A Guide to Washington’s My Health My Data Act
The strict requirements and broad scope of Washington’s My Health My Data Act (MHMDA) will bring new compliance obligations to thousands of companies.
The MHMDA is arguably the most robust privacy law in the US and could completely change how some providers of health-related products operate. This article will explore who is covered by the MHMDA and provide some actionable first steps toward compliance.
Four Essential First Steps to Comply With Washington’s My Health My Data Act
Before we get into the details of the MHMDA, here are four essential compliance steps to introduce you to the law.
- Accountability: You must identify and disclose how your company processes “consumer health data”. This will require a data mapping exercise, a data inventory, and an MHMDA-compliant privacy policy.
- Data collection: Consumer health data can include information collected via forms, mobile permissions, and APIs. You must understand how your products and websites collect data via these technologies.
- Data sharing: The MHMDA is particularly strict regarding sharing and selling consumer health data. Data can be shared through multiple technologies, such as pixels, cookies, tags, JavaScript, SDKs, and APIs. This means you should map which companies receive different types of data from your organization.
- Consumer rights: The MHMDA provides a range of consumer rights and contains a very strong standard of consent. You must be prepared to facilitate people’s rights over their data.
As with many other privacy laws, complying with the MHMDA means integrating privacy into the core of your products.
Privacy code scanning lets you see how your product collects, uses, and shares different types of data in real time. This visibility is crucial to help you comply with the MHMDA.
Who Is Covered By Washington’s My Health My Data Act?
Key takeaway: The MHMDA covers businesses of all sizes and types based in Washington or targeting Washington residents. Small businesses aren’t exempt—but they get two months longer to comply.
Regulated Entities
A business of any size—even a solo developer—can be covered by the MHMDA if:
- It conducts business in Washington or targets its products or services to Washington consumers, and
- It “determines the purpose and means” of collecting, processing, sharing, or selling consumer health data.
We’ll look at the definition of “consumer health data” later in the article.
“Processing” consumer health data means doing practically anything with it: Collecting, storing, sharing, deleting, or otherwise using consumer health data in any way.
“Determining the purposes and means” of processing consumer health data means deciding why and how to process it. For example:
- You run a website that offers personalized meal plans based on the user’s health conditions (this is your purpose).
- You decide to use a third-party questionnaire service to collect people’s health information (these are your means).
Note that, in this scenario, the third-party questionnaire service is not “determining the purposes and means”. Under the MHMDA, this company would be a “processor”—someone who processes consumer health data on your behalf. We’ll look at processors later in the article.
Small Businesses
Under the MHMDA, a “small business” is like a regulated entity, except that it:
- Annually collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers, or
- Both:
  - Earns under 50 percent of gross revenue from collecting, processing, selling, or sharing consumer health data, and
  - Controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.
We’ll define “consumer” below.
All the MHMDA’s rules apply to small businesses, but their compliance deadline is June 30, 2024—two months later than the deadline for regulated entities (March 31, 2024).
Exceptions
The MHMDA doesn’t apply to government agencies, tribal nations, or certain government contractors.
There are other exceptions relating to different types of information, as we’ll explore later in the article.
What Types of Data Are Covered By Washington’s My Health My Data Act?
Key takeaway: The MHMDA protects “consumer health data”, which can be practically any information linked to a Washington resident’s health status—even cookies, device IDs, and IP addresses.
Consumer Health Data
One reason the MHMDA is so significant is its definition of “consumer health data”.
Some companies are likely processing consumer health data without realizing it.
Here’s the definition:
“Consumer health data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.
Let’s break the definition down. Consumer health data meets three conditions:
- It is personal information.
- It is linked or reasonably linkable to a consumer.
- It identifies the consumer’s past, present, or future physical or mental health status.
Now let’s look at each point in more detail.
Personal Information
The MHMDA adopts a broad definition of “personal information”.
“Personal information” means information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer…
The act also lists some types of personal information:
- A cookie ID
- An IP address
- A device identifier
- Any other form of persistent unique identifier
Under the MHMDA, “personal information” does not include:
- Deidentified data
- Publicly-available information
Consumer
A “consumer” means a “natural person” (living individual) that is either:
- A Washington resident, or
- A non-Washington resident, if you collect their consumer health data in Washington.
Consumers can be your customers, but they can also include visitors to your website, newsletter subscribers, or any other people that interact with your company (but not if they are acting as your company’s employees).
Physical or Mental Health Status
“Physical or mental health status” can mean practically anything related to a consumer’s health.
The MHMDA lists thirteen examples, ranging from diagnoses and treatments to precise location data linked to healthcare settings.
- Individual health conditions, treatment, diseases, or diagnosis.
- Social, psychological, behavioral, and medical interventions.
- Health-related surgeries or procedures.
- Use or purchase of prescribed medication.
- Bodily functions, vital signs, symptoms, or measurements of health conditions.
- Diagnoses or diagnostic testing, treatment, or medication.
- Gender-affirming care information.
- Reproductive or sexual health information.
- Biometric data.
- Genetic data.
- Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies.
- Data that identifies a consumer seeking health care services.
- Any information derived from non-health information (for example, via AI) that associates or identifies a consumer with one of the health conditions above.
Note that consumer health data is “not limited to” these examples.
To put this in context, the following data points could all be “consumer health data”:
- A username associated with a consumer’s account on a therapy booking app.
- An IP address or cookie linked to a consumer’s visit to a health-related website.
- Location data indicating that a consumer has visited an abortion clinic or hospital.
Exceptions
While “consumer health data” covers many types of information, the MHMDA specifically excludes certain types of information, including data processed under:
- The Health Insurance Portability and Accountability Act (HIPAA).
- The Gramm-Leach-Bliley Act (GLBA).
- Washington’s medical records law (Ch 70.02 RCW).
- Various research-related laws and regulations.
Information processed by hospitals, healthcare facilities, and other healthcare services is also exempt.
What Does the Washington My Health My Data Act Require?
Now let’s look at some of the MHMDA’s main requirements around data collection, data sharing, consumer rights, transparency, and security.
Collecting, Sharing, and Selling Consumer Health Data
Key takeaway: Under the MHMDA, you can only collect, share, or sell consumer health data with the consumer’s consent or as necessary to provide a service requested by the consumer. Some exceptions apply for security and legal purposes.
Collecting and Sharing Consumer Health Data
You may only collect or share consumer health data if:
- You have the consumer’s consent, or
- You need to collect or share the data to provide a service requested by the consumer.
You must make requests to share data separately from requests to collect data. We’ll look more closely at what “consent” means below.
When requesting consent to collect or share consumer health data, you must tell consumers:
- What types of consumer health data you want to collect or share.
- Why you want the data.
- How you’ll use the data.
- What types of organizations will receive the data (if relevant).
- How the consumer can withdraw consent.
There are some limited exceptions to the rules above, mostly related to crime, abuse, and security.
The definitions of “sharing” or “selling” don’t include disclosing data to a processor as long as you meet the law’s processor requirements. We’ll come back to this topic later in the article.
Selling Consumer Health Data
You must get consent to sell or “offer to sell” consumer health data. Again, you must make this request separately from any requests to collect or share consumer health data.
“Selling” means “the exchange of consumer health data for monetary or other valuable consideration”. This definition is very broad—“valuable consideration” can mean practically anything that benefits you.
For example, if you disclose data to an analytics company in order to improve your ad-targeting capabilities, this could constitute a “sale”.
Section 9 of the MHMDA sets strict rules about selling consumer health data. For example, you must tell the consumer who you are, who’s buying the data, and why you’re selling the data. You must also ensure that the buyer won’t resell the data.
Obtaining Consent
The MHMDA provides a very strong definition of “consent”. Consent is only valid if it is:
- Given via a clear affirmative act
- Given freely
- Specific
- Informed
- Opt-in
- Voluntary
- Unambiguous
The following actions don’t count as consent:
- Accepting “general or broad” terms and conditions.
- Hovering over, muting, pausing, or closing a given piece of content.
- Providing agreement via deceptive designs (or “dark patterns”).
Broadly speaking, you must request consent in a fair and transparent way.
Sharing Consumer Health Data With Processors
A “processor” is a service provider that processes consumer health data on your behalf, such as an analytics, customer services, or email marketing provider.
The rules on sharing and selling don’t apply when disclosing consumer health data to a processor. However, a company is only a “processor” if:
- The company provides products or services that are consistent with the purposes for which you collected the consumer health data.
- You have a binding contract with the company that limits how it processes the consumer health data.
Processors must help you facilitate consumer rights if required.
Consumer Rights
Consumers have rights over their consumer health data, including:
- To confirm whether you are collecting, sharing, or selling their consumer health data.
- To obtain a list of any third parties or affiliates that received their data, plus their online contact details.
- To access their data.
- To withdraw consent.
- To delete consumer health data, including where it is stored on backup systems or is held by a third party.
You’ll need to provide a “secure and reliable” way for consumers to submit a request. You must respond to valid requests up to twice per year, free of charge, and normally within 45 days.
If a consumer is not happy with your response, they can appeal. You must consider the appeal and let the consumer know the outcome within 45 days. You must also tell the consumer that they can complain to Washington’s Attorney General if they remain unhappy.
Privacy Policy
You must publish a privacy policy that explains:
- What types of consumer health data you collect, why you collect it, and how you use it.
- The types of sources from which you collect consumer health data.
- The types of consumer health data you share.
- The types of third parties and affiliates with which you share consumer health data.
- How consumers can exercise their rights.
Unless you have a consumer’s specific consent, you must not collect, use, or share consumer health data in a way that is inconsistent with your privacy policy.
You must prominently display a link to your privacy policy on your website’s homepage.
Data Security
You must apply a reasonable level of security to protect consumer health data, including by:
- Only permitting employees, contractors, and processors to access consumer health data if they need it for MHMDA-compliant purposes.
- Establishing, implementing, and maintaining reasonable security practices, considering your industry’s standards and the volume and nature of the consumer health data.
Preparing for Washington’s My Health My Data Act
If you’re covered by Washington’s MHMDA, you have until March 31, 2024 (or June 30, 2024 if you’re a “small business”) to comply with the law.
Identify if you are a regulated entity or small business under the MHMDA.
- Are your company’s products or services available to consumers in Washington, or is your business based there?
- Do you process “consumer health data” but fall outside HIPAA or medical research laws?
- Do you fit the definition of a “small business”?
Figure out how you process consumer health data.
- How does your app collect consumer health data?
- Do you store consumer health data securely?
- Do you share consumer health data with third parties?
- Do you sell consumer health data?
Meet the MHMDA’s transparency obligations.
- Prepare an MHMDA-compliant privacy policy.
- Create MHMDA-compliant notices for requesting consent.
Prepare to receive consumer rights requests.
- Set up an online portal to enable consumers to exercise their rights.
- Ensure you can efficiently provide access to or delete consumer health data on request.
- Set up consent request mechanisms that trigger before you collect, share, or sell consumer health data.
- Consider which of your vendors are “processors” under the MHMDA and ask them to agree to appropriate contracts.
By using Privado’s privacy code scanning tools, you gain visibility over how your products collect and use data. This enables you to map your company’s data flows and identify the types of data you collect.
FAQs
1. Who is covered by Washington's My Health My Data Act (MHMDA)?
The MHMDA covers businesses of all sizes and types based in Washington or targeting Washington residents. Small businesses are not exempt but have a compliance deadline two months later.
2. What are the essential first steps to comply with the MHMDA?
The four essential compliance steps are: identifying and disclosing how your company processes consumer health data, understanding how your products collect data via various technologies, mapping which companies receive different types of data from your organization, and being prepared to facilitate people's rights over their data.
3. What types of data are covered by the MHMDA?
The MHMDA protects "consumer health data," which includes any information linked to a Washington resident's health status, including cookies, device IDs, and IP addresses.
4. What does the MHMDA require regarding data collection, sharing, and consent?
Under the MHMDA, you can only collect, share, or sell consumer health data with the consumer's consent or as necessary to provide a service requested by the consumer. Consent must be obtained through clear affirmative acts and meet specific criteria. There are exceptions for security and legal purposes.
5. What are the consumer rights under the MHMDA?
Consumers have rights over their consumer health data, including the right to confirm data collection, access their data, withdraw consent, and request deletion. Businesses must provide a secure and reliable way for consumers to submit requests and respond within specific timelines. A privacy policy explaining data practices must be published, and data security measures must be implemented.
Robert is a writer covering privacy, security, and AI. He is a respected voice on privacy and has been covering and working in the field since 2017.