(6) Purpose Limitations - Regulated entities may not collect, use, or share consumer health data for purposes that are not disclosed in their health data privacy policy. Before making a change to the way CHD is collected and processed, and before any new data processors gain access to CHD, the regulated entity must first disclose any additional purposes and obtain affirmative consent from the consumer.
(7) Do not sell consumer data without “valid authorization” from consumers - MHMD requires a form of consent called valid authorization for the “sale” of consumer health data. Similar to HIPAA authorizations, MHMD authorizations must specify the consumer health data to be sold, identify the buyer, and describe the purpose of the sale. MHMD authorizations are typically valid for one year and can be revoked at any time by consumers.
(8) Ban on Geofencing - MHMD prohibits geofencing around an entity that provides in-person healthcare services under certain conditions. The ban means that regulated entities cannot identify consumers, collect consumer health data, or send ads or notifications based on a consumer’s proximity to in-person health care services facilities for certain purposes.
4. Effective Dates and Fines
The MHMD Act has two effective dates: March 31, 2024 for larger organizations, and June 30, 2024 for organizations that qualify as a “small business” under the law.
Fines: The attorney general’s office may seek civil penalties of up to $7,500 “per violation”.
Private Right of Action: Individuals may recover damages up to $25,000, as well as costs and reasonable attorneys’ fees. MHMD’s private right of action makes it likely to become one of the nation’s most litigious privacy laws through both private actions and class action lawsuits.
Are You Ready for MHMD?
Below are steps you can take to make sure your business is ready to comply with the My Health My Data Act.
(1) Conduct a Privacy Readiness Assessment - conduct a risk assessment of what kinds of consumer health data you collect, and any sharing or “sale” of data that you may engage in.
(2) Know Your Data - identify what data you collect, which third parties have access to it, and what kind of processing you perform on consumer health data. You may want to generate a data inventory - a list or spreadsheet with all the data you collect, the kinds of processing performed on that data, and any third parties with access to your customer data.
(3) Update your health data privacy policy for MHMD - the goal here is to be transparent with your patients and customers about what data you collect about them and how that data is processed. Don’t forget to provide a link to your privacy policy on the homepage of your website.
(4) Execute MHMD-compliant processor agreements - make sure you have written agreements with your third-party data processors and software providers to ensure that consumer consent requests (like a deletion request) will flow through to their data systems.
(5) Operationalize your privacy program - select the tools you will need to implement MHMD obligations for consumers, such as implementing data subject access requests (DSARs). Common privacy tools include data mapping tools for tracking CHD collection and processing, Cookies Management Tools for tracking consumer preferences when browsing your website, and Consent Management Tools for automating DSARs.
Plexus | Feb/March 2024 | 13