On June 30, 2023, the Washington Attorney General (AG) published a series of Frequently Asked Questions (FAQs) related to the My Health My Data Act (MHMDA). As we discussed previously, the MHMDA will impose new requirements on entities involved in collecting, processing, sharing, or selling consumer health data belonging to Washington residents beginning as early as March 2024. This is the first law passed in the United States that creates data processing requirements specifically for consumer health data that falls outside of the scope of the Health Insurance Portability and Accountability Act (HIPAA) (though it is no longer the only one, with Connecticut and Nevada passing copycat legislation soon after the Washington law was enacted).
The MHMDA will be enforced by both the Washington Attorney General’s office and through a private right of action under the Washington consumer protection statute. And, though the law specifically applies to “consumer health data,” its potential application and subsequent legal exposure for companies is broad, given its relatively broad definitions and coverage. Companies that previously fell outside of the scope of HIPAA for the processing of health data (such as certain health-related mobile apps) now have additional data processing obligations for which they must account. This is in addition to state comprehensive privacy laws that are increasingly regulating certain categories of health data as “sensitive” data and also adding compliance obligations for these types of companies.
In light of the described novelty, ambiguities, and potential legal exposure, the AG has provided these FAQs in advance of the MHMDA taking effect. The MHMDA does not grant the AG formal rulemaking authority (which means that the FAQs here are informal and non-binding). Nonetheless, the FAQs provide an important perspective on how the AG will interpret the law. Regulated entities should familiarize themselves with the AG’s guidance to ensure compliance with the requirements imposed by the MHMDA, especially in the areas highlighted by the AG. Additionally, though the FAQs do not necessarily bind how a court would interpret the law, it is possible that courts may also defer to the Washington AG’s various interpretations (which would make the FAQs also relevant for the law’s private right of action).
In this post, we identify notable takeaways from the Washington Attorney General’s FAQs on the My Health My Data Act. We are happy to answer any questions you may have about the MHMDA and its potential implications for your data privacy compliance program.
- Important Effective Dates. The MHMDA employs different effective dates for different provisions and categories of regulated entities. FAQ 1 of the AG’s guidance clarifies that there are three key dates relevant to regulated entities under the Act. (1) Section 10 of the Act – which prohibits geofencing by regulated entities – will go into effect on July 23, 2023. Sections 4 to 9 of the Act – which outline new requirements, obligations, and consumer rights – will take effect (2) on March 31, 2024, for all regulated entities which are not small businesses, and (3) on June 30, 2024, for small businesses, as defined by the Act.
- Broad Application to Out-of-State Entities. FAQ 3 clarifies that the Act will only apply to out-of-state entities that (a) conduct business in Washington, or produce or provide products or services that are targeted to consumers in Washington, and (b) alone or jointly with others, determine the purpose and means of collecting, processing, sharing, or selling of consumer health data. The Act will not apply to entities that only store data in Washington.
- Inferences Considered Consumer Health Data. FAQs 5 and 6 clarify that any inferences about a consumer’s health status which are drawn from nonhealth data fall under the scope of “consumer health data” as defined by the Act. For example, the purchase of toilet paper and deodorant would not ordinarily be considered consumer health data, but an app that uses such information to track a person’s digestion or perspiration is collecting consumer health data. Likewise, a pregnancy prediction score assigned by a retailer to consumers based on the purchase of certain products is protected consumer health data. This suggests that the AG interprets the Act as having an expansive definition of consumer health data.
- Clarifying the Requirement to Store Consumer Authorizations. FAQ 7 resolves a potential conflict between Sections 6 and 9 of the MHMDA – related to the storage of consumer authorizations for the sale of data. Section 9 of the Act requires any person, not just regulated entities, to obtain authorization from a consumer before selling or offering to sell their data. Both the seller and purchaser of such data are required to retain a copy of the authorization – which may include a record of consumers’ health data – for six years. Under Section 6 of the Act, consumer health data must be deleted from a regulated entity’s network upon request by the consumer. If a consumer requests deletion under Section 6, authorizations stored on file under Section 9 must be redacted to remove any information about the data sold.