The My Health My Data Act (MHMDA) is a privacy law enacted by the state of Washington to improve protections for consumers' personal health data. According to the Washington State Attorney General, “The My Health My Data Act is the first privacy-focused law in the country to protect personal health data that falls outside the ambit of the Health Insurance Portability and Accountability Act, or HIPAA…The Act was developed to protect a consumer’s sensitive health data from being collected and shared without that consumer’s consent.” The MHMDA extends protections to a broader range of businesses, including apps and websites that collect health-related information but are not bound by HIPAA.
The MHMDA places consent at the forefront of its privacy framework by requiring opt-in consent from consumers before collecting or sharing their health data. The consent must be a clear affirmative act that is freely given and fully informed. The MHMDA also prohibits obtaining consent through general terms of use agreements. Because the MHMDA fills gaps in HIPAA rather than replacing it, this consent requirement supplements HIPAA's rules with further consent guidelines while still promoting compliance through means like the use of HIPAA-compliant email.
Preemption clauses in proposed federal privacy legislation generally aim to establish a uniform national standard, potentially overriding more stringent state privacy laws like the MHMDA. However, recent trends suggest that some federal bills include savings clauses that preserve certain state laws, particularly those related to health privacy. For example, the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA) have listed various types of state laws that would be exempt from preemption, including those protecting health information. This means that even if a comprehensive federal law is enacted with preemption provisions, specific aspects of MHMDA, such as its strict consent requirements for consumer health data, might still remain enforceable due to these exemptions.
HIPAA provides a legal framework for protecting the confidentiality, integrity, and availability of protected health information (PHI).
Generally, no. PHI may be disclosed only with written consent from patients or their guardians, or without consent under specific circumstances such as a court order or a legal requirement (e.g., public health threats).
Patients have the right to review and obtain copies of their PHI from covered entities' designated record sets.