Summary
Organizations that fall under the jurisdiction of the Washington State My Health My Data Act (including those with physical locations in Washington and some without) must prepare for compliance by March 31, 2024. In addition to meeting overall compliance requirements and addressing immediate action items, organizations should be mindful that the Washington Attorney General has updated its guidance on consumer health privacy policy requirements.
Section 4(1)(b) of the My Health My Data Act explicitly states that “[a] regulated entity and a small business shall prominently publish a link to its consumer health data privacy policy on its homepage.” The new guidance from the Attorney General interprets this to mean that the consumer health privacy policy must be a separate link on the homepage and should not contain any additional information beyond what is required by the Act (emphasis added).
While the Act does not explicitly mandate the policy to be standalone or to be specifically named “consumer health data privacy policy,” the latest guidance suggests that regulated entities should align their disclosures closely with the Act’s requirements and terminology. This includes posting a separate link and consumer health privacy policy on each website where personal information is collected. This additional link in website footers could be unwelcome for organizations, but is necessary to follow the Washington Attorney General’s guidance.