Washington's My Health My Data Act and Consumer Health Data Laws
HIPAA leaves a gap: a broad array of health data collected by mobile devices, apps, and wearables sits mostly outside HIPAA. Washington's My Health My Data Act (MHMDA), passed in 2023, regulates Consumer Health Data held by non-HIPAA entities and is notable for including a private right of action. Nevada (SB 370) and Connecticut (SB 3) passed similar laws, but only Washington has a private right of action - Nevada and Connecticut are AG-only.
HIPAA only reaches data held by covered entities and their business associates. A large category of health data - collected by mobile devices, apps, and wearables - stays mostly outside HIPAA. Washington's My Health My Data Act (MHMDA), passed in 2023, was designed to fill that gap.
MHMDA regulates Consumer Health Data held by entities not covered by HIPAA. It requires consent (or that the use be necessary) to collect, share, or sell consumer health data, mandates a separate consumer-health-data privacy policy, and imposes geofencing restrictions near health facilities.
MHMDA includes a private right of action. Nevada (SB 370, the Nevada Consumer Health Data Privacy Law) and Connecticut (SB 3) passed laws modeled on Washington's, but neither provides a private right of action. Apart from Washington's private right of action, enforcement is by the state attorney general.
| State | Law | Private right of action? |
|---|---|---|
| Washington | MHMDA (2023) | Yes |
| Nevada | SB 370 | No - AG only |
| Connecticut | SB 3 | No - AG only |