A Deep Dive into Washington State’s My Health My Data Act & New York’s Senate Bill S929 - Clarip Privacy Blog

A Deep Dive into Washington State’s My Health My Data Act & New York’s Senate Bill S929

Washington MHMDA and NY HIPA

Protecting sensitive consumer information has become a major focus for US state regulators, and the health industry is grappling with the complexities of new data privacy compliance regulations. Two noteworthy laws have come to light in this area: Washington State’s My Health My Data Act (MHMDA) and New York’s Senate Bill S929, also known as the New York Health Information Privacy Act (New York HIPA). Both reach well beyond federal frameworks such as the Health Insurance Portability and Accountability Act (HIPAA), which applies only to covered entities and their business associates.

Washington State’s My Health My Data Act

At this point, the Washington MHMDA is one of the most comprehensive health data privacy laws in the nation. It was enacted in 2023 and took effect in 2024, and it targets both traditional healthcare providers and a wide range of other entities that handle health-related data, including mobile apps and wellness services.

Broad Scope of Regulated Data

MHMDA defines “consumer health data” expansively to include:

  • Data relating to physical or mental health conditions
  • Wellness information
  • Biometric data
  • Information collected via wearable devices or health-related apps

Unlike traditional federal health privacy laws, MHMDA also applies to businesses outside the healthcare industry, such as fitness trackers and wellness applications. It does, however, exempt certain categories, including protected health information already governed by HIPAA, data used for research, publicly available information, and financial information governed under other laws such as the Gramm-Leach-Bliley Act.

Consent Requirements and Consumer Rights

One hallmark of MHMDA is its stringent consent requirements. Businesses must:

  • Obtain affirmative consumer consent before collecting or sharing health data beyond what is necessary to provide the product or service the consumer requested, and obtain a separate, signed authorization before selling it
  • Provide clear notices outlining what data is collected and how it will be used and shared
  • Enable consumers to withdraw consent easily and at any time, and honor access and deletion requests

The law also gives consumers a private right of action: a violation is treated as an unfair or deceptive act under Washington’s Consumer Protection Act, so individuals can sue entities for non-compliance. This provision increases legal exposure for businesses operating in the state.

Enforcement and Penalties

The Washington Attorney General enforces the act through the Consumer Protection Act, with civil penalties of up to $7,500 per violation in addition to the private right of action described above. While this amount is significant, it is lower than the fines outlined in New York’s S929.

New York’s Senate Bill S929

Passed by the New York State Senate on January 21, 2025, New York S929 establishes the New York Health Information Privacy Act (HIPA). New York HIPA aims to safeguard consumer health data by imposing some of the strictest requirements in the country on entities that collect, process, and share such information. The bill is currently pending Governor Kathy Hochul’s signature.

Broad Definitions of Regulated Health Information and Entities

New York HIPA expands the definition of “regulated health information” to encompass:

  • Wellness habits
  • Purchase histories
  • Payment data linked to physical or mental health
  • Inferred health data reasonably linkable to individuals

Unlike the Washington MHMDA, New York HIPA does not exempt public data, research data, or information covered under the Gramm-Leach-Bliley Act. Its scope is similarly broad for entities: it applies to any organization that processes the health-related data of New York residents or of individuals physically present in the state, regardless of the entity’s size or location.

“Strict Necessity” Standard for Data Processing

Regulated entities may only process health information when it is “strictly necessary” for an enumerated purpose, such as providing a product or service the individual requested, detecting and responding to security incidents, or complying with legal obligations. Marketing, advertising, and research activities fall outside this scope unless consumers provide explicit, revocable authorization through a detailed, standalone consent form.

Onerous Consent and Revocation Requirements

To process health information not deemed “strictly necessary,” entities must obtain prior authorization via a comprehensive form. Key stipulations include:

  • The request must be separate from other transactions and cannot be made within the first 24 hours after the individual creates an account or first uses the service.
  • Authorizations must allow granular consent for each processing activity and automatically expire after one year.
  • Consumers must have access to an easy-to-use mechanism for revoking authorization, which entities must honor promptly, and an entity may not deny goods or services because a consumer refuses or revokes it.

Enforcement and Penalties

Violations may result in civil penalties of up to $15,000 per violation or 20% of the revenue derived from New York consumers, whichever is greater. The New York Attorney General’s office is empowered to investigate and enforce compliance, making this law one of the most stringent in the nation.

The Path Ahead

As businesses navigate the implementation of these laws, they must prepare for a future in which health data privacy is a priority. Washington’s MHMDA and New York’s S929 are likely to serve as templates for other states considering similar legislation. Companies should proactively monitor legislative developments and implement scalable privacy programs that can absorb new requirements in this increasingly complex regulatory environment.

By staying ahead of these changes, businesses can not only mitigate legal risks but also build consumer trust in an era where data privacy is paramount.

A Paradigm Shift in Health Data and Consumer Privacy

Washington’s MHMDA and New York’s S929 signal a major shift in health data privacy law, emphasizing stringent consent requirements, broadened data definitions, and high penalties for non-compliance. As more states adopt similar regulations, organizations should invest in adaptable compliance strategies to address evolving consumer expectations and legal obligations. Prioritizing transparency, security, and accountability will help businesses meet these standards and foster greater trust with their consumers in a rapidly changing privacy landscape.
