On April 27, 2023, Washington’s Governor signed Washington’s My Health, My Data Act (“WMHMDA” or “Act”). Beginning March 31, 2024, most entities subject to the Act will have certain obligations towards consumer health data,[1] including providing consumers with the right to access their information, withdraw their consent to certain processing, and request the deletion of their information. While the Act was promoted as a measure to help protect reproductive and gender affirming care, its scope goes beyond those discreet issues.*
The WMHMDA purports to regulate any entity that conducts business in Washington state, or produces or provides products or services targeted at consumers in Washington, and “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.”
While some assume that “consumer health data” refers to health-related information collected by medical practitioners, the Act uses the term to refer to non-HIPAA regulated information that is linked (or linkable) to an individual and that identifies their “past, present, or future physical or mental health status.”[2]
The Act provides as an example of consumer health data, information that might “identify” a consumer seeking a service to “improve, or learn about a person’s mental or physical health.”[3] As a result, organizations that traditionally don’t consider themselves to be collecting health data, such as grocery stores, newspapers, dietary supplements providers, and even fitness clubs, are uncertain whether the Act may be interpreted to apply to them to the extent that someone seeks out such companies either for information about health, or to improve their health.
While the scope of the Act is broad and may encompass a multitude of business activities, the Act also identifies 33 exemptions from its coverage. The following table explains and summarizes each exemption:
