By Mike Hintze
This article is the first in a sequence of blog posts exploring the now-ratified Washington My Health My Data Act. Part 1 of the series offers an initial overview, and subsequent posts investigate individual components and implications of the Act in greater depth.
The ongoing blog series will delve more deeply into individual aspects of the Act and the issues it raises, including the broad scope of “Consumer Health Data,” the wide spectrum of Regulated Entities and Consumers encompassed by the Act, the confusion around effective dates, mandatory and onerous consent requirements, consumer rights, the scope and treatment biometric data, the unusual notice obligations, a comparison between MHMDA and HIPAA, the prohibition in certain geofencing, and other topics.
It’s noteworthy that this blog series began prior to the Act’s formal enactment. Now enacted, the Washington My Health My Data Act stands as a milestone in privacy legislation for 2023. It is arguably the most impactful privacy legislation since the original California Consumer Privacy Act (CCPA) was passed in 2018.
Purportedly, the Act was aimed to protect health data not covered by HIPAA, the federal law preserving the privacy of health data managed by defined “covered entities.” However, the Act deviates significantly from HIPAA, presenting a broader scope of data and imposing rigorous obligations that go beyond what is required by HIPAA. This divergence manifests significant discrepancies in how personal data is to be managed between HIPAA-covered entities and other types of entities.
The Act’s extensive jurisdiction, formidable substantive duties, combined with its ambiguously defined terms, and a full private right of action pose a considerable challenge and risk for entities striving to conform to its regulations. The Washington My Health My Data Act, through its magnitude and complexity, is not merely filling gaps but is redefining the landscape of health data privacy.
