Washington and Nevada have joined the growing group of states passing laws that regulate data privacy: the Washington My Health My Data Act (“MHMDA”) and the Nevada Consumer Health Data Privacy Act (“CHDPL”), both effective March 31, 2024. Both laws are extraterritorial, and companies should be prepared to quickly assess their data privacy compliance needs.
Washington State My Health My Data Law
The MHMDA applies to two types of entities: (1) A “regulated entity,” defined as an entity that does business in the state or provides products or services to consumers in the state of Washington, and that determines the means of collecting, processing, sharing, or selling consumer health data. (2) A “small business,” meaning a regulated entity that either collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year, or derives less than 50 percent of its total revenue from the collection, processing, sale, or sharing of consumer health data and manages, processes, sells, or shares consumer health data of fewer than 25,000 consumers.
Regulated companies must be fully compliant with the MHMDA starting March 31, 2024. Small businesses have until June 30, 2024 to comply.
MHMDA regulates “consumer health data.” This is broadly defined as “personal information associated with, or reasonably associated with, a consumer that identifies the consumer’s past, present, or future physical or mental health condition.” The MHMDA was passed to cover many categories of information not already covered by other laws such as HIPAA, including information about reproductive health services and gender-affirming care, “biometric data,” “information about bodily functions and vital signs,” genetic data, and data that could “reasonably indicate that the consumer is seeking to obtain or receive medical services or supplies.”
Although not technically a comprehensive data privacy law, the MHMDA provides additional protections and gives consumers multiple rights, including the right to access their health data and to receive a list of all third parties and affiliates that receive personal data from a regulated entity. Consumers also have the right to withdraw consent from organizations that collect and share their health data and the right to delete that data. Violations of the provisions of the MHMDA constitute “unfair or deceptive practices and unfair competitive practices in trade or commerce” under the Washington State Consumer Protection Act, which is enforceable by the Washington State Attorney General. The MHMDA also provides individuals with the right to bring private actions for violations.
Regulated entities must maintain a consumer health data privacy policy and prominently publish a link to that policy on their website. MHMDA also prohibits regulated entities from collecting and using consumer health data or other data for purposes not disclosed in the health data privacy policy without first obtaining affirmative consent for the specific purpose of collection, and such data may not be shared (with limited exceptions). Regulated entities will also be required to limit access to consumer health data to necessary employees, processors, and contractors; establish, implement, and maintain reasonable data security practices; establish a consumer appeals process; and avoid retaliation against consumers for exercising their rights.
Employee data and business-to-business data are excluded from MHMDA coverage, as is data covered by the Gramm-Leach-Bliley Act, the Social Security Act, Title XI, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act.
Nevada Consumer Health Data Privacy Act
The Nevada CHDPL is similar to the MHMDA and includes equivalent rights for consumers and responsibilities for covered businesses. CHDPL applies to “regulated entities.” This means entities that (a) do business in Nevada or manufacture or provide products or services intended for Nevada consumers, and (b) determine how consumer health data is processed, shared, and sold. CHDPL does not include an exception for small businesses.
Similar to the MHMDA, regulated entities are required to:
- Create and maintain a consumer health data privacy policy
- Restrict access to consumer health data to necessary employees and processors
- Establish, implement and maintain reasonable data security practices
- Establish a consumer appeals process
- Avoid discrimination against consumers who exercise their rights
Regulated entities must obtain affirmative voluntary consent when collecting and sharing consumer health data, except to the extent necessary to provide the product or service that the consumer has requested from the business.
Under the CHDPL, consumers have rights similar to those granted under the MHMDA. These include the right to find out whether covered companies are collecting, sharing, or selling their health data; the right to access a list of all third parties with which a business shares or sells the consumer’s health data; the right to ask a business to stop collecting, sharing, and selling their health data; and the right to have their health data deleted.
However, unlike the MHMDA, the CHDPL does not provide a private right of action. Instead, Nevada’s attorney general would have the authority to bring enforcement actions.
Important points
In preparation for these two laws and the growing number of laws regulating data privacy, companies should consider whether the data they hold may be subject to these laws and how they can comply with the requirements. If applicable, companies must be prepared to publish consumer health data privacy policies by March 31, 2024 to comply with these two laws.


