The Washington My Health, My Data Act (WMHMDA) (HB 1155) was signed into law by Governor Jay Inslee on April 27, 2023. It was designed to fill gaps left by the Health Insurance Portability and Accountability Act (HIPAA) and brings significant changes for providers of health-related products. This article provides a brief overview of the WMHMDA: the crucial first steps toward compliance, who it covers, the types of data covered, and how to prepare.
Crucial Initial Steps
The WMHMDA requires businesses to take four essential steps:
- Accountability: Conduct a detailed data mapping exercise, create a comprehensive data inventory, and establish an MHMDA-compliant privacy policy, emphasizing transparency in processing “consumer health data.”
- Data Collection: Understand how your products collect consumer health data, including forms, mobile permissions, and APIs, laying the foundation for compliance.
- Data Sharing: Map data sharing within your organization to comply with WMHMDA’s strict regulations on sharing consumer health data.
- Consumer Rights: Prepare to uphold consumers’ rights over their data, adhering to WMHMDA’s robust consent standards, including the right to confirm data collection, access, withdraw consent, and request deletion.
Who Does WMHMDA Cover?
WMHMDA applies to businesses of all sizes in or targeting Washington, with small businesses getting a compliance deadline extension until June 30, 2024. Specific criteria define small businesses, and exceptions include government entities, tribal nations, and certain contractors. Data processed under existing regulations like HIPAA, GLBA, and Washington’s medical records law is excluded.
Types of Covered Data
WMHMDA focuses on “consumer health data,” encompassing a range of information related to a Washington resident’s health status, including personal identifiers, cookies, device IDs, and IP addresses. Exceptions exist for certain data covered by other regulations.
WMHMDA Requirements
Understanding the core requirements of WMHMDA is crucial for compliance:
- Data Collection and Sharing: Entities can only collect or share consumer health data with explicit consent or when necessary for a requested service, ensuring transparency and separation of consent requests.
- Selling Consumer Health Data: Selling data requires specific consent and transparent communication about the transaction.
- Obtaining Consent: WMHMDA defines clear criteria for consent, emphasizing transparency, specificity, and voluntariness.
- Sharing with Processors: Sharing data with processors is allowed, but contractual obligations and alignment with original purposes are mandatory.
- Consumer Rights: Consumers have rights to confirm data collection, access their data, withdraw consent, and request deletion. A detailed privacy policy and robust data security practices are imperative for compliance.
Preparing for Compliance
As the compliance deadline approaches, businesses can take proactive steps:
- Identification: Determine if your entity qualifies as a regulated entity or small business under WMHMDA.
- Data Processing Assessment: Evaluate how your organization processes consumer health data, focusing on collection methods, storage practices, data sharing, and potential sales.
- Transparency Measures: Prepare MHMDA-compliant privacy policies, consent notices, and mechanisms for handling consumer rights requests.
- Vendor Collaboration: Ensure vendor agreements align with WMHMDA requirements.
- Privacy Code Scanning: Utilize privacy code scanning tools to gain real-time visibility into data practices for compliance mapping.
Frequently Asked Questions (FAQs)
a. Who is covered by WMHMDA?
- Businesses of all sizes in or targeting Washington.
b. What are the first steps to comply?
- Identify and disclose data practices, understand data collection methods, map data sharing, and be ready to facilitate consumer rights.
c. What data does WMHMDA cover?
- “Consumer health data,” including information linked to a Washington resident’s health status.
d. What does WMHMDA require regarding data collection, sharing, and consent?
- Consent is necessary for collecting, sharing, or selling data, with exceptions for security and legal purposes.
e. What are consumer rights under WMHMDA?
- Rights include confirming data collection, access, withdrawal of consent, and deletion, with secure channels for submitting requests.
Wrapping Up
In summary, the Washington My Health, My Data Act (WMHMDA) is an essential legislative development to address gaps in health data regulation. Applicable to businesses in or targeting Washington, this act imposes crucial compliance requirements, with small businesses granted an extension until June 30, 2024. Proactive steps, such as accountability exercises, transparency in consumer health data handling, and compliance preparation, are essential as the deadline approaches. Staying informed and prepared is key to navigating the evolving regulatory landscape shaped by WMHMDA.
How Can GetTerms Help?
By leveraging GetTerms and adhering to best practices, businesses can ensure data protection, build trust with customers, and avoid legal pitfalls associated with privacy law non-compliance in the United States. Stay informed, update privacy policies, and prioritize data protection for success in the digital age.