InfoBytes Blog
Washington releases FAQs for My Health My Data Act
On June 20, the Washington attorney general published a series of Frequently Asked Questions (FAQs) related to the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data (covered by InfoBytes here). The FAQs include information on the law’s effective dates and applicability. According to the AG, “all persons, as defined in the Act, must comply with section 10 beginning July 23, 2023. Regulated entities that are not small businesses must comply with sections 4 through 9 beginning March 31, 2024. Small businesses, as defined in the Act, must comply with sections 4 through 9 beginning June 30, 2024. For sections 4 through 9, the effective dates apply to the entirety of the section and are not limited to the subsections in which the effective dates appear.” Additionally, the FAQs clarify that a business that is covered by the Act must provide a link to its consumer health data privacy policy on its homepage.
The FAQs also address a potential conflict between Sections 6 and 9 of the Act regarding the right to delete and consumers’ authorizations to sell data, respectively. Section 9 mandates that any person, not just regulated entities, must obtain consumer authorization before selling or offering to sell their data. Both the seller and purchaser are required to retain a copy of the authorization, which may contain consumer health data for six years. However, Section 6 stipulates that consumer health data should be deleted from a regulated entity’s network upon the consumer’s request. The FAQs advise that in cases where a consumer requests deletion under Section 6, any authorizations stored under Section 9 must be redacted to eliminate any information related to the data that was sold.