This pioneering legislation aims to safeguard Washington residents' personal information relating to consumer health data and to their attempts to obtain healthcare services. Additionally, it covers other consumer health data processed within the state.
The significance of MHMDA lies in its targeting of entities not covered by the federal Health Insurance Portability and Accountability Act (HIPAA). While HIPAA protects “protected health information” collected by specific “covered entities” and “business associates,” MHMDA focuses on other businesses that handle consumer health data from Washington residents or process personal health data within the state.
These organizations may include:
- Mobile App Providers
- Wearable Device Manufacturers
- Website Providers
- Health and Wellness Trackers
- Wellness Industry Providers
House Bill 1155 Washington State
Companies considered “regulated entities” under MHMDA are subject to these new Washington privacy laws. A regulated entity is any legal organization conducting business in Washington or offering products or services targeted at consumers in the state that collect, process, share, or sell consumer health data.
Government agencies, tribal agencies, and contracted service providers processing consumer health data on behalf of government agencies are excluded from this definition. Notably, regulated entities can encompass not-for-profit organizations.
Under House Bill 1155, Washington state law defines a “consumer” as a natural person who is either a resident of Washington or whose consumer health data is collected or processed within the state.
Individuals acting in a household context are also considered consumers if they possess unique identifiers such as:
- Cookie IDs
- IP Addresses
- Device Identifiers
However, those operating in an employment setting are not included.