LOGIN Request a call


May 2023: Washington State Enacts First Health Data Protection Law in US

17 May


Update Applicable to:

All businesses that collect consumer health data of citizens in the state of Washington.

What happened?

On April 27, 2023, Governor Inslee passed the “My Health My Data Act” (“MHMDA”) into law, which new restrictions on the collection and disclosure of “consumer health data” by companies in Washington or that is related to Washington residents.

What are the details?

Effective March 31, 2024, the MHMD Act applies to any entity that conducts business in Washington or that targets products or services to Washington consumers and makes decisions about the processing of Health Data. There is no minimum number of consumers whose data is processed or any revenue thresholds that trigger applicability; the scope includes small businesses and nonprofit organizations. “Consumer” includes both Washington residents whose Health Data is collected and any other individual whose Health Data is collected in Washington – but not individuals acting in an employment context.

The MHMD Act focuses on information not covered under the Health Insurance Portability and Accountability Act (HIPAA). Health Data under the MHMD Act means personal information that is “linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” The MHMD Act specifies that this definition includes:

  • “Biometric data,” which itself is defined broadly and includes voice recordings if an identifier template could be extracted
  • “Social, psychological, behavioral, and medical interventions”
  • “Reproductive or sexual health information”
  • “Bodily functions, vital signs, symptoms, or measurements of” Health Data

Though the MHMD Act is thought to have been enacted to protect data related to reproductive health, the far-reaching applicability combined with broad definitions mean that the MHMD Act could apply in ways with little nexus to the law’s intent. Some examples of businesses potentially covered by the MHMD Act include:

  • A retailer that sells products such as over-the-counter medications, first aid items, feminine products or birth control – even if these sales are a small part of their business (such as hotel gift shops, the corner store, the grocery store)
  • A fitness studio that collects information about injuries experienced by participants in a class or tracks individuals’ fitness progress.
  • A business that collects any Health Data on its website and allows AdTech companies to embed pixels that track engagement for the ads.
  • A mobile app business that facilitates tasking third parties to shop for and deliver products from the above-mentioned retailer.
  • A business that sells a wearable fitness product (e.g., a watch or ring)

Below are several hyperlinks from one of our trusted sources, Holland & Knight, which provided more information on specific topics:

Requirements and Restrictions


Potential Impact

For more information, please see the links below:

“My Health My Data Act” (“MHMDA”)

Law Firm Links: Article 1 , Article 2, Article 3, Article 4, Article 5, Summary

What do employers need to do?

Employers should review the links provided above and should review their data collection policies to ensure they will be in compliance with the law by March 31, 2024.

Need help understanding how changes to employment laws will affect your business?

Learn more about how Vensure's Washington PEO services can help you navigate complex employment laws and keep your business compliant.

This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.

Keep Your Business Compliant

Fill out the form below to receive monthly Employment Law Updates right in your inbox.

Keep Your Business Compliant

Fill out the form below to receive monthly Employment Law Updates right in your inbox.


You're all set.

Thanks for subscribing. Be on the look out for the Legal HR updates in your email.

Celebrating PEOs!

VensureHR joins the nationwide celebration, reflecting on an industry of excellence in providing payroll, employee benefits, compliance assistance, and HR services to thousands of SMBs across North America.

Tracking Convertion image