Organizations of all types have important work ahead to comply with Washington state’s new My Health My Data Act, which pertains to any entity – inside or outside the state – that handles health data of consumers in the state, said Cat Kozlowski, attorney at law firm Polsinelli.
Gov. Jay Inslee on April 27 signed into law the MHMD Act, which regulates the collection, sharing and sale of consumer health data. Most of the provisions for larger regulated entities go into effect on March 31, 2024, while smaller businesses have until July 20, 2024. Provisions that prohibit the use of geofencing technology around facilities that provide healthcare services go into effect much sooner – on July 22, a mere three months after the governor affixed his signature.
“A big part of this new law is the geofencing rule,” which was in large part a response to the Supreme Court’s decision last year to overturn the nationwide right to abortion, Kozlowski said. “If you have your phone in your pocket and you’re walking around, the cell towers are picking up exactly where you are,” including when an individual is in proximity to a medical clinic, they said.
“What was happening is: As they would approach, advertisements would come to their phone via text message picking up where they are via geofencing to send targeted ads … to folks approaching abortion clinics to advise them to go elsewhere,” they said. “But geofencing is used in a lot of different respects, and this is going to impact that as well.”
Organizations that must comply with the law include “any entity that conducts business in Washington or an entity that produces or provides products or services targeted to consumers in Washington,” Kozlowski said.
“It protect residents of Washington – or someone passing through Washington. So, any national entity is going to be impacted by this law. And what they have to do is also pretty broad.”
That includes entities having to obtain consumers’ consent to share data and process data. “You have to actively get explicit consent,” they said. Individuals have the right to request that entities delete their consumer health data.
“Not only do you have to delete it, and whatever you’re actively using, you have to delete it in your backups, and you have to let anybody you’ve given this data to know about the requested deletion – and have the contract set up to make sure that happens.”
In the interview (see audio link below photo), Kozlowski also discusses:
- How the MHMD Act aims to strengthen privacy protections over sensitive health data;
- The types of information that falls under MHMD Act’s “very broad” definition of consumer health data;
- How the new MHMD compares with HIPAA and other states’ privacy laws.
Kozlowski is counsel at Polsinelli and a member of the law firm’s technology transactions and data privacy practice group. They have more than a decade of legal experience, with a current focus primarily on HIPAA, General Data Protection Regulation, and state privacy law compliance, and provide strategic counsel on issues related to operational and transactional matters in digital health entities.