Washington My Health My Data Act FAQs: Data Subject Rights
Like so many other features of the MHMDA, data subject rights are deceptively complicated and have the potential to create significant administrative hurdles to getting it right. In this article, we examine the tricky issues in our MHMDA FAQs and take a deep dive into data subject rights.
April 17, 2024 at 02:41 PM
What You Need to Know
- The MHMDA provides consumers with the right to know/access consumer health data, the right to have such information deleted and the right to withdraw consent that had previously been granted.
- In spite of the onerous and at times confusing requirements of the MHMDA, the Washington AG has only published a short set of FAQs to help address some of this uncertainty.
On April 27, 2023, the Washington State governor signed into law the My Health My Data Act or the MHMDA. In spite of the onerous and at times confusing requirements of the MHMDA, the Washington Attorney General (AG) has only published a short set of Frequently Asked Questions to help address some of this uncertainty.
Like so many other features of the MHMDA, data subject rights are deceptively complicated and have the potential to create significant administrative hurdles to getting it right. As promised in our recent summary of the MHMDA ("MHMDA: Time to Comply"), we are examining in more detail these tricky issues in our MHMDA FAQs and have done a deep dive into data subject rights in this FAQ.
What Data Subject Rights Are Available Under the MHMDA?
The MHMDA provides consumers with the right to know/access consumer health data, the right to have such information deleted and the right to withdraw consent that had previously been granted. Organizations are also required to provide consumers with the right to appeal any denial of a request.
- Right to Know/Access: A consumer has the right to confirm whether an organization is collecting, sharing (disclosing) or selling their consumer health data and to access such data. The information provided must include a list of all third parties and affiliates to which consumer health data has been shared or sold and an active email address or other online mechanism that the consumer may use to contact these parties. Note that this obligation does not cover service providers/processors.
- Right to Withdraw Consent: A consumer has the right to withdraw consent to the relevant processing, sharing or sale of consumer health data.
- Right to Delete Consumer Health Data: A consumer has the right to have consumer health data deleted from an organization's records, including archived or back-up systems. The organization must also push this request to all affiliates, processors, contractors and other third parties with whom the organization has shared the data.
- Right to an Appeal: In addition to the primary rights described above, an organization must establish an appeals process by which a consumer can appeal the organization's decision not to grant a request (e.g., denial of an access or deletion request). If an organization subsequently denies the appeal, the response must provide a written explanation of the reasons for denying the appeal. Notably, the response also must provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Washington Attorney General to submit a complaint. The Washington AG has not yet published a dedicated mechanism for complaints, but may do so prior to the March 31, 2024 effective date. If not, an email address or phone number should be sufficient.
What Are the Timing Requirements?
- Organizations are required to comply with the request within 45 days of receipt of the request. One 45-day extension can be applied depending on the complexity or number of the requests so long as a consumer is notified of the extension within the initial 45-day period.
- Appeals must also be addressed within 45 days of receipt of the appeal from the consumer. No extensions are available for resolving the appeal.
Are There Exceptions?
No, there are no express exceptions to the data subject rights provided to consumers under the law. This is a significant issue that will hopefully be addressed via amendments or the regulations. There is a limited catch-all exception indicating that the obligations imposed by the law do not restrict an organization's ability to collect, use or disclose consumer health data to:
- prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law;
- preserve the integrity or security of systems; or
- investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.
Organizations could point to these exceptions for requests for access or deletion to the extent necessary for one of the purposes listed above, but organizations that rely on this exception have the burden of demonstrating that the decision qualifies. In addition, this exception does not appear to extend to compliance with applicable law (e.g., retention requirements), a common exception in other data privacy laws. Therefore, unless and until there is additional guidance provided by Washington regulators, organizations should generally work to honor data subject rights requests wherever possible or tailor any denial as narrowly as possible.
© 2024 ALM Global, LLC, All Rights Reserved.