Diving into the Washington My Health My Data Act
This is Part Six in a series of legal updates on the Washington My Health My Data Act (“WMHMDA”) in which Quarles continues its deep dive into the various factors and intricacies of WMHMDA that are creating waves in the privacy space – and not just for the health and life sciences industry.
Catch up with the WMHMDA summer series: We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in:
- Washington Poised to Transform Consumer Health Data Landscape with Passage of My Health My Data Act
- Part One: What Regulated Entities are Subject to WMHMDA
- Part Two: Consumers Covered by WMHMDA
- Part Three: Broad Scope of Consumer Health Data
- Part Four: Geofencing Requirements
- Part Five: Consent and Authorization Requirements
- Part Seven: Biometric Data
- Part Eight: Individual Rights
- Part Nine: Enforcement and Private Right of Action
- Part Ten: Operational Realities and Next Steps
- Part Eleven: HIPAA vs. WMHMDA (for table lovers)
- Part Twelve: Washington AG Guidance
- The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;
- The categories of sources from which the consumer health data is collected;
- The categories of consumer health data that is shared;
- A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
- A description of how a consumer can exercise the rights provided in WMHMDA (we will discuss this more in part eight of this series).
- A list of specific affiliates with whom consumer health data is shared. Note that WMHMDA requires listing specific affiliates, not merely categories of affiliates; categories are what we are used to seeing in other state comprehensive privacy laws (e.g., CCPA).
Notes from Quarles
Regulated entities must have consumer health data privacy policies posted by March 31, 2024 (June 30, 2024 for small businesses). Now is the time for regulated entities to consider appropriate methods to meaningfully convey the categories of consumer health data and purposes for collection, use, and sharing (without conflicting with existing website privacy policies or notices of privacy practices).
Eager to explore new ways to avoid the burn? In Part Seven, we will look closer at biometric data collection under WMHMDA. We will also address the Washington Attorney General’s first set of FAQs (released June 30) in a forthcoming update. Until then… turn on your grill and reapply!