Updated MHMDA Guidance Says Non-Prescription Medication Purchases Are Not Consumer Health Data

Published: May 08, 2024

The Washington Attorney General (“WA AG”) recently updated its My Health, My Data Act (“MHMDA”) FAQs to clarify that consumer health data (“CHD”) does not include the purchase of non-prescription medication, but does include inferences about a consumer’s health based on that purchase.

Prior to this update, there was some ambiguity as to whether CHD included data about non-prescription medications. CHD is broadly defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”  This includes the “use or purchase of prescribed medication,” as well as “data that identifies a consumer seeking health care services”—and “health care services” includes the “use or purchase of medication,” not specifically “prescribed medication.” CHD also includes “individual health … treatment,” without defining whether “treatment” includes using or purchasing non-prescription medication.

In Question 8, the updated FAQ guidance asks whether “the purchase of non-prescription medication” is CHD, and states: 

“MHMD defines consumer health data to include the ‘use and purchase of prescribed medication.’ Non-prescription data is only considered consumer health data if the regulated entity draws an inference about a consumer’s health status from its purchase of non-prescription medication.”  

Notably, the guidance does not clarify how broadly this exclusion of “non-prescription data” extends. The WA AG’s choice to frame the answer within the context of the “use and purchase of prescribed medication” prong of the CHD definition may support a narrower reading. That is, the WA AG or a plaintiff bringing suit under the law’s private right of action could allege that the purchase of non-prescription medications qualifies as CHD under some other theory. But given that such purchases do not seem to fit in any other enumerated sub-category of CHD specified in the statute, a plain reading of the regulator’s answer—specifically the second sentence—indicates that the WA AG does not consider the mere fact that a consumer purchased non-prescription medication to be CHD. In sum, under the guidance, non-prescription medication purchase data is not CHD, but inferences drawn from that purchase about a consumer’s past, present, or future physical or mental health status would be CHD.

In light of this guidance, companies should carefully monitor whether they use data about non-prescription medication (e.g., purchases of such medication) related to consumers in Washington state in ways that a regulator or court could determine generate inferences about these consumers’ health conditions. This—in addition to the breadth of the statute, the sparse regulatory guidance, and the private right of action—means companies should work closely with legal counsel to evaluate their MHMDA exposure, including as it relates to non-prescription data.

Regulated entities should also regularly check the MHMDA FAQ page for changes. Updates to the FAQs are made with little fanfare, yet they may have major compliance implications.

For more on the MHMDA, please see our overview of the law and our analysis of the FAQ commentary on CHD privacy policies.