On April 27, 2023, the Washington State governor signed into law the My Health My Data Act or the MHMDA. In spite of the onerous and at times confusing requirements of the MHMDA, the Washington Attorney General (AG) has only published a short set of Frequently Asked Questions to help address some of this uncertainty.  Nevertheless, most of the law’s provisions take effect on March 31, 2024, meaning that, at this point, companies have a very short runway to meet their obligations and brace for the private right of action allowed for under the act.  Like so many other features of the MHMDA, data subject rights are deceptively complicated and have the potential to create significant administrative hurdles to getting it right.  As promised in our recent summary of the MHMDA (MHMDA: Time to Comply), we are examining in more detail these tricky issues in our MHMDA FAQs and have done a deep dive into data subject rights in this FAQ. 

On April 27, 2023, the Washington State governor signed into law the My Health My Data Act or the MHMDA. In spite of the onerous and at times confusing requirements of the MHMDA, the Washington Attorney General (AG) has only published a short set of Frequently Asked Questions to help address some of this uncertainty.  Nevertheless, most of the law’s provisions take effect on March 31, 2024, meaning that, at this point, companies have a very short runway to meet their obligations and brace for the private right of action allowed for under the act.   With this in mind, we have prepared this brief recap of the law and the steps companies should consider as they gear up for compliance. Our more detailed summary of the MHMDA is available in our original insight, and we will also be releasing a series of short FAQs over the coming weeks to help companies prepare.

With the onslaught of new privacy legislation and cyber threats coupled with upticks in enforcement, running a well-functioning and flexible privacy program is now, more than ever, a critical component of an organization’s overall risk compliance strategy. As part of this process, companies must pressure-test their privacy programs regularly to make sure they appropriately address existing and emerging risks while maximizing business gains.  A comprehensive review is not always possible, but it is important to keep in mind that the last several years have seen a wave of new state privacy laws as well as activity at the federal level that promises to challenge even the most well-developed privacy team.  To help companies develop a strategy tailored to 2024, we have highlighted a few key issues below that will be particularly relevant over the coming year.