Compllance Health Data — Continued from page

Compliance

the MHMDA.

The regulated entity may not collect, use, or share consumer health data other than as its privacy policy indicates until it has obtained the consumer’s affirmative consent.

The regulated entity must obtain consumer consent to collect or share consumer health data, unless the collection or sharing of the data is necessary to provide a product or service that the consumer has requested.

The MHMDA also gives a consumer the right to know what consumer health data a regulated entity collects, for what purposes, and with whom the entity shares the data.

The consumer may withdraw his or her consent to the collection, use, and sharing of consumer health data or request that the entity delete the data.

The MHMDA requires an entity to restrict access to consumer health data and to require compliance with the MHMDA in its contracts with data processors.

Additionally, the MHMDA requires a consumer to give affirmative consent before an entity sells his or her consumer health data.

And the entity may not require the consumer to give that consent as a condition of providing a good or service.

The MHMDA applies to a regulated entity. The MHMDA defines the term “regulated entity” to mean any legal entity that:

• conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington; and

• alone, or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.

10

The term does not include government entities, tribal nations, or data processors acting on behalf of government entities.

A regulated entity that satisfies either of the following criteria is a “small business” under the MHMDA:

• the entity collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or

• the entity derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.

Most provisions of the MHMDA will apply to regulated entities other than small businesses beginning March 31, 2024, and to small businesses beginning June 30, 2024.

A provision prohibiting the implementation of a “geofence” around an entity that provides in-person health care services to track consumers takes effect on July 23, 2023. Dealers and creditors that offer GPS monitoring and tracking on vehicles sold and financed should review this new law to see whether and how they might have to update their information privacy policies and notices.

*Eric D. Mulligan is a senior associate in the Maryland office of Hudson Cook, LLP. Webb McArthur is a partner in the Washington, D.C., office of Hudson Cook, LLP.