Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Law & StrategyFeaturesCybersecurityLegislationPrivacy

Washington My Health My Data Act FAQs: Data Subject Rights

By Amy de La Lama and Andrea Rastelli
April 01, 2024

On April 27, 2023, the Washington State governor signed into law the My Health My Data Act or the MHMDA. In spite of the onerous and at times confusing requirements of the MHMDA, the Washington Attorney General (AG) has only published a short set of Frequently Asked Questions to help address some of this uncertainty.

Like so many other features of the MHMDA, data subject rights are deceptively complicated and have the potential to create significant administrative hurdles to getting it right. As promised in our recent summary of the MHMDA ("MHMDA: Time to Comply"), we are examining in more detail these tricky issues in our MHMDA FAQs and have done a deep dive into data subject rights in this FAQ.

What Data Subject Rights Are Available Under the MHMDA?

The MHMDA provides consumers with the right to know/access consumer health data, the right to have such information deleted and the right to withdraw consent that had previously been granted. Organizations are also required to provide consumers with the right to appeal any denial of a request.

  • Right to Know/Access: A consumer has the right to confirm whether an organization is collecting, sharing (disclosing) or selling their consumer health data and to access such data. The information provided must include a list of all third parties and affiliates to which consumer health data has been shared or sold and an active email address or other online mechanism that the consumer may use to contact these parties. Note that this obligation does not cover service providers/processors.
  • Right to Withdraw Consent: A consumer has the right to withdraw consent to the relevant processing, sharing or sale of consumer health data.
  • Right to Delete Consumer Health Data: A consumer has the right to have consumer health data deleted from an organization's records, including archived or back-up systems. The organization must also push this request to all affiliates, processors, contractors and other third parties with whom the organization has shared the data.
  • Right to an Appeal: In addition to the primary rights described above, an organization must establish an appeals process by which a consumer can appeal the organization's decision not to grant a request (e.g., denial of an access or deletion request). If an organization subsequently denies the appeal, the response must provide a written explanation of the reasons for denying the appeal. Notably, the response also must provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Washington Attorney General to submit a complaint. The Washington AG has not yet published a dedicated mechanism for complaints, but may do so prior to the March 31, 2024 effective date. If not, an email address or phone number should be sufficient.

What Are the Timing Requirements?

  • Organizations are required to comply with the request within 45 days of receipt of the request. One 45-day extension can be applied depending on the complexity or number of the requests so long as a consumer is notified of the extension within the initial 45 day period.
  • Appeals must also be addressed within 45 days of receipt of the appeal from the consumer. No extensions are available for resolving the appeal.

Are There Exceptions?

No, there are no express exceptions to the data subject rights provided to consumers under the law. This is a significant issue that will hopefully be addressed via amendments or the regulations. There is a limited catch-all exception indicating that the obligations imposed by the law do not restrict an organization's ability to collect, use or disclose consumer health data to:

  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law;
  • preserve the integrity or security of systems; or
  • investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.

Organizations could point to these exceptions for requests for access or deletion to the extent necessary for one of the purposes listed above, but organizations that rely on this exception have the burden of demonstrating that the decision qualifies. In addition, this exception does not appear to extend to compliance with applicable law (e.g., retention requirements), a common exception in other data privacy laws. Therefore, if and until there is additional guidance provided by Washington regulators, organizations should generally work to honor data subject rights requests wherever possible or tailor any denial as narrowly as possible.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
Overview of Regulatory Guidance Governing the Use of AI Systems In the Workplace Image

Businesses have long embraced the use of computer technology in the workplace as a means of improving efficiency and productivity of their operations. In recent years, businesses have incorporated artificial intelligence and other automated and algorithmic technologies into their computer systems. This article provides an overview of the federal regulatory guidance and the state and local rules in place so far and suggests ways in which employers may wish to address these developments with policies and practices to reduce legal risk.

Is Google Search Dead? How AI Is Reshaping Search and SEO Image

This two-part article dives into the massive shifts AI is bringing to Google Search and SEO and why traditional searches are no longer part of the solution for marketers. It’s not theoretical, it’s happening, and firms that adapt will come out ahead.

While Federal Legislation Flounders, State Privacy Laws for Children and Teens Gain Momentum Image

For decades, the Children’s Online Privacy Protection Act has been the only law to expressly address privacy for minors’ information other than student data. In the absence of more robust federal requirements, states are stepping in to regulate not only the processing of all minors’ data, but also online platforms used by teens and children.

Revolutionizing Workplace Design: A Perspective from Gray Reed Image

In an era where the workplace is constantly evolving, law firms face unique challenges and opportunities in facilities management, real estate, and design. Across the industry, firms are reevaluating their office spaces to adapt to hybrid work models, prioritize collaboration, and enhance employee experience. Trends such as flexible seating, technology-driven planning, and the creation of multifunctional spaces are shaping the future of law firm offices.

From DeepSeek to Distillation: Protecting IP In An AI World Image

Protection against unauthorized model distillation is an emerging issue within the longstanding theme of safeguarding intellectual property. This article examines the legal protections available under the current legal framework and explore why patents may serve as a crucial safeguard against unauthorized distillation.