Specific types of health data collected (e.g., biometric, reproductive health)
Sources                | Where data originates (e.g., directly from consumers, cookies, third-party brokers)
Purposes               | How data is used (e.g., service delivery, research, analytics)
Shared CHD             | Categories of health data disclosed to external parties
Third-Party Categories | Types of external entities receiving data (e.g., analytics providers, cloud storage)
Specific Affiliates    | Actual names of affiliated companies receiving data
Consumer Rights        | Instructions for accessing data, deletion, and consent withdrawal

It’s crucial to include all anticipated uses of the data in the policy. If new categories of data are collected or new purposes arise beyond what the policy disclosed, businesses must update the policy and obtain new opt-in consent from consumers before collecting or sharing the data for those purposes.

Next, we'll explore how clear consent and authorization rules are enforced under the MHMDA.

Consent and Authorization Rules

Consent and authorization rules play a key role in the Washington My Health My Data Act (MHMDA), ensuring strong protections for consumer health data. Under the Act, businesses must secure clear, opt-in consent before collecting or sharing such data. This consent must be explicit, affirmative, and obtained separately for collection and for sharing [7][8].

To meet the MHMDA's standards, consent cannot be buried in general terms of use or inferred from passive or unclear actions. The law also bans the use of deceptive designs to obtain consent [7][8]. While electronic consent is allowed, it must reflect a deliberate and informed decision by the consumer.

Consent is not required when data processing is necessary to fulfill a service explicitly requested by the consumer. However, any secondary activities - like analytics, marketing, or de-identification - still demand explicit consent.

These rules establish the groundwork for additional regulations governing data sharing and location-based practices.

Rules for Sharing and Selling Data

Sharing health data with third parties or affiliates requires a separate consent distinct from the one for collection [7][8]. When it comes to selling data - defined as exchanging it for monetary or other valuable consideration - the Act enforces an even stricter standard: a signed written authorization from the consumer.

Mike Hintze, Partner at Hintze Law, highlights how stringent this requirement is:

"The authorization requirement is, in effect, a prohibition on data sales." [7]

A valid authorization must include detailed information, such as:

  • The specific health data involved
  • Names and contact details of both the seller and buyer
  • The purpose of the sale
  • An expiration date: the authorization expires one year after the consumer signs it

Both parties must keep copies of the authorization for six years. Additionally, the document must inform consumers of their right to revoke the authorization at any time and warn that once the buyer re-discloses the data, it is no longer protected under the Act [7][8].

Geofencing Restrictions

The MHMDA enforces a strict ban on geofencing near healthcare facilities. Under the Act, a geofence is a virtual boundary, drawn with GPS, cell-tower, Wi-Fi, or any other location-detection technology, that lies 2,000 feet or less from the perimeter of a facility that provides in-person healthcare services [9]. Implementing such a geofence to identify or track consumers seeking healthcare services, to collect their health data, or to send them health-related notifications or ads based on their proximity is prohibited [2][9].

Goodwin underscores the inflexibility of this rule:

"This is an absolute prohibition and there is no exception for activity done with consumer consent." [2]

This geofencing ban has been in effect since July 23, 2023, well ahead of the general compliance deadlines. It applies broadly to any individual, not just regulated businesses [1]. The definition of healthcare services is expansive, covering not only hospitals but also wellness centers, fitness facilities, and nutrition providers [2]. This ensures that the prohibition extends to a wide range of health-related locations and services.
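A pre-flight check that a marketing or analytics team can run before any location boundary is created, added here as an example; it is not part of the original post or of any product it describes. It models each facility as a point plus a circular footprint radius that approximates the perimeter (an assumption; real perimeters are polygons) and applies the 2,000-foot buffer conservatively: a proposed fence is flagged when the gap between its edge and the facility perimeter is 2,000 feet or less, which also catches fences that overlap or enclose the facility. The facility list, campaign names, and coordinates are constructed for the example.

```python
import math
from dataclasses import dataclass

# Mean Earth radius (6,371 km) converted to feet.
EARTH_RADIUS_FT = 6_371_000 / 0.3048
# Statutory buffer: a geofence 2,000 feet or less from the facility perimeter.
MHMDA_BUFFER_FT = 2_000


def haversine_ft(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in feet."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_FT * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Facility:
    """An in-person healthcare location. Assumption: the perimeter is
    approximated by a circle of footprint_ft around the listed point."""
    name: str
    lat: float
    lon: float
    footprint_ft: float


@dataclass(frozen=True)
class Geofence:
    """A proposed circular location boundary for a campaign or analytics job."""
    campaign: str
    lat: float
    lon: float
    radius_ft: float


def conflicting_facilities(fence: Geofence, facilities) -> list:
    """Return (facility name, edge-to-edge gap in feet) for every facility the
    fence would violate. Conservative reading: flagged when the gap between the
    fence edge and the facility perimeter is <= 2,000 ft, including a negative
    gap, which means the fence overlaps or encloses the facility."""
    hits = []
    for fac in facilities:
        centre_distance = haversine_ft(fence.lat, fence.lon, fac.lat, fac.lon)
        gap = centre_distance - fence.radius_ft - fac.footprint_ft
        if gap <= MHMDA_BUFFER_FT:
            hits.append((fac.name, round(gap, 1)))
    return hits


def is_permitted(fence: Geofence, facilities) -> bool:
    """True when the fence stays clear of every known facility."""
    return not conflicting_facilities(fence, facilities)


# Constructed data: a fictional facility and campaigns near downtown Seattle.
FACILITIES = [
    Facility("Example Clinic", 47.6100, -122.3400, footprint_ft=300),
]
# 0.005 degrees of latitude is about 1,824 ft; 0.01 degrees is about 3,648 ft.
NEAR_FENCE = Geofence("pharmacy-promo", 47.6150, -122.3400, radius_ft=500)
FAR_FENCE = Geofence("stadium-promo", 47.6200, -122.3400, radius_ft=500)
ENCLOSING_FENCE = Geofence("neighbourhood-ads", 47.6100, -122.3400, radius_ft=5_000)


if __name__ == "__main__":
    for fence in (NEAR_FENCE, FAR_FENCE, ENCLOSING_FENCE):
        verdict = "permitted" if is_permitted(fence, FACILITIES) else "BLOCKED"
        print(f"{fence.campaign:18} {verdict:10} {conflicting_facilities(fence, FACILITIES)}")
```

The gap, not the centre distance, is what matters: a 500-foot fence whose centre is 1,824 feet from the clinic still sits only about 1,024 feet from its perimeter, and a 5,000-foot fence centred on the clinic reports a negative gap because it encloses the facility. Because the ban has no consent exception, a check like this belongs in the tooling that creates fences, before a campaign is approved, rather than in an after-the-fact review.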

Consumer Rights and Response Deadlines

The Washington My Health My Data Act (MHMDA) gives consumers extensive control over their health data, surpassing the protections offered by most state privacy laws. This creates significant responsibilities for organizations that fall under its scope.

What Rights Consumers Have

Under the MHMDA, consumers can inquire about how their health data is collected, shared, or sold. They also have the right to access their specific health data and to obtain a list of all third parties and affiliates that have received it, along with an active email address or other online mechanism for contacting each recipient [10][11].

One of the most far-reaching rights is the right to deletion. Amy de La Lama, Partner and Chair of Global Data Privacy and Security Practice at BCLP, explains:

"The MHMDA provides consumers with the right to know/access consumer health data, the right to have such information deleted and the right to withdraw consent that had previously been granted." [10]

When consumers request deletion, organizations must remove the data from their records, including copies held in archived or backup systems, which must be deleted within six months of receiving the request. Additionally, they must notify all affiliates, processors, contractors, and third parties that received the data to delete it as well - a process known as passthrough deletion [10][11]. Consumers can also withdraw consent at any time [10][2]. If a request is denied, they have the right to appeal. Should the appeal also be denied, the organization must provide a method for contacting the Washington Attorney General. Importantly, organizations are prohibited from discriminating against consumers for exercising these rights, and consumers can make up to two free requests annually [11].

These extensive rights come with strict deadlines for organizations, as outlined below.

How Quickly You Must Respond

To ensure consumers can exercise their rights effectively, the MHMDA enforces specific response timelines. Organizations must respond to consumer requests within 45 days. For complex cases, a single 45-day extension is allowed, provided the consumer is notified promptly [10][11]. Appeals, however, must be resolved within 45 days, and no extensions are permitted [10].

Failing to meet these deadlines can result in severe penalties. The Washington Attorney General can impose civil penalties of up to $7,500 per violation [12]. Additionally, the Act allows consumers to file lawsuits for violations, opening the door to costly class action cases. As noted by BCLP:

"The AG's office can impose a civil penalty of up to $7,500 per violation. In addition... the MHMDA provides consumers a private right of action to seek damages for violations of the law, creating the real and immediate risk of a costly class action lawsuit." [12]

To stay compliant, organizations need to implement secure authentication processes to verify consumer identity before releasing or deleting data. Keeping thorough records of all third-party data transfers and automating deletion workflows are also critical steps for adhering to these tight deadlines [10][11].

Data Security Requirements

The MHMDA goes beyond consumer privacy rights by imposing strict data security obligations. It requires organizations to implement robust protections for health data, applying these rules to all regulated entities and small businesses that handle consumer health data, regardless of their size or revenue.

Required Security Measures

Organizations must establish a thorough data security program that includes administrative, technical, and physical safeguards. These measures aim to maintain the confidentiality, integrity, and accessibility of consumer health data. As Celestine Bahr, Director Legal, Compliance & Data Privacy at Usercentrics GmbH, puts it:

"The standards for these practices should at minimum meet the reasonable standard of care within the industry to protect the confidentiality, integrity, and accessibility of consumer health data, taking into account the volume and nature of the consumer health data handled." [9]

The Act emphasizes that the "reasonable standard of care" varies by industry and depends on the type and amount of health data processed. For example, a large hospital system will have different requirements compared to a small wellness app, but both are expected to implement safeguards appropriate for their operations.

Access restrictions play a central role. Only individuals or entities with a verified need to perform a consumer-consented service may access consumer health data [9][14]. This "need-to-know" principle applies not just within the organization but also to third-party vendors and processors.

Websites handling health data must encrypt traffic with TLS (still commonly referred to as SSL) and adopt strong hardening measures to prevent unauthorized access [13]. One cited estimate puts the cost of these security upgrades between $900 and $2,800 [13]. The same source recommends security audits at least once a year and whenever major updates are made to data collection systems [13]; the Act itself sets no audit schedule, but a periodic audit is a practical way to demonstrate that the "reasonable standard of care" is being met. These practices also extend to archived and backup data, ensuring that all records - including those managed by third-party processors - are fully removed when no longer needed [9][14].

These security measures work hand-in-hand with the consent, policy, and deletion protocols outlined in earlier sections, forming a comprehensive approach to safeguarding consumer health data.

Processor Contracts and Allowed Exceptions

Regulated entities must establish binding contracts with processors to formalize their relationships, often as part of a broader third-party risk management strategy. Under the Washington My Health My Data Act (MHMDA), processors can only handle consumer health data when operating under such agreements. Without a proper contract, any third party managing health data may be reclassified as a regulated entity and held to all MHMDA requirements [16][14].

What Processor Agreements Must Include

Processor contracts must clearly outline the processing instructions, specifying what the processor is allowed to do, the purpose behind it, and the required handling of consumer health data [16][14][2]. This clarity ensures processors remain within their authorized role.

These agreements should also require processors to implement technical and organizational safeguards that help fulfill consumer rights, particularly regarding data deletion. If a consumer requests deletion, the contract must ensure that the processor removes the data from active systems, archives, and backups [14][15]. Furthermore, contracts should limit data access to only those employees who need it to perform their duties [16][14].

If a processor violates these terms or processes data outside of the agreed instructions, they will be treated as a regulated entity under the law [16].

When Exceptions Apply

While contracts impose strict guidelines, the MHMDA allows certain exceptions in specific situations. These exceptions permit the collection, use, or disclosure of consumer health data without usual restrictions when addressing security incidents, identity theft, fraud, harassment, or illegal activities [14][2]. For instance, during a data breach investigation or fraud prevention effort, you can process health data as necessary and direct your processors to do the same.

However, the responsibility to prove that an exception applies lies with your organization. As noted by Stoel Rives LLP:

"The Entities bear the burden of demonstrating that such collection, usage, or disclosure qualifies for the exemption" [14].

This means you must document your reasoning to justify why certain data processing qualifies for an exemption, especially in cases involving security or fraud. Keeping detailed records of your decision-making process is critical.

Additional exceptions exist for corporate transactions like mergers or acquisitions. Transferring consumer health data in these scenarios is not considered "sharing" or "selling" as long as the receiving party takes control and adheres to MHMDA requirements [14][2]. Similarly, contracted service providers working on behalf of government agencies are excluded from being classified as "regulated entities" [14].

Using Censinet RiskOps™ for MHMDA Compliance


Staying compliant with MHMDA mandates requires meticulous oversight and third-party risk assessments of how processors handle data. Healthcare organizations must manage vendor contracts, enforce strict access controls, and uphold security standards that align with the law's "reasonable standard of care" requirements [9]. Censinet RiskOps™ simplifies these tasks through automation.

Automated Vendor Risk Assessments

Censinet RiskOps™ assigns credit-like risk scores (ranging from 300 to 850) to each vendor product, based on 11 healthcare-specific risk factors. These evaluations use seven AI Research Agents to analyze aspects like PHI interaction, EHR connectivity, and breach history [17]. This scoring system helps organizations quickly identify which processors require immediate attention to fulfill MHMDA’s binding contract requirements [4][2].

With a network of over 200 healthcare organizations and 55,000 vendors [17], the platform offers extensive visibility into vendor operations, tracking both technical and organizational measures to support consumer rights [4][2]. Beyond risk scoring, Censinet integrates tools to enhance data protection.

Data Protection Tools

Censinet aligns with the Health Sector Coordinating Council's SMART framework, which was developed over 16 months with input from more than 80 healthcare organizations [17]. The platform automatically maps vendor products to 17 critical healthcare functions, such as claims processing, pharmacy operations, and lab services, ensuring that vendor access aligns with sensitive clinical workflows.

Erik Decker, Vice President and CISO at Intermountain Health, highlighted the platform's value:

"The challenge has always been operationalizing that insight - moving from understanding the risk conceptually to actually mapping, scoring, and managing it across thousands of vendor products" [17].

Censinet also offers vendor concentration analysis, identifying cases where a single vendor poses a convergence risk across multiple critical functions. These insights allow organizations to limit access to consumer health data, ensuring processors only access data necessary for the services they provide [9].

These capabilities directly address key MHMDA requirements, as shown below.

MHMDA Requirements vs. Censinet Features

The table below outlines how Censinet RiskOps™ aligns with MHMDA mandates:

MHMDA Requirement         | Censinet RiskOps™ Feature         | Benefit
Processor Contracts       | Automated Vendor Risk Assessments | Ensures processors are bound by contracts limiting data use and providing clear instructions.
Data Security Obligations | Inherent Risk Scoring (300-850)   | Analyzes key factors like PHI interaction and cloud hosting to meet "reasonable" security standards.
Access Controls           | Critical Function Mapping         | Monitors and restricts vendor access to sensitive clinical and business workflows.
Vendor Management         | Concentration Risk Visibility     | Identifies risks where a single vendor failure could jeopardize sensitive health data.
Regulatory Readiness      | Systemic Risk Dashboard           | Offers board-ready reports to meet HHS and state-level scrutiny requirements.

Censinet’s AI-driven classification also identifies "emergent" data types, such as biometric data or precise location information derived from algorithms, which fall under MHMDA’s expansive definition of consumer health data [16]. This ensures no processor handling sensitive or non-traditional data types is overlooked during risk assessments.

Conclusion

The Washington My Health My Data Act introduces stringent data privacy and protection standards that extend well beyond HIPAA. Healthcare organizations and their vendors are now required to manage consent for collecting, sharing, and selling consumer health data - including biometric information, location data, and even inferred health conditions [3]. With the Act's private right of action, violations can result in steep penalties of up to $7,500 per incident, along with potential treble damages reaching $25,000 [4].

Complying with these requirements is no small task. Organizations face operational hurdles like managing vendor contracts, enforcing data deletion protocols, and adhering to geofencing restrictions [2]. To stay compliant, they must secure binding processor agreements, implement separate consent mechanisms, and provide transparency about affiliate access through dedicated privacy policies.

Censinet RiskOps™ offers a solution to these challenges with its automated vendor risk scoring and advanced risk assessment tools. Its AI-driven classification system helps identify the processors handling sensitive data, directly addressing the compliance complexities outlined in the Act.

Legal professionals warn:

"The biggest risk is that, unlike most U.S. state privacy laws, violations of MHMDA can be enforced through a private right of action... we anticipate that the plaintiffs' bar will be very active, if not aggressive, in suing companies" [4].

Organizations that fail to act swiftly risk severe legal and financial consequences. By leveraging tools like Censinet RiskOps™, healthcare providers can streamline compliance efforts, protect sensitive consumer data, and reduce exposure to potential lawsuits and penalties. This proactive approach not only ensures regulatory compliance but also safeguards against the evolving risks tied to consumer privacy obligations.

FAQs

How can I tell if the MHMDA applies to my app or vendor product?

The MHMDA applies to any legal entity that conducts business in Washington, or that produces or provides products or services targeted to Washington consumers, and that determines the purpose and means of collecting, processing, sharing, or selling consumer health data. This includes businesses, vendors, and apps that collect or manage health-related information about Washington residents, or about anyone whose health data is collected while they are in Washington - regardless of the company's size or revenue.

What is considered 'consumer health data' under the MHMDA?

The My Health My Data Act (MHMDA) takes a broad approach to defining consumer health data. It covers personal information that is linked, or reasonably linkable, to a consumer and that identifies the consumer's past, present, or future physical or mental health status. This includes information that reveals a health condition directly and information from which one can be inferred: for example, biometric data, precise location data that could indicate an attempt to obtain health services, and inferences derived from non-health data by algorithms or machine learning. Data already regulated under HIPAA is outside the Act's scope.

What’s the simplest way to operationalize 45-day rights requests and passthrough deletion?

To meet the requirements of the Washington My Health My Data Act, it's essential to automate the 45-day rights request process and ensure seamless passthrough deletion. Create workflows that log incoming requests, track the response and appeal deadlines, send timely reminders, and securely handle data access or deletion tasks, including notifying every recipient of the data. Tools like Censinet RiskOps™ can simplify this process by tracking compliance, monitoring deadlines, and securely disposing of consumer health data, minimizing the risk of errors. Make sure to integrate these workflows into your current systems and conduct regular audits to stay compliant with the 45-day timeline.
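One way to operationalize the deadlines and the passthrough fan-out described in the "How Quickly You Must Respond" section above and in this FAQ, added here as an example; it is not part of the original post or of any product it mentions. It encodes the 45-day response window, the single 45-day extension, the 45-day appeal window with no extension, and the six-month purge of archived and backup copies, and it derives the passthrough deletion recipients from a transfer log, the same record that supplies the recipient list owed on an access request. The RightsRequest record, the transfer-log shape, and its entries are constructed for the example; counting deadlines in calendar days from receipt and the six months as calendar months are assumptions, not statutory definitions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RESPONSE_DAYS = 45           # respond to a rights request within 45 days of receipt
EXTENSION_DAYS = 45          # one extension, for the initial response only
APPEAL_DAYS = 45             # decide an appeal within 45 days; no extension
BACKUP_DELETION_MONTHS = 6   # purge archived/backup copies within six months


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass
class RightsRequest:
    """Constructed record of one consumer rights request."""
    request_id: str
    consumer_id: str
    kind: str                               # "access", "deletion" or "withdraw_consent"
    received: date
    extended: bool = False
    appeal_received: Optional[date] = None


def response_deadline(req: RightsRequest) -> date:
    """Last day to respond: 45 days, plus 45 more if the single extension was used."""
    extra = EXTENSION_DAYS if req.extended else 0
    return req.received + timedelta(days=RESPONSE_DAYS + extra)


def grant_extension(req: RightsRequest) -> bool:
    """Use the one permitted extension. Returns False if it was already used,
    so a workflow cannot silently extend twice."""
    if req.extended:
        return False
    req.extended = True
    return True


def appeal_deadline(req: RightsRequest) -> Optional[date]:
    """Appeals get a flat 45 days from receipt of the appeal, never extended."""
    if req.appeal_received is None:
        return None
    return req.appeal_received + timedelta(days=APPEAL_DAYS)


def is_overdue(req: RightsRequest, today: date) -> bool:
    return today > response_deadline(req)


# Constructed transfer log: one row per disclosure of a consumer's health data.
# Keeping this log is what makes passthrough deletion and the access-request
# recipient list possible at all.
TRANSFER_LOG = [
    {"consumer_id": "c-1001", "recipient": "AnalyticsCo", "role": "processor",
     "contact": "privacy@analyticsco.example"},
    {"consumer_id": "c-1001", "recipient": "AnalyticsCo", "role": "processor",
     "contact": "privacy@analyticsco.example"},          # repeat disclosure
    {"consumer_id": "c-1001", "recipient": "WellnessAffiliate LLC", "role": "affiliate",
     "contact": "https://wellnessaffiliate.example/privacy-requests"},
    {"consumer_id": "c-2002", "recipient": "AdNetwork", "role": "third_party",
     "contact": "dsar@adnetwork.example"},
]


def passthrough_recipients(consumer_id: str, log) -> dict:
    """Every distinct recipient of this consumer's data, with the contact
    channel the deletion notice goes to. Repeat disclosures collapse to one."""
    recipients: dict = {}
    for row in log:
        if row["consumer_id"] == consumer_id:
            recipients.setdefault(row["recipient"],
                                  {"role": row["role"], "contact": row["contact"]})
    return dict(sorted(recipients.items()))


def deletion_plan(req: RightsRequest, log) -> dict:
    """Deadlines and notifications that a deletion request generates."""
    if req.kind != "deletion":
        raise ValueError("deletion_plan only applies to deletion requests")
    return {
        "request_id": req.request_id,
        "respond_by": response_deadline(req),
        "purge_backups_by": add_months(req.received, BACKUP_DELETION_MONTHS),
        "notify": passthrough_recipients(req.consumer_id, log),
    }


if __name__ == "__main__":
    req = RightsRequest("req-42", "c-1001", "deletion", date(2024, 3, 1))
    print(deletion_plan(req, TRANSFER_LOG))
```

Two design points matter more than the date arithmetic. First, the extension is a one-way flag that refuses a second use, so the 45-day clock cannot be pushed twice by a busy queue. Second, the notification list is generated from the transfer log rather than typed in per request, which is the only way the passthrough obligation (and the recipient list on an access request) stays accurate as vendors change. A log entry that was never written cannot produce a deletion notice, so the logging call belongs on the disclosure path itself.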
