Organizations subject to the Washington State My Health My Data Act (generally any organization with physical premises in Washington, and many organizations without it) are preparing for compliance by March 31, 2024. And should, in addition to the overall compliance requirements and immediate action items, be aware that the Washington Attorney General updated its guidance on the requirements for a consumer health privacy policy.
Section 4(1)(b) of the My Health My Data Act explicitly provides that “[a] regulated entity and a small business shall prominently publish a link to its consumer health data privacy policy on its homepage.” The Attorney General guidance now interprets this statutory requirement to mean that “the Consumer Health Privacy Policy must be a separate and distinct link on the regulated entity’s homepage and may not contain additional information not required under the My Health My Data Act” (emphasis added).
Outlook
So while the statue does not expressly require the consumer health data privacy policy to be standalone or to be specifically called “consumer health data privacy policy”, per the new guidance, regulated entities drafting disclosures to comply should consider staying close to the My Health My Data Act requirements and terminology and post a standalone link and consumer health privacy policy on each website where any personal information is collected. Adding another link to website footers may not be welcomed by organizations, but would be required to follow the Washington Attorney General guidance.
