Join our mailing list to receive the latest updates and alerts Flag Subscribe

Main Takeaway (i.e., TLDR):

If you do business in Washington, collect or process consumer health information, and such information is not HIPAA-regulated PHI, the Washington My Health My Data Act may apply to you. In particular, retail businesses, as well as health and fitness apps, wearables, or Internet of Things (IoT) developers, should pay attention to this law. It comes into effect for most businesses on March 31, 2024 (for "small businesses,” as defined by the MHMDA, on June 30, 2024) and provides for a private right of action (meaning, it is expected to draw class action litigation claims from plaintiffs’ attorneys). Contact us (or continue reading below) to learn more about this law and its requirements.

Background

In 2021, the Federal Trade Commission (FTC) initiated a complaint against Flo Health, Inc. (Flo), the developer and operator of the Flo Period & Ovulation Tracker mobile application (Flo App). Even though it was “one of the most popular health and fitness apps available to consumers,” Flo was neither a “covered entity,” nor a “business associate” under the Health Insurance Portability and Accountability Act (HIPAA)—i.e., Flo was not subject to HIPAA, the law most consumers are familiar with when it comes to the handling of their health information. Yet, Flo collected reams of "health data" relating to its app users’ reproductive health.

In particular, according to the FTC’s complaint, Flo collected certain user “event” data that functionally amounted to information about a user’s menstruation, fertility or pregnancy (e.g., user actions that translated into snippets of information, such as “R_Pregnancy_Week_Chosen” or “P_Accept_Pushes_Period”). This event data was then conveyed to third-party marketing and analytics platforms, such as Facebook and Google.

One issue the FTC took with this conduct was that Flo represented in its consumer privacy policies that the information it shared with third parties excluded menstrual cycle and pregnancy information, and that any personal information shared with third parties could only be used by such third parties for the purposes of providing Flo services in connection with the Flo App. Flo also specifically stated in its privacy policies that Meta and Google would only receive “non-personally identifiable information.”

Even today, Meta’s terms (as posted on Nov. 12, 2023) provide that it “may correlate Event Data to people who use Meta Products . . . to determine the relevance of ads to people.” Meta will “use your Event Data” by “aggregating such Event Data with other data collected from other advertisers or otherwise collected on Meta Products” and “use Event Data to personalize the features and content (including ads and recommendations) that we show people on and off our Meta Products.” Meta may further use the data for its own “research and development purposes” and “to . . . improve the Meta Products.”

As a result, the FTC asserted that Flo’s conduct amounted to “false or misleading” statements constituting “unfair and deceptive acts or practices” in violation of the FTC Act. At the time, acting FTC Director, Andrew Smith was quoted as saying, “We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”

Fast-forward two years and the FTC kept its word. The FTC filed a complaint on February 1, 2023, against GoodRX Holdings, Inc. (GoodRX), the operator of an online platform offering telehealth services and prescription discounts for consumers. The FTC raised the same kinds of concerns it took with Flo—in particular, that GoodRX “exploited” the health information it collected to target GoodRX users with advertisements on Facebook.

Notably, however, the FTC did not just claim violations of the FTC Act. The FTC further alleged that GoodRX violated the FTC Health Breach Notification Rule (HBNR), a set of rules promulgated in 2009 to regulate health technology not otherwise covered by HIPAA. The HBNR requires vendors of personal health records, who are not subject to HIPAA, to notify individuals and the FTC of any acquisition of an individual’s unsecured health information that is not authorized by that individual. The FTC asserted GoodRX violated the HBNR by failing to notify users (and the FTC) that the users’ health information had been disclosed to Facebook and Google without their authorization.

This allegation was a first-of-its-kind, but made clear to outside observers that the FTC was willing to leverage all available means to crack down on consumer health apps that were otherwise escaping the requirements and regulatory oversight of HIPAA.

It was only a matter of time, then, before this issue became the focus for consumer protection authorities and legislatures.

On April 27, 2023, Governor Jay Inslee of Washington signed the Washington My Health My Data Act into law. Coming into effect in 2024, the My Health My Data Act (MHMDA) is intended to “close the gap” by regulating the collection of health data by apps, websites and businesses not otherwise subject to HIPAA. It provides “heightened protections” for “the most personal and sensitive categories of data collected.”

It is also the leading state law in this area, with similar laws in Nevada and Connecticut either in effect (Connecticut’s SB3 went into effect July 1, 2023) or coming into effect in the next year (Nevada SB370 goes into effect March 31, 2024).

The MHMDA is notable, however, for two reasons: (1) it has the broadest definition of “consumer health data” (i.e., businesses not otherwise subject to the laws in Nevada and Connecticut could arguably be subject to the MHMDA); and (2) it provides for a private right of action (i.e., regulated entities face the risk of class action suits and claims).

How the MHMDA Applies

The MHMDA regulates the collection, use and disclosure of "consumer health data," which is defined as, any data or information that is “linked or reasonably linkable to a consumer” and that identifies the consumer’s “past, present, or future physical or mental health status.” Notably, consumer health data does not include the data of individuals acting in an employment context.

Consumer health data may include information about an individual’s health condition, treatment or diagnosis; use or purchase of prescribed medications; reproductive or sexual health information; or seeking of healthcare services. It also may be information that is “derived or extrapolated” from non-health information, such as by means of “algorithms or machine learning.”

In short, consumer health data is an intentionally broad category of data. In its FAQ, the Washington Attorney General even affirmed that “any inferences drawn from purchases”—such as, “a retailer assigning shoppers a ‘pregnancy predication score’ based on the purchase of certain products”—is consumer health data.

The MHMDA also applies to any legal entity that:

  • Conducts business in Washington (or produces or provides products or services that are targeted to consumers in Washington); and
  • Determines the purpose and means of collecting, processing, sharing or selling consumer health data.

Certain types of personal information are excluded from the MHMDA’s coverage, such as information regulated by HIPAA, the Gramm-Leach-Bliley Act (GLBA), and the Family Educational Rights and Privacy Act (FERPA). But the only entity "types" that are exempted from the law are tribal nations or government agencies and their service providers. Nonprofits, for example, are not specifically exempted; neither are “covered entities” or “business associates,” as a rule (though, in practice, most covered entities and business associates will likely be exempt). Thus, any organization or business potentially handling Washington consumer health data needs to closely analyze their potential subjectivity to the law.

The MHMDA also provides a safe harbor for conduct that is meant to “prevent, detect, protect against, or respond to” security incidents, identity theft or fraud, “preserve” system security, or “investigate, report or prosecute” illegal actions. That said, there is no general "compliance with laws exemption," which many businesses rely on for retaining data under the California Consumer Privacy Act (CCPA). Nor is there a general exemption for exercising or defending legal claims.

What the MHMDA Requires

Organizations and businesses subject to the MHMDA (otherwise known as, "regulated entities") must take certain actions specific to the handling of consumer health data, including:

  1. Maintain a consumer health data privacy policy on its website. The policy must describe the categories and sources of consumer health data that is collected, the purposes for which such data is collected, and how the data will be used. The policy must also include a list of categories of third parties and specific affiliates with whom consumer health data is shared (as well as, the categories of consumer health data shared) and how a consumer can exercise their rights under the MHMDA.
  2. Unless the collection or sharing of consumer health data is necessary to provide a product or service the consumer has requested, obtain the consumer’s consent for collecting and sharing their health data. Notably, the MHMDA requires the regulated entity to separately evaluate its purpose for collecting consumer health data and sharing consumer health data. For example, if a regulated entity collects a consumer’s email address when the consumer purchases a product for the purposes of sending the consumer a receipt, but then shares the consumer’s email address with an outside marketing vendor who analyzes the regulated entity’s website traffic, the regulated entity may not need to obtain the consumer’s consent to initially collect the email address, but it may need the consumer’s consent to share the email address with its marketing vendor. This consent would need to be given up front and can always be withdrawn.
  3. Refrain from selling any consumer health data without first obtaining signed authorization from the consumer (this is in addition to the consent requirement discussed above). Businesses that are familiar with the requirements for “sales” under the CCPA will need to adjust their processes for the MHMDA. The consumer authorization required by the MHMDA is a document that is written in plain language and includes the signature of the consumer. It must also include certain detailed disclosures and statements required by the MHMDA. The authorization also expires one year from the date when it was signed by the consumer.
  4. Honor consumers’ rights to access, withdraw consent and delete their consumer health data. Consumers’ right of access includes the ability to confirm a regulated entity is collecting, sharing or selling the individual’s consumer health data and to access a list of third parties and affiliates with whom the regulated entity has shared or sold the data. This list must include a means (e.g., active email address) by which the consumer can contact such third parties.
  5. Restrict access and implement security controls. The MHMDA requires regulated entities to restrict access to consumer health data to those employees, processors or contractors for which access is necessary to fulfill the purpose for which the data was collected or shared. As a result, businesses who have not yet engaged in a full review of where their data resides will need to evaluate whether data mapping could be useful in this context to mitigate the risk of violating this provision of the MHMDA.
  6. Avoid health-services-related geofencing. The MHMDA prohibits constructing a geofence around any entity that provides in-person health care services for the purposes of identifying or tracking consumers seeking health care services, collecting consumer health data, or sending notifications, messages, or advertisements to consumers about their consumer health data or health care services.

The MHMDA comes into effect for most regulated entities on March 31, 2024; companies that qualify as a small business must comply with the MHMDA beginning on June 30, 2024.

Potential Consequences

As mentioned above, there are two similar laws in effect, or coming into effect, in Connecticut and Nevada. What distinguishes the MHMDA from these other laws, however, is the fact the MHMDA provides a private right of action. Plaintiffs can seek relief under the state’s Consumer Protection Act and, if successful, recover actual damages and attorneys’ fees. That said, courts are authorized, in their discretion, to award plaintiffs an amount up to three times the actual damages (with a prescribed cap). As a result, we expect plaintiffs’ attorneys to seize the opportunity afforded by the MHMDA to bring class action suits against companies in violation of the law.

Final Thoughts

If you do business in Washington, collect or process consumer health information, and such information is not HIPAA-regulated PHI, the MHMDA may apply to you. Retail businesses, e-commerce operators and mobile app developers, in particular, may need to invest time and resources into understanding how the law applies to them and what steps are needed to comply. If you have questions or wish to discuss how this law may apply to your business, please contact one of our attorneys to learn more.

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.