Washington’s My Health, My Data Act: Bridging the HIPAA GAP - Clarip Privacy Blog

Washington’s My Health, My Data Act: Bridging the HIPAA GAP


On April 27, 2023, Gov. Jay Inslee signed the My Health, My Data Act (MHMD) into law. Washington State’s health data law is the first of its kind in the nation. The MHMD Act requires companies to get unambiguous consent before they collect health data, which includes everything from health conditions to location information associated with health services.

The law establishes safeguards for consumer health data collected by companies from telehealth platforms to period-tracking apps, as well as location records that could reveal visits to clinics and health-care facilities, effectively closing gaps between HIPAA and data privacy laws.

What are current HIPAA protections for consumers?

According to the regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), individuals have the right to easy access to their health information, empowering them to be more in control of decisions regarding their health and well-being. Access to health information makes for better tracking and monitoring of chronic diseases and conditions, adherence to treatment plans, finding and fixing errors in health records, and contribution to health research.

The law applies to health plans, healthcare clearinghouses, and healthcare providers who conduct certain financial and administrative transactions electronically.

Some of the key HIPAA protections for consumers include:

  • Right to Access: Individuals have the right to access their own health information, including medical records and billing records, in a timely manner, either in paper or electronic format.
  • Privacy Notice: Covered entities must provide individuals with a notice of their privacy practices, which outlines how their personal health information may be used and disclosed.
  • Consent: Covered entities must obtain written consent from individuals before using or disclosing their personal health information, except in certain circumstances, such as for treatment, payment, or healthcare operations.
  • Minimum Necessary Standard: Covered entities must limit the use and disclosure of personal health information to the minimum necessary for the intended purpose.
  • Safeguards: Covered entities must implement administrative, physical, and technical safeguards to protect personal health information from unauthorized access, use, or disclosure.
  • Breach Notification: Covered entities must notify individuals in the event of a breach of their personal health information.

Telehealth apps and smart devices have made tracking and monitoring health easier than ever. However, HIPAA doesn’t regulate all aspects of apps and websites that consumers quickly adopted to monitor fertility, fitness, sleep patterns or treatments for their chronic conditions. For example, HIPAA doesn’t cover the security of data transmitted over the internet, which is subject to other laws and regulations such as the Federal Trade Commission Act and state data breach notification laws (and now Washington’s MHMD Act).

How are Washingtonians protected under the MHMD Act?

  • Gives consumers the right to withdraw consent and request data deletion.
  • Restricts geo-fencing around health care facilities.
  • Prohibits collection and sharing of health data without consent.
  • Requires companies to provide a policy disclosing their use of data.

What businesses are required to comply with the MHMD Act?

The MHMD Act has a very broad extraterritorial scope. It applies to companies in and outside of Washington state. The law applies primarily to “regulated entities,” which means any legal entity that:

  • conducts business in Washington, or produces or provides products or services targeted to consumers in Washington;
  • alone or jointly with others determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.

The law also applies to “small businesses,” which means a regulated entity that satisfies one or both of the following thresholds:

  • collects, processes, sells, or shares the consumer health data of fewer than 100,000 consumers during a calendar year; or
  • derives less than 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares the consumer health data of fewer than 25,000 consumers.

The manner in which “consumer” is defined adds to the breadth of the extraterritorial application. In particular, consumer is broadly defined as:

  • a natural person who is a Washington resident; or
  • a natural person whose consumer health data is collected in Washington.

The definition further states that consumer “means a natural person who acts only in an individual or household context, however identified, including by any unique identifier” but that the definition “does not include an individual acting in an employment context.”

The MHMD Act adds another layer to protect Health Data

Washington State residents have another layer of protection for the use of their health data. Many organizations still have exemptions under HIPAA, Washington’s Uniform Health Care Information Act (UHCIA), the Gramm-Leach-Bliley Act, and legal entities. However, the MHMD Act gives regulators more investigative powers into possible misuses of health data. Organizations and their DPOs should have increased awareness and visibility of how data is being collected, used, and shared, and with whom.

Clarip’s Data Privacy Governance Platform ensures compliance with all consumer privacy regulations. By implementing automated data mapping with Clarip’s patented auto-tagging and categorization technologies, organizations can take the guesswork out of data minimization scenarios. Clarip takes data privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust!

Email Now:

Mike Mango, VP of Sales
mmango@clarip.com
