Many companies may be quick to dismiss Washington’s “My Health, My Data” (MHMD) as a health data law that does not apply to them. But there are many reasons you should think twice before disregarding this law.
First, unlike the state privacy laws that have been passed so far, MHMD applies to all companies regardless of their revenues, how much personal data they process, or what percent of their annual revenue is generated from processing or selling personal data. Also, there is no nonprofit carve-out for MHMD. So even if you process a tiny bit of health data (and see below regarding the expansive definition of what constitutes “consumer health data”), MHMD may apply.
Second, in some respects it is beyond a business’s control whether it needs to comply with MHMD. While MHMD applies to Washington residents and any “regulated entity” that “conducts business in Washington or that produces or provides products or services that are targeted to consumers in Washington,” MHMD also applies to all “natural person[s] whose consumer health data is collected in Washington.” Broadening the scope even further, “collect” is expansively defined to mean more than just the gathering of data in Washington. If you buy, rent, access, retain, receive, acquire, infer, derive, “or otherwise process” consumer health data in the state, then you must comply. Some of these verbs are extremely broad – such as “accessing,” “acquiring” and (perhaps broadest yet) “inferring” or “deriving” health data in Washington. Moreover, the catch-all “or otherwise process” should be enough to make every company scratch their head as to whether compliance is necessary. In other words, do you do anything with data that can be linked to the state of Washington in any way that could arguably be considered “consumer health data”?
Third, “consumer health data” is defined very broadly as “personal information that is linked or reasonably linkable to a consumer that identifies the consumer’s past, present, or future physical or mental health status.” MHMD does not define “mental health” or “physical health”; however, one can be sure that this broad definition of “consumer health data” includes information that companies may not ordinarily think of as health data. For example, the Centers for Disease Control and Prevention website says that mental health “includes our emotional, psychological, and social well-being” and affects “how we think, feel, and act,” as well as “how we handle stress, relate to others, and make health choices.” Does this mean that MHMD applies to all data concerning one’s emotions, psychological well-being, social well-being, how one is thinking, how one is feeling, how one is acting, how one is dealing with stress, how one is relating to others, and health choices one is making? With respect to physical health, the National Institutes of Health website talks about the following: what you put into your body, how much activity you get, your weight, how much you sleep, whether you smoke, and your stress levels. Does data regarding all of the above really constitute “consumer health data”? If so, any companies that come into contact with data concerning food or drinks, activities of any kind, anything related to one’s size/weight (such as clothing) and/or sleep may be subject to MHMD.
Indeed, just as the term “PII” was called into question in recent years because to a certain extent all data may be personally identifiable, the same may be true for WA’s expansively defined “consumer health data.” Rather than defining what is “consumer health data,” it may be easier to determine categories that are clearly outside of the definition. And because MHMD contains a private right of action, you can be sure that plaintiffs are going to assert very expansive definitions of “consumer health data” in litigations and threatened litigations.
Rothwell Figg remains committed to assisting its clients with all of their privacy, data protection, and IP needs, including litigations and threatened litigations; counselling on security breaches, data governance, AI, and IP; negotiating and drafting contracts; securing IP protection; and drafting privacy and AI policies.