Updated MHMDA Guidance Elaborates on Consumer Health Data Privacy Policy Requirements

Published: Feb. 06, 2024

On March 31, 2024, most of Washington’s My Health, My Data Act (“MHMDA”) will go into effect for all in-scope business other than small businesses. As we’ve previously blogged, the geofencing provision went into effect last July. Notably, the Washington State Attorney General released FAQs on the law, which clarified requirements for consumer health data (“CHD”) privacy policies: (1) an entity subject to the law (“regulated entity”) must include a separate and distinct link to its CHD privacy policy on its homepage, and (2) the CHD privacy policy must not contain information other than that required by the MHMDA.

  1. Link to CHD Privacy Policy. The MHMDA requires a regulated entity to “prominently publish a link to its [CHD] privacy policy on its homepage.” Updated guidance makes clear that this link “must be a separate and distinct link on the regulated entity’s homepage.” This comes in addition to links required by other state privacy laws, such as a Notice at Collection link (under the CCPA) and a link to opt out of the “sale,” “share,” and targeted ad mechanism (under various state consumer privacy laws).
  2. CHD Privacy Policy Contents. The MHMDA lists the specific information that must be included in a CHD privacy policy. The updated guidance indicates the CHD privacy policy “may not contain additional information not required under the [MHMDA].” The CHD privacy policy should thus only contain: the categories of CHD collected and the categories of sources from which it is collected, the purpose for which the CHD is collected (including how it will be used), the categories of CHD that are disclosed, the categories of third parties and “specific affiliates” to whom CHD is disclosed, and how consumers can exercise their rights under the MHMDA. 

The updated guidance does not expressly state whether a CHD privacy policy must be a standalone policy (e.g., a separate URL) or whether it may be a section of a regulated entity’s general privacy policy. The Washington State Legislature rejected a proposed amendment to the MHMDA that would have clarified this point by allowing regulated entities to include the required information in a “privacy policy” rather than a “CHD privacy policy.” Notably, the legislature did not add language expressly requiring a CHD privacy policy be a standalone policy, which it—or the AG in the FAQs—could have done if it wanted to require regulated entities to approach CHD privacy policies in this way. It is thus unclear if the Washington AG or a court would find that the CHD privacy policy must be a standalone policy or instead find that companies simply cannot scatter the required information throughout their general privacy policies. It is clear, however, that the information required for the CHD privacy policy must be all together without any ancillary information.

As the effective date nears, companies should ensure they have a compliance plan ready. The MHMDA’s broad definition of CHD may sweep in businesses that typically avoid health-related regulations, and the private right of action—in addition to AG enforcement—makes the MHMDA a risky law to ignore.