What You Need to Know About Washington’s “My Health My Data” Act


David Ritter, CEO, Privacy Lock WSCA Corporate Partner


In April 2023, Washington state passed one of the nation's most stringent health data privacy laws, the My Health My Data Act (MHMD). Many consider MHMD a game-changer for privacy because of its expansive definition of consumer health data, its lack of exemptions for small businesses and non-profits, and its private right of action. Below we provide an overview of what you need to know about MHMD so that you can assess your business's compliance readiness.


1. Broad Definition of Consumer Health Data

MHMD regulates the collection, processing, sharing, and sale of consumer health data (CHD), and it defines that term very broadly. Consumer health data is personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. "Personal information" in turn means any information that "identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer." As a result, the law also reaches data that is not health data on its face but can be used to re-identify an individual and connect them to CHD, including health information derived or inferred from non-health data.


2. Who Needs to Comply with MHMD?

MHMD defines a "regulated entity" as a legal entity that does business in Washington, or targets products or services to Washington consumers, and that determines the "purpose and means of collecting, processing, sharing, or selling consumer health data." Entities are "small businesses" if they (1) collect, process, share, or sell the consumer health data of fewer than 100,000 consumers in a calendar year, or (2) derive less than 50% of their gross revenue from consumer health data and handle the consumer health data of fewer than 25,000 consumers. Small-business status only affects the compliance date; MHMD has no revenue threshold or minimum number of consumers below which it stops applying, and generally no entity-level exemptions. Small businesses and non-profits therefore become regulated entities as soon as they meet the definition above.


3. Obligations for Regulated Entities


MHMD requires regulated entities to meet a number of compliance obligations. Here are some of the key compliance obligations:




(1) Maintain a consumer health data privacy policy - The policy must be kept up to date and must disclose in detail the types of CHD collected, how that data is processed, and which third parties and processors have access to it. Regulated entities must place a prominent link to the policy on the homepage of their website.


(2) Consumer Rights and DSARs - MHMD grants consumers certain rights over their data. Consumers exercise these rights by making data subject access requests (DSARs) to the businesses that collect their health data. Under MHMD, consumer rights include the following:


• Right to Deletion
• Right to Know (Access Information)
• Right to Withdraw Consent for Collection/Sharing
• Right to Appeal
• Right to Not Be Denied Services


(3) Deletion requests and flow-down requirements - When a consumer requests deletion, the regulated entity must delete the CHD and must pass the deletion request on to every affiliate, processor, contractor, and other third party with whom it has shared that consumer's data. The exceptions to deletion under MHMD are much narrower than under other state privacy laws. The responsibility therefore rests with the regulated entity to ensure that its third-party processors actually carry out consumer requests.


(4) Maintain reasonable data security measures - Ensure that CHD is collected, processed, stored, and shared under reasonable administrative, technical, and physical security practices appropriate to the volume and sensitivity of the data.


(5) Execute data processing agreements with processors - Processors may process consumer health data only under a binding contract that sets out the processing instructions and limits the actions the processor may take with that data.

