Better Benefits, Compliance Confidence
Complying with Washington State’s My Health My Data Act
The My Health, My Data Act, which took effect on March 31, 2024, provides state-level protection for personal health information that is not covered by HIPAA.
In 2023, Washington state passed the “My Health, My Data” Act, which went into effect on March 31, 2024. The Act was crafted to protect personal health data that falls outside of the protections found in the Health Insurance Portability and Accountability Act (HIPAA). The Act also prevents consumers’ sensitive health data from being shared without their consent. The law applies to all “regulated entities,” defined as people and businesses that conduct business in or provide services or products to people in Washington. The law does not apply to data obtained in the course of the employment relationship.
What is consumer health data?
The Act defines consumer health data as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. Companies subject to the law must provide a notice disclosing a list of third-party partners and affiliates that receive consumer health data. The notice must also explain how consumers can access and delete their consumer health data. Covered companies must also receive consent to collect, share, or sell consumer health data. Consent may be revoked at any time.
Regulated entities must publish and maintain a Consumer Health Data Privacy Policy on their homepage that contains:
- The categories of consumer health data it collects.
- Why it collects the data and how it is used.
- The sources that are used for collection.
- What data may be shared.
- The entities data may be shared with.
- The consumer’s rights under the Act.
Consumers may request access to their own consumer health data at least twice annually free of charge. Access must be granted within 45 days of the request.
If they haven’t already, regulated entities in Washington state are encouraged to act now to comply with the Act. Specifically, regulated entities should review what consumer health data they collect and develop or review their opt-in practices, consent notices, and privacy policies.