In just over a month, Washington state’s My Health My Data Act will go into effect. If you’re not a healthcare company, why should you care about the March 31st effective date? The Act itself uses general definitions, widening the scope to include non-traditional healthcare providers. Even more alarming, the scope may include companies not considered healthcare companies at all – and in a first for privacy regulations in the US, this has a private right of action, making it worth evaluating your position in MHMDA for almost any company.
“Consumer health data” under the MHMDA is broadly defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” Consider what information could fall into that category. A fitness retail company could hold information on a consumer that relates to physical health such as height, weight, heart rate, and more. When we introduce the second element of biometric data, other companies that aren’t traditionally considered health companies could be in scope.
With a private right of action, stringent compliance requirements, and enforcement by the Washington Attorney General, companies in scope, whether traditional healthcare companies or not, will need to act with haste to achieve compliance next month. Let’s revisit the requirements of the My Health My Data Act.
Washington state’s My Health My Data Act is going into effect on March 31st, beginning a significant shift in data privacy rights. The Act introduces a broad private right of action, allowing individuals to sue companies for damages stemming from violations, without mitigation periods or procedural thresholds. With potential recoveries including actual damages, lawsuit costs, attorney fees, and treble damages, the act is poised to trigger a surge in privacy-related complaints, particularly against non-traditional healthcare providers.
In simple terms, the law applies to companies that handle health data and offer goods or services to people in Washington. It covers the collection or use of health data belonging to residents of Washington or anyone whose health data is processed within the state. Even service providers who handle consumer health data for other companies must follow certain rules outlined in their contracts. If they don’t, they could be treated as if they were subject to the law themselves. Unlike other state privacy laws, the MHMDA doesn’t set specific revenue or data subject thresholds, so organizations in all industries and all types, including nonprofits, have to abide by the MHMDA rules.
Under the My Health My Data Act, individuals gain new privacy rights, while companies face affirmative obligations regarding the collection and processing of consumer health data. Regulated entities must obtain appropriate consent before collecting or sharing health data, and selling such data without valid authorization is prohibited. The Act also mandates privacy notices, limiting communication channels, contractual terms, security measures, vendor management, and cyber insurance considerations.
Privacy advocates are expected to leverage the Act to challenge companies misusing health data or processing it without consent. Businesses in scope must ensure compliance with the Act’s requirements, especially regarding transparency via privacy notices, affirmative consent, limited communication channels, contractual terms, security measures, vendor management, and cyber insurance.
the MHMDA allows consumers to take legal action against companies if they believe the law has been broken. To win their case, consumers must show five things: that the company did something unfair or deceptive, that it happened in a business context, that it affected the public in some way, that the consumer was harmed, and that the company’s actions caused the harm. If consumers can prove all this, they can ask for a court order to stop the company from doing it again and claim damages, but the amount they can get is limited to $25,000.
The MHMDA will also be enforced by Washington’s Office of the Attorney General, which can issue fines of up to $7,500 per violation.
With the My Health My Data Act set to take effect soon, companies must act swiftly to implement compliance measures and mitigate the risks associated with non-compliance. Truyo has implemented compliance measures in our privacy tool, enabling companies in scope to confidently navigate the regulation. Reach out to hello@truyo.com to learn how we can help your organization comply today.