The State of Washington’s My Health My Data Act (MHMD) was signed into law on April 27, 2023. The new law is part of an effort to regulate consumer apps, services, and devices that collect health-related data from users. These products are usually not subject to the data privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) because the companies that produce them are not health care providers. The MHMD Act is an attempt to address that gap.
Though it’s a state law, MHMD is the first law of its kind in the US and is worth paying attention to due to its potential implications for the regulatory landscape. Four main aspects of the law are particularly notable:
- The law applies to all apps that collect health data irrespective of how many users they have or how much revenue they generate. This stands in contrast to general data privacy laws like the California Consumer Privacy Act (CCPA) which exempt businesses that process fewer than a minimum number of customer records or whose revenue falls below a certain threshold.
- The law defines “consumer health data” very broadly: “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status.” This definition could easily be read to include data collected by other types of apps that do not necessarily have a health-related focus.
- The law includes a private right of action for consumers to sue companies for violations. Such lawsuits would be brought under the Washington Consumer Protection Act. To prevail on such an action, a plaintiff must establish five elements: (1) an unfair or deceptive act or practice; (2) occurring in trade or commerce; (3) impacting the public interest; (4) injuring a plaintiff in his or her business or property; and (5) a causal link between the unfair or deceptive act complained of and the injury suffered.
- Perhaps most significantly, the law defines “consumer” as any “natural person whose consumer health data is collected in Washington.” That definition includes non-Washington residents as well. This is surely an intentional move by Washington legislators to give the law a national reach by flexing the state’s muscle as home to Amazon and Microsoft, the two biggest cloud providers in the world. Based on a literal reading of the law, users of any app that uses Amazon’s AWS or Microsoft’s Azure could potentially have recourse under the law even if they have no ties to the State of Washington.
For businesses in the fitness and health tech sectors, the enactment of the MHMD Act is a development to keep an eye on, as it’s not inconceivable that other states, federal agencies, or even Congress would follow suit.
