In a groundbreaking move, Washington State has introduced comprehensive privacy laws to protect its residents’ health data. The My Health My Data Act (MHMDA) was enacted on April 27, 2023, in response to the Supreme Court’s Dobbs decision, which overturned Roe v. Wade.
This pioneering legislation aims to safeguard consumer health data, including information about attempts to obtain healthcare services, for Washington residents. Additionally, it covers other consumer health data processed within the state.
The significance of MHMDA lies in its targeting of entities not covered by the federal Health Insurance Portability and Accountability Act (HIPAA). While HIPAA protects “protected health information” collected by specific “covered entities” and “business associates,” MHMDA focuses on other businesses that handle consumer health data from Washington residents or process personal health data within the state.
These organizations may include:
- Mobile App Providers
- Wearable Device Manufacturers
- Website Providers
- Health and Wellness Trackers
- Wellness Industry Providers
House Bill 1155 Washington State
Companies considered “regulated entities” under MHMDA are subject to these new Washington privacy laws. A regulated entity is any legal organization that conducts business in Washington, or offers products or services targeted at consumers in the state, and that collects, processes, shares, or sells consumer health data.
Government agencies, tribal agencies, and contracted service providers processing consumer health data on behalf of government agencies are excluded from this definition. Notably, regulated entities can encompass not-for-profit organizations.
Under House Bill 1155, Washington state law defines a “consumer” as a natural person who is either a resident of Washington or whose consumer health data is collected or processed within the state.
Individuals acting in a household context are also considered consumers if they possess unique identifiers such as:
- Cookie IDs
- IP Addresses
- Device Identifiers
However, those operating in an employment setting are not included.
Washington State Privacy Law & HIPAA
HIPAA is a federal law that primarily serves to safeguard the privacy of individuals’ medical records and other health-related information.
It sets strict standards that govern how electronic protected health information (ePHI) is handled among various entities such as:
- Healthcare Providers
- Business Associates
Additionally, HIPAA demands that healthcare organizations implement administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of ePHI. Noncompliance with HIPAA can lead to severe consequences, including civil penalties or criminal charges.
One way in which the Washington State Privacy Law complements HIPAA is its broader definition of “covered entities.” While HIPAA exclusively focuses on organizations directly handling medical records, the Washington State Privacy Law expands its reach beyond those groups. Thus, even non-healthcare sectors that deal with the personal information of Washington residents are obligated to comply with these rules. This comprehensive approach ensures a more robust protection framework for individuals’ sensitive data, regardless of which industry they interact with.
Despite the differences in scope and application between HIPAA and the Washington State Privacy Law, both laws share a common goal: protecting an individual’s privacy. To achieve this aim, both laws require organizations to implement appropriate policies, procedures, and safeguards to protect sensitive data from unauthorized access or disclosure. In addition, covered entities must notify affected individuals of a data breach within specified time frames. These measures help create a secure environment where people can trust that their private information is being handled appropriately.