My Health My Data Act – What you need to know
In April 2023, Washington Governor Jay Inslee signed the My Health My Data Act into law. The act is much broader in scope, and its requirements more comprehensive, than the federal Health Insurance Portability and Accountability Act (HIPAA), and it targets the health data that HIPAA does not cover.
Businesses must comply with the law from 31st March 2024, while small businesses have until the end of June 2024 to come into compliance. Some parts of the law, however, may take effect much earlier. A separate article takes a deeper dive into when the law becomes effective.
The My Health My Data Act (MHMDA) is enforced by Washington’s Office of the Attorney General, which may pursue violations under the state’s Consumer Protection Act. It is also enforceable through a private right of action.
Here are important takeaways for both businesses and consumers.
Scope of Data
Consumer Health Data – “Personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status.”
Consumer Consent – “Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (the same definition as in the GDPR)
Collection of Data – "buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner."
The categories of data covered by the MHMDA definition of consumer health data:
General health data
Information about interventions
Health-related data
Gender-affirming care information and services - PI-related searches for "past, present, or future gender-affirming care services.” This includes the use of such products and services.
Reproductive or sexual health information - PI-related searches for "past, present, or future reproductive or sexual health services.” This includes the use of such products and services.
Biometric data - "Generated from the measurement or technological processing of an individual's physiological, biological, or behavioural characteristics. It can identify a consumer individually or in combination with other data.” The definition does not expressly exclude photographs, and it does not require that the information actually be used to identify an individual.
Genetic data - "concerns a consumer’s genetic characteristics."
Precise location information - Data that can "reasonably indicate a consumer's attempt to acquire or receive health services or supplies."
Important inclusions under the scope of MHMDA
Online searching and browsing behaviour counts as consumer health data: any inferences drawn from it, or "data that identifies a consumer seeking health care services”, falls within the definition.
Data derived from non-health data that can be used to identify consumers in the context of health data also falls under the scope of the MHMDA.
Data collected from fitness and health tracking applications and devices, such as bodily functions, vital signs, measurements, etc., may fall into the scope of the act.
Exclusions
Deidentified data and publicly available information are outside the scope of the act. However, biometric data collected without consent cannot be treated as publicly available information.
Employee data and business-to-business data are excluded from the scope of MHMDA.
Research data is excluded where the research is conducted in the public interest and meets defined safeguards; the act does not cover PI "used to engage in public or peer-reviewed scientific, historical, or statistical research."
Scope of applicable Businesses
Health Care Services – “Any service provided to a person to assess, measure, improve, or learn about a person's health”.
The scope of MHMDA is broad and easy to grasp. The size of the business is not a factor. Instead, the act applies to any legal entity that:
Conducts business in the state of Washington (including non-Washington residents who interact with businesses based in the state)
Produces products targeted at consumers in Washington.
Provides services targeted at consumers in Washington.
Determines the purpose and means of collecting, processing, sharing, or selling consumer health data.
However, government agencies (including contracted service providers working on their behalf) and tribal nations dealing with consumer health data are outside the scope of this act.
A business qualifies as a small business if it:
processes consumer health data of fewer than 100,000 consumers during a calendar year, or
derives less than 50 percent of its revenue from processing consumer health data and processes consumer health data of fewer than 25,000 consumers.
The small-business definition matters for the compliance date: small businesses have until the 30th of June 2024 to comply with the act.
Consumer rights
Under MHMDA, consumers have the following rights:
Right to access their health data (including lists of third-party affiliates who receive data from the business in question, with contact information)
Right to withdraw consent to collection and sharing
Right to delete their data (extends to third parties)
It is important to note that MHMDA requires opt-in consent for the collection and sharing of health data. When consent is obtained, the following must be disclosed:
- The categories of data collected or shared
- The purpose of the collection or sharing
- The entities with which the data will be shared
- How consumers can exercise their right to withdraw consent from future collection or sharing
Business Requirements
Maintain a comprehensive, easy-to-access, and navigate privacy policy.
Refrain from collecting, using, or sharing consumer health data for purposes not disclosed in the privacy policy, and in particular never do so without first obtaining affirmative, fully informed consent.
Refrain from collecting consumer health data without consent for the specific purpose of collection.
Refrain from collecting consumer health data unless it is necessary to provide a product or service the consumer has requested.
Refrain from sharing such data without specific consent for that sharing.
Refrain from sharing such data unless it is necessary to provide a product or service the consumer has requested.
Restrict access to health data within the business to only those who require it to fulfill the requirements of the consumer.
Appropriate procedures should be in place to protect the health data collected.
Refrain from selling health data without signed consent from the consumer. This consent is separate from any consent previously obtained, and providing the product or service must not be conditioned on the consumer consenting to the sale. Consent to a sale must disclose the following:
- The data being sold
- The buyer's information
- The purpose of the sale
Refrain from using geofencing to identify or track potential health care consumers.
Refrain from using geofencing to send health care promotional messages, ads, and the like to consumers and potential consumers.