By Mike Hintze
Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State Legislature. Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act. The Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024). However, contrary to stated legislative intent, and due to what one can only conclude is, at least in part, a drafting error, some of the key substantive provisions of the Act may come into effect much sooner than expected - as soon as July 2023.
Read More
By Mike Hintze
The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two above-quoted defined terms – “regulated entity” and “consumer” also result in a very broad (and in some ways surprising) scope and impact.
Read More
By Mike Hintze
The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” While there are a few important exclusions, the stunning breath of that term's definition, means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act. As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law.
Read More
By Mike Hintze
The Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.
Read More