The Matrix

Does MHMD apply to my entity?

MHMD applies companies and non-profits that control “consumer health data” and do not fall within the exceptions noted below.  “Consumer health data” is personal information that is linked or reasonably linkable to a Washington state resident or a person whose consumer health data is collected in Washington, and the personal information identifies the consumer’s past, present or future “physical or mental health status.”  “Physical or mental health status” is broadly defined and includes, but is not limited to:

• Individual health conditions, treatment or diagnosis;
• Social, psychological, behavioral, and medical interventions;
• Use or purchase of prescribed medications;
• “Bodily functions,” symptoms or measurements of health conditions;
• Biometric data, which is data that is generated from the measurement, or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data;
• Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; and
• Data that identifies a consumer seeking health care services, which means any service provided to a person to access, measure, improve, or learn about a person’s mental or physical health.

A variety of information is exempt under MHMD.  The law does not apply to:

• Protected health information under HIPAA;
• Certain health information relating to existing Washington state laws related to health care and insurance;
• Certain approved peer-reviewed research; and
• Personal information governed by and collected, use or disclosed pursuant to:
  • Gramm-Leach-Bliley Act and implementing regulations;
  • The Fair Credit Reporting Act; and
  • The Federal Educational Right and Privacy Act.

The law also exempts the collection, use, or disclosure of consumer health data to:

• prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that it is illegal under Washington state law or federal law;
• preserve the integrity or security of systems; or
• investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.

The law also does not apply to employees and business to business data.  The law also does not apply to de-identified data or publicly available information, which is information that is lawfully made available through government records or widely distributed media.

Are entities required to post a “health data privacy policy”?

Yes, if the entity controls consumer health data.  The policy must disclose:  (a) the categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used; (b) the categories of sources from which the consumer health data is collected; (c) the categories of consumer health data that is shared; (d) a list of the categories of third parties and specific affiliates with whom the entities shares the consumer health data; and (e) how a consumer can exercise the rights discussed below.

What restrictions exist concerning processing consumer health data?

• Collecting Consumer Health Data: Entities cannot collect consumer health data except:  (a) with specific, informed consent from the consumer for such collection for a specified purpose prior to the collection, or (b) to the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested.
• Sharing Consumer Health Data: To share consumer health data, an entity needs separate, informed consent allowing such sharing prior to the sharing, or, again, if the sharing is necessary to provide a product or service the consumer has requested.

Notably, the above consent must clearly and conspicuously disclose the categories of consumer health data collected or shared, the purpose of the collection or sharing of the data, the categories of entities with whom the data is shared, and how the consumer can withdraw consent.

• Selling Consumer Health Data: Entities need separate and distinct written “valid authorization” from the consumer prior to selling or offering to sell consumer health data.  The valid authorization must contain: 
  • the specific consumer health data intended to be sold;
  • the name and contract information of the personal collecting and selling the consumer health data;
  • the name and contact information of the person purchasing the consumer health data,
  • a description of the purpose for the sale;
  • a statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
  • a statement that the consumer has a right to revoke the valid authorization at any time and a description of how to submit a revocation of the valid authorization;
  • a statement that the consumer health sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected;
  • an expiration data for the valid authorization that expires one year from when the consumer signs the valid authorization; and
  • the signature and date.

The seller and purchaser of consumer health data must retain a copy of all valid authorizations for sale of consumer health data for six years from the date of its signature or the date when it was last in effect, whichever is later.

Does an entity processing consumer health data need to honor consumer rights?

If an entity collects, shares or sells consumer health data, a consumer may:

• Request access to consumer health data, including receiving a list of all third parties and affiliates with whom you have shared or sold the data and an active email address or other online mechanism to use to contact those entities;
• Withdraw consent for the collection and sharing of consumer health information; and
• Request that consumer health data be deleted, and the entity must delete the data from its records (including archived and backup systems, although that deletion may be delayed), notifying all affiliates, processors, contractors and other third parties with whom the entity has shared consumer health data of the deletion request.

Entities are supposed to establish a secure and reliable means for consumers to file the request and identify it in the health data privacy policy.  Entities must comply with the requests within 45 days of receipt, which may be extended once by 45 additional days when reasonably necessary provided that the entity informs the consumer within the original 45-day response period.  If the entity is unable to authenticate the request, it is not required to comply with the request and may request additional information reasonably necessary to authenticate the consumer and the request.  The entity also is required to establish a conspicuously available appeals process, and shall inform the consumer in writing of the action taken or not taken in response to the appeal within 45 days of receipt of the appeal.  If the appeal is denied, the entity must provide the consumer with an online mechanism or other method through which the consumer may contact the Washington Attorney General to submit a complaint.

What are processors of consumer health data required to do?

Entities that process consumer health data on behalf of data controllers must have a binding contract with the controller that sets forth the processing instructions and limits the actions the processor may take with respect to the data. The processor must act consistently with the binding instructions in the contract.  In addition, processors that receive notice of a consumer’s deletion request are required to honor the requests.

When does my entity need to comply with MHMD?

MHMD applies generally to entities on March 31, 2024.  If the entity processes the consumer health data or fewer than 100,000 consumers per calendar year, or derives less than 50% of its gross revenue from the processing of consumer health data, or shares consumer health data of fewer of 25,000 consumers (called a “small business” in MHMD), the entity must comply by June 30, 2024.

What are the consequences of non-compliance?

Like other state privacy laws, the law is enforceable by the state attorney general.  However, notably, MHMD also includes a private right of action allowing private plaintiffs to bring action under MHMD as unfair or deceptive acts under the Washington Consumer Protection Act (“WCPA”). MHMD does not provide for statutory damages. The WCPA allows a plaintiff to recover actual damages, including treble damages not to exceed $25,000, injunctive relief and attorneys’ fees. RCW 19.86.090.  Litigation undoubtedly will determine to what extent plaintiffs will need to allege specific harm to plead a viable claim under MHMD.