Washington state’s My Health My Data Act (MHMD) regulates the collection, sharing, selling, and other processing of “consumer health data.”

Overview

Because of its potentially broad scope and private right of action, MHMD is expected to have national implications and may be one of the most significant American privacy laws enacted in recent years. The Act’s definition of consumer health data could be construed to cover a wide swath of activity, including the processing of data in connection with fitness and wellness services. Certain portions of the law come into effect as early as July 2023, which creates additional urgency for companies to assess their compliance obligations.

Perkins Coie’s Privacy & Security lawyers have extensive experience counseling clients on compliance with privacy laws as well as deep experience litigating in Washington courts, positioning us to provide valuable insights on the implications of MHMD. We work with clients to assess their data practices with respect to “consumer health data” and to identify and remediate any compliance gaps. Our Chambers-ranked Band 1 Privacy Litigation practice plays a crucial role in helping clients to avoid litigation and regulatory enforcement.

My Health My Data—It's Broader Than You Think

Now is the time to learn about Washington’s groundbreaking My Health My Data Act (MHMD) to ensure compliance and mitigate litigation risk. MHMD increases these risks for most entities that collect, use, or store an expansively defined universe of “consumer health data” and will become fully effective on March 31, 2024 (and June 30 for small businesses).

Demystifying Washington State’s My Health, My Data Act

Lawyers in our Privacy & Security practice provide a comprehensive overview of MHMD, its associated obligations, and its profound impact and extensive reach.

Overview of MHMD:

Who Does The Law Regulate?

MHMD imposes obligations on “regulated entities” and “small businesses.” Regulated entities are those that conduct business in Washington or produce or provide products or services that are targeted to consumers in Washington and that determine the purposes and means of processing consumer health data (similar to the concept of “controllers” under other privacy laws). Small businesses are regulated entities that meet certain statutory thresholds (based on total revenue and the number of consumers whose data the entity processes) and are given more time to come into compliance with the law. The law also imposes obligations on processors that process consumer health data on behalf of regulated entities and small businesses.

Who Does The Law Protect?

MHMD protects “consumers,” which is defined as natural persons who reside in Washington or whose consumer health data is collected in Washington. The definition of “consumers” is limited to individuals acting in an individual or household context and expressly excludes those acting in an employment context.

What is Consumer Health Data?

The law protects “consumer health data,” which is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” The law also provides a nonexhaustive list of examples of “physical or mental health status,” including:

  • Individual health conditions, treatment, diseases, or diagnosis.
  • Social, psychological, behavioral, and medical interventions.
  • Health-related surgeries or procedures.
  • Use or purchase of prescribed medication.
  • Bodily functions, vital signs, symptoms, or measurements.
  • Diagnoses or diagnostic testing, treatment, or medication.
  • Gender-affirming care information and reproductive or sexual health information (both defined to include “efforts to research” such services).
  • Biometric data (defined as data that is generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics that identifies a consumer and specifically includes imagery of the face and voice recordings from which an identifier template can be extracted, among other things).
  • Genetic data (defined as any data, regardless of its format, that concerns a consumer’s genetic characteristics).
  • Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.
  • Data that identifies a consumer seeking “healthcare services,” which means any service provided to “assess, measure, improve, or learn about a person’s mental or physical health” and includes, among other things, the use or purchase of medication.
  • Any information that a regulated entity or small business, or their respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).

The law carves out (1) information regulated under other sectoral privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Federal Education Rights and Privacy Act (FERPA), and the Fair Credit Reporting Act (FCRA), in addition to various Washington state laws; (2) information in public or peer-reviewed scientific, historical, or statistical research in the public interest; (3) publicly available information; and (4) de-identified data. It is important to note that the HIPAA exception is limited in scope and applies only to “protected health information” subject to that Act, rather than serving as a blanket exception from any data collection or processing activity on behalf of a HIPAA-covered entity. As the definition of “consumer health data” is so much broader than the definition of “protected health information,” this exception will be of limited use to companies or data elements that are outside the scope of HIPAA.

What Does The Law Require?

  • Notice. Regulated entities and small businesses are required to maintain a consumer health data privacy policy that includes disclosures on topics similar to those required under omnibus privacy laws in other states but specific to consumer health data. The law sets forth a list of required elements for these notices.
  • Consent. MHMD requires prior opt-in consent for the collection of consumer health data, except insofar as the processing is “necessary” to provide a product or service that the consumer requested. The law also mandates a separate consent before sharing (defined to include most disclosures other than to service providers) such data. These obligations will force companies to carefully consider whether their collection and sharing practices are necessary to provide a product or service and/or to adopt or update consents for such processing.
  • Honoring consumer privacy rights. Similar to omnibus privacy laws in other states, MHMD grants a series of privacy rights to consumers, including the rights to access and delete their health data and to appeal an organization’s refusal to honor a rights request. The law also prohibits an organization from discriminating against consumers for exercising their rights. The law reflects narrower exemptions than other state privacy laws for responding to these rights, potentially requiring organizations to update existing data subject rights request procedures.
  • Security. MHMD requires regulated entities and small businesses to establish, implement, and maintain administrative, technical, and physical data security practices. The law also requires the implementation of need-to-know access restrictions for consumer health data that are more stringent than the security standards set out in omnibus privacy laws of other states.
  • Data protection agreements. Processors can only process consumer health data pursuant to a binding contract with the regulated entity or small business that sets out processing instructions and limits the actions the processor may take with respect to the consumer health data.
  • Authorization required for sales. Regulated entities and small businesses are required to obtain valid authorization from consumers prior to selling or offering to sell consumer health data. “Sale” is defined as the exchange of consumer health data for monetary or other valuable consideration. The law sets out specific requirements for the contents of this authorization, including the name and contact information of the purchaser of the data. Authorizations must be separate and distinct from any other consents provided by the consumer to collect or share consumer health data, and they expire after one year. The authorization requirements are so stringent that they potentially act as a bar to selling consumer health data.
  • Geofencing restrictions. MHMD prohibits implementing a geofence within 2,000 feet of the perimeter of an entity that provides in-person healthcare services if the geofence is used to (1) identify or track consumers seeking healthcare services; (2) collect consumer health data; or (3) send notifications, messages, or advertisements to consumers about their consumer health data or healthcare services.

When Does The Law Take Effect?

The majority of the obligations imposed by MHMD will take effect on March 31, 2024, although small businesses have until June 30, 2024, to comply. Restrictions related to geofencing take effect this year on July 23, 2023. Some provisions of the law are ambiguous in their effective date and can also be read to take effect in July 2023 (e.g., the obligation to obtain consent prior to sharing consumer health data and the individual’s right to delete such data), though it appears that the statutory intent was for them to take effect beginning in March 2024.

Who Can Enforce The Law, And What Are The Penalties?

Both the Washington attorney general and private plaintiffs may enforce the law through an action under the Washington Consumer Protection Act (WCPA). Private plaintiffs may recover actual damages (which may be trebled up to $25,000) and, if successful, their costs and reasonable attorneys’ fees, and may also seek to enjoin future violations. Due to the WCPA’s private right of action and availability of attorneys’ fees, there is significant risk of future class action activity. The attorney general’s office may seek civil penalties of up to $7,500 “per violation” (which may be enhanced for certain violations) and injunctive relief, and the prevailing party in any such suit may recover its costs and reasonable attorneys’ fees.