A Privacy Expert’s Guide to the Washington My Health My Data Act

February 16, 2024


At a glance

  • The Washington My Health My Data Act (MHMDA) was signed into law on April 27, 2023.
  • Intended to safeguard the health data of Washington residents, the MHMDA goes far beyond what's protected by HIPAA, covering everything from data collected by wearables to consumer locations in the pursuit of health care.
  • To avoid enforcement actions and potential penalties, companies that handle consumer health data in Washington State should move quickly on MHMDA compliance initiatives.
  • Let's dive into what this new health privacy law means for your organization!

Who does the MHMDA apply to? 

Washington's My Health My Data Act sports one of the broadest scopes of any privacy law on the books today—applying to any entity operating in Washington or catering to Washington consumers, and covering a wide range of consumer health data.

Notably, there is no minimum number of data subjects or revenue threshold, meaning that SMBs (who can often sidestep privacy laws aimed at large enterprises) are likely required to comply. 

The act also takes a broad definition of health data, covering data such as vital signs, bodily functions, and symptoms, location information that could reveal a consumer’s attempt to obtain certain medical services, data that identifies a consumer in pursuit of health services, and more. 

You can find a full accounting of the MHMDA’s staggering scope here.

In short, if your organization handles consumer health data, even if you’re not providing traditional medical care or handling medical records, you may be subject to the requirements laid out under the MHMDA. 

What constitutes health data under the MHMDA? 

We know that any Washington business handling health data must comply with the My Health My Data Act (MHMDA), but what constitutes health data in this context?

Under MHMDA, health data is broadly defined to include any information related to an individual's physical or mental health condition, the provision of health care to the individual, or payment for the provision of health care to the individual. This includes, but is not limited to, medical records, test results, prescription information, and health insurance details.

The act also includes "consumer health data," which covers personal data that can be linked to a specific consumer or device. This could include information like an individual's internet search history related to health conditions, purchase history of health-related products, or use of fitness tracking devices.

It's important to note that the MHMDA applies to any business that collects, processes, sells or shares such data about Washington residents, regardless of where the business is based. This represents a significant expansion of privacy protections beyond those offered by existing laws like HIPAA, which only applies to certain types of entities like health care providers and insurance companies.

What are your corporate obligations under the MHMDA? 

First and foremost, your company must craft a robust consumer health data privacy policy that meets the MHMDA's stringent requirements. This policy must be easily accessible to consumers, prominently featured on your website, and meticulously drafted to explain the categories, purposes, sources, and more on any health data you collect.

It’s also critical that your organization obtain explicit consent from consumers before collecting or sharing their health data, unless that data is necessary to provide a requested product or service.

Additionally, if your company intends to sell such data to third parties, you must secure separate authorization from consumers.

The MHMDA also imposes restrictions on certain practices, such as geofencing around healthcare facilities for data collection purposes. Violations of these provisions carry significant penalties, including civil fines and the risk of class-action lawsuits.

To ensure compliance, companies should implement a modern, all-in-one privacy solution that operates on data at the code level—providing the technical depth necessary for effective compliance in 2024.

Why Transcend’s modern, all-in-one privacy solution is critical for addressing Washington’s MHMDA

Navigating the complexities of the MHMDA can be challenging. However, Transcend’s comprehensive privacy solutions are designed to save privacy teams time and resources, while supporting robust compliance efforts.

Real-time data mapping, discovery, and classification

One of the biggest challenges for organizations under MHMDA will be figuring out how to untangle covered health data from all the other personal data that's being collected.

Imagine, as an example, you're a pharmacy where the marketing team collects shopping history and buyer propensity metrics. If a consumer purchases over-the-counter contraceptive products, suddenly that little chunk of data counts as covered health data, but their other non-health-related purchases (chapstick and a bag of chips) do not.

If companies want to do any sort of behavioral advertising, retargeting, or cart abandonment campaigns, they'll need a deep understanding of what data is being collected across the business and how to classify it as potential consumer health data.

Without the full visibility you gain from a real-time data inventory and automated data discovery, the rest of your privacy measures (collecting consent, providing notice, etc.) won’t be as effective and may fall short of true compliance.

Washington’s My Health My Data Act requires that organizations obtain explicit consent from individuals before collecting, using, or sharing their health data. Transcend Consent Management provides a streamlined way to fulfill this requirement. 

Plus, it’s the only consent management platform (CMP) on the market that governs both client-side and backend user consent, with custom consent experiences for any region, device, or domain.

Transcend's CMP also records consent preferences across your extended data ecosystem, propagating them downstream, to provide an auditable trail that proves when and how consent was obtained or withdrawn. This automated audit trail can be crucial for demonstrating compliance with the MHMDA.

Fulfill data subject requests

Under the MHMDA, consumers have the right to request access and deletion of their personal health data. Transcend’s DSR Automation solution can help organizations fulfill their data subject request obligations under MHMDA by…

  1. Automating request fulfillment by identifying and locating personal data across your company's data systems, and then automatically executing actions like deletion.
  2. Documenting compliance through detailed logs and analytics, which can be useful in case of audits or inquiries.
  3. Saving time and resources through robust automation. As a bonus, automation also helps reduce the risk of human error, while increasing efficiency across the board.

Provide notice in an up-to-date privacy policy

The MHMDA requires that companies provide clear disclosures in their privacy policies, including the categories of consumer health data being collected, the purposes for which the data is collected, including how it will be used, the categories of consumer health data being shared, how consumers can exercise their MHMDA rights, and more.

With Transcend Privacy Center, your organization can:

  1. Provide these disclosures in a fully customizable, easy-to-understand format. Plus, your privacy teams are fully empowered to make updates directly, never needing to wait on the web team again.
  2. Give data subjects more control. Transcend's Privacy Center gives users secure, self-serve control over their data and privacy choices. This aligns with the MHMDA's requirement for consumers to have the right to access their health data and request deletion.
  3. Increase transparency and trust with consumers. With Privacy Center, your teams can communicate their data practices clearly to consumers, supporting compliance and improving customer trust.

Security and robust access control

Under the MHMDA, businesses can only grant consumer health data access to those who need it to fulfill a specific action related to providing a good or service, or for which the consumer provided explicit consent. 

Organizations must also implement appropriate technical and physical security practices to ensure sensitive health data isn’t misused, breached, or otherwise abused. Providing this security is tantamount to compliance, which is why a zero-trust solution like Transcend is key. 

All of Transcend’s solutions are built on the same robust security framework, providing numerous advanced access control mechanisms, including:

  • End-to-end encryption with ES-256
  • Integration through our proprietary security gateway Sombra
  • Support for user authentication systems like OAuth 2, JWT Magic Links, and MFA
  • SSO included on every plan

Handling health data requires extra care when it comes to security and access controls. And in the context of the MHMDA, it’s not only the ethical thing to do—it’s a clear legal requirement that can lead to enforcement action if violated.


About Transcend

Transcend is an all-in-one platform for modern privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for state privacy laws coming online in 2024.

From Consent Management, to automated DSR Fulfillment, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.

