Washington state's My Health My Data Act will enter into force 31 March, ushering in a new era of data privacy rights. Importantly, the MHMDA includes a broad private right of action that essentially authorizes individuals to sue a company for damages based on a violation of any of its provisions, without any mitigating cure periods and with minimal procedural thresholds. Plaintiffs could potentially recover actual damages, costs of the lawsuit, attorney's fees and certain treble damages. Consequently, there will likely be an explosion of privacy-related complaints and lawsuits related to MHMDA compliance, especially against nontraditional health care providers.

Companies that maintain adverse event reporting programs will likely be prime litigation targets. An AER program generally refers to how individuals report adverse reactions or physical injuries they suffer when using a product or equipment. For instance, personal care and consumer goods companies often monitor whether their products cause serious or unexpected injuries, such as rashes, burns, headaches or other illnesses. Similarly, manufacturers collect data on whether their equipment malfunctions and injures an operator or a bystander.

Collection of health data is often at the core of AER programs, and companies must now assess whether they are subject to the MHMDA. This new law will dramatically alter the risk profile of companies that maintain AER programs. To avoid costly litigation, regulatory action and reputational damage, they should immediately implement compliance solutions.

The MHMDA: A primer

The MHMDA is meant to ensure a person's health data is afforded the utmost privacy, especially since federal health care privacy laws only apply to a narrow set of health care industries, such as hospitals and employer-sponsored health care plans. Although the law does not apply to entities regulated by federal health care law, or to individuals acting in an employment context, it still impacts a broad range of organizations that collect and process health data.

Specifically, the MHMDA applies to any other legal entity — called a "regulated entity" — that conducts business in Washington state or produces or provides products or services that are targeted to consumers in Washington, and alone or jointly with others, determines the purpose and means of collecting, processing, sharing or selling consumer health data. It also imposes slightly less onerous obligations on "small businesses," which are essentially a subset of regulated entities with a minimal data processing footprint.

The term "consumer" has a sweepingly large definition under the MHMDA. It is defined as any Washington resident and any other individual located in Washington state who has their health data collected by a regulated entity or a small business.

The MHMDA defines "consumer health data" broadly and in a manner likely to implicate AER programs. It covers all personal information that is linked, or reasonably linkable, to a consumer and identifies the past, present or future physical or mental health status of a consumer. The law enumerates several categories of such health data, including an individual's health condition, diagnoses, diagnostic testing, treatment, medication and data that identifies an individual seeking health care services. This type of health data is often captured by consumer goods companies and manufacturers, among other businesses, who maintain AER programs.

Key requirements and compliance measures

The MHMDA grants individuals new health privacy rights and imposes affirmative obligations on companies with respect to their collection and processing of consumer health data. Specifically, regulated entities may not collect or share consumer health data, except with appropriate consent or to the extent necessary for them to provide a product or service requested by the consumer.

In addition, it is unlawful for any person, not just a regulated entity or small business, to sell consumer health data without first obtaining valid authorization from the consumer. The MHMDA defines "sell" as the exchange of consumer health data for monetary or other valuable consideration, and it could apply to the disclosure of health data derived from a regulated entity's website — chat features and online forms, for example — to third-party service providers, such as through the use of third-party cookies, pixels and tags. These types of data processing activities have served as a basis for many unlawful data processing lawsuits in recent years, and they will likely be the focal point for a new wave of claims brought under the MHMDA.

Accordingly, companies with AER programs should be prepared to address all requirements set forth in the MHMDA, especially the following key areas:

Privacy notices

The MHMDA states regulated entities must publish a "consumer health data privacy policy" on their websites, describing, among other things, the categories of health data they collect, the purpose for which it is used and with whom it is shared. This privacy policy must also inform consumers of how they can exercise their privacy rights under the law, such as the right to access their health data or have it deleted. According to the Washington Attorney General, this policy "must be a separate and distinct link on the regulated entity's homepage" and it may not include "additional information not required" under the law. It is essential that these health privacy policies align to the exact requirements of the MHMDA, as mere technical violations may serve as the basis for a legal claim.

Limited channels of communication

Privacy advocates are anticipated to initiate legal claims under the MHMDA on the basis that companies use health data for purposes unrelated to their AER programs and without proper consent, especially regarding health data collected online. To mitigate this risk, regulated entities must limit how individuals can disclose health data to them. If practicable, companies should require individuals to submit AER-related health data in writing to a designated mailing address. This will avoid the risk that such data will be submitted electronically to a company through its website and inadvertently "sold" to a third party who gathers end-user data from the site, such as through online cookies, pixels and similar online tracking technology. Alternatively, companies could allow individuals to submit AER-related health data to designated email addresses, provided these email accounts are not integrated into marketing programs or other databases that use data for purposes unrelated to the AER program.

Contractual terms

Companies should ensure their contractual terms properly address health data processing in the AER context. These terms should require consumers to represent that they have the legal authority to furnish health data to the company, warrant that they will comply with any procedures on the disclosure of health data, acknowledge the company's consumer health data privacy policy, agree that any violation of these terms by the consumer is a material breach of contract, and agree to indemnify a company, and its affiliates and service providers, for damages they incur from a breach of the terms by the consumer. In addition, when appropriate, companies should require consumers to agree to mandatory arbitration to avoid class action-based claims arising from noncompliance with the MHMDA.

Security and incident responses

The MHMDA requires regulated entities to maintain technical, physical and administrative security controls to protect the confidentiality, integrity and accessibility of health data. In addition, Washington state's data breach notification law includes health data within its scope of protected personal information. Accordingly, companies need to reevaluate their information security programs to ensure they properly classify AER-related health data — and the systems used to transmit and retain such data — as "critical" or "sensitive." They also need to ensure their incident response plans account for responding to ransomware attacks, email compromises and other incidents that could impact this health data.

Vendor management

The MHMDA requires regulated entities to execute written contracts with their service providers, or data "processors." These contracts are also important as companies can rely on them to rebut allegations of improperly "sharing" health data because the term "sharing" includes an exception related to the disclosure of such data to a data processor. In turn, companies should evaluate contracts with third-party service providers who support their AER programs to ensure they properly address the MHMDA's requirements. In the event regulated entities are relying on a service provider's online platform to collect AER-related health data, it is important to ensure there are contractual guarantees that these platforms are not using online tracking technologies that are unrelated to an AER program, such as social media and advertising pixels.

Cyber insurance

In light of the private right of action in the MHMDA, companies must understand the scope of their insurance coverage, including whether their policies expressly exempt coverage related to unlawful data collection or processing claims. Accordingly, policyholders should work with their cyber insurance broker to review their existing coverage and pose questions to their underwriters if it is unclear how the policy addresses these issues. In the event a company's insurance is not adequate, it should immediately seek to identify whether it can procure supplemental or replacement coverage to minimize the risk.

Implement compliance measures now

There are several reasons why a company may adopt an AER program, including for regulatory compliance, warranty administration, research and development, or consumer loyalty purposes. Regardless of why it has been created, the collection and retention of health data is at the core of any AER program. Therefore, the data collected in an AER program will likely be subject to the MHMDA and the significant legal risks therein for businesses conducting business in Washington or targeting its consumers. With little time remaining until the MHMDA enters into force, companies should act now to implement compliance measures to better avoid MHMDA-related privacy complaints and legal demands that will undoubtedly make their way to the courts.