The Impact of Washington's My Health My Data Act

Mine Staff
Jun 7, 2023

Amidst the flurry of comprehensive state-level data privacy laws that has taken place this spring, Washington State has passed perhaps the most intriguing bill: the My Health My Data Act. The MHMDA mandates explicit user consent before health data can be collected, shared, or sold by corporations and allows individuals to withdraw consent and request data deletion at any time, which are standard data rights under the EU’s GDPR.

While the new law only covers health care data, meaning it has limited scope compared to laws like Tennessee’s TIPA and Iowa’s ICDPA, its passage is another reminder of the safeguards the public needs to protect data. 

This new regulation supplements one of the most widely-recognized data privacy laws in the U.S., the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, which passed in 1996, has started to show its age, as it doesn’t extend to many health apps and websites that routinely collect and sell health data to advertisers. 

That prompted Washington to step in with MHMDA, which obliges medical apps and websites to gain user consent for data collection transparently and communicate their intentions regarding data processing and collection, as well as barring medical providers from using geofencing for patient location data. Again, all of these are typical GDPR requirements, but it’s a relief to see them extended to America.

Growing concerns about the sharing of sensitive health information with advertisers, fueled by the rise of telehealth and recent developments in abortion rights, have become a major talking point for data privacy within the country over the past year.

The Federal Trade Commission has intensified its scrutiny of health apps and websites, leading to several penalties and admissions of unauthorized data sharing. Efforts at the national level to enhance privacy protections, with proposals such as the UPHOLD Privacy Act and the American Data Privacy and Protection Act, have even been trotted out (although unsuccessfully).

MHMDA doesn't interfere with data gathered or used according to federal and state laws, including HIPAA, UHCIA, and several others, but seeing anything passed to fill in some of the patchwork of data privacy in the U.S. is a victory.

This Act goes a bit further than existing health-privacy laws and covers all consumer health data, which is any info that can be linked to you and your past, present, or future physical or mental health status. But the state has excluded certain research data from this.

The Act becomes effective on two different dates. First, on July 23, 2023, certain uses of geofences (those invisible boundaries that notify someone when your phone enters the area) will be banned. The rest of the regulation kicks in by March 31, 2024 for most entities and by June 30, 2024 for small businesses. 

Of note, government agencies and tribal entities are exempt from the bill, as they are with other state-level data privacy regulations.

Regardless of exemptions or other areas where the law might be lacking, its introduction represents a significant development in data privacy legislation in the United States. Even as states have struggled to pass comprehensive regulations, digital health platforms have proliferated and technology has become an increasingly integral part of healthcare delivery, making safeguarding health data more crucial than ever. 

With MHMDA reinforcing the consent framework and demanding explicit permission from users before their health data can be gathered, shared, or sold, privacy professionals around the country are legitimately wondering how the bill will be enforced. Proper enforcement could signal a massive shift in how companies handle data privacy and compliance, even if the bill only covers healthcare data.

Of course, the most noteworthy aspect of the bill is its private right of action, which allows individuals to sue entities that have not complied with the regulation. As California’s amended CCPA is the only major data privacy regulation that also has a private right of action, following how MHMDA plays out will be crucial to whether other states begin including the right in their own bills, especially given data privacy’s bipartisan support among the public.

Thanks to its sweeping scope and the way it ropes companies that traditionally didn’t need to comply with HIPAA into data compliance, MHMDA is a landmark law that will likely help progress the issue of data privacy in the U.S. more than even the comprehensive state-level laws currently passing.