
Metaverse Law in Orange County Lawyer Magazine

The January 2025 edition of Orange County Lawyer magazine features an article written by Metaverse Law’s Lily Li. Read “AI and Machine Learning in Drug Development and Clinical Trials” below or in Orange County Lawyer magazine.
[Originally published as a Feature Article: AI and Machine Learning in Drug Development and Clinical Trials, by Lily Li, in Orange County Lawyer Magazine, January 2025, Vol. 67 No. 1, page 28.]

AI and Machine Learning in Drug Development and Clinical Trials

by Lily Li

In 2013, sleep medication zolpidem (Ambien, Ambien CR, and Edluar) swept headlines. Marie Claire reported on an alarming and suspicious rise in users experiencing irrational eating, gambling, and even “sleep-driving” while in a hypnotic trance—waking with no memories of their actions.[1] In several cases, women arrested and convicted for driving under the influence contested their convictions, arguing that they were not liable for these undisclosed drug-related side effects. At the same time, several clinical studies suggested that women metabolized zolpidem differently from men. By reviewing existing literature, Japanese researchers out of Shimane University identified 40% higher concentrations of zolpidem in women than men following use, and higher rates of visual hallucinations and sensory distortions.[2] The FDA released a safety advisory, warning users of the risks of “next-morning impairment” for the use of Ambien and related drugs.[3] In addition, the FDA took the unusual step of recommending a 50% cut in the dosage for women. When asked about the change, an FDA director told ABCNews.com: “The changes are different in women and men . . . We don’t understand why yet, but women are more susceptible to next-morning impairment.”[4] Yet, a decade later, the evidence supporting different zolpidem dosages for women and men is unclear.[5] In part, this is due to the lack of research surrounding sex differences in drug impact and drug treatment, as well as substantial gaps in the inclusion of women in clinical studies.
From 1977 to 1993, FDA policy recommended excluding women of childbearing potential from Phase 1 and early Phase II drug trials.[6] Even after this policy was removed in 1993, industry fears remained with respect to drug interactions with pregnancy. This episode with zolpidem raised several concerns in the drug development and clinical trial process:
  • How do we recruit representative candidates for drug trials?
  • How do we ensure the quality and availability of datasets for clinical research?
  • How do we measure potential impacts of drug dosing on different populations?
  • What are the legal implications for failing to address appropriate drug doses?
AI and ML to the Rescue?

Now that artificial intelligence is being used in research and development, one wonders: Can artificial intelligence (AI) and machine learning (ML) reduce bias and risks during drug development? Or will it create new legal risks due to bias, privacy intrusions, and lack of transparency? The FDA released a discussion paper on AI, Using Artificial Intelligence and Machine Learning in the Development of Drug and Biological Products, to discuss potential regulatory frameworks to address the use of AI and ML.[7] In this discussion paper, the FDA released a set of fascinating case studies into existing research and uses of AI in the clinical trial process. Several of these case studies are discussed below, as well as an analysis of their potential impact on the zolpidem example.
  1. Recruitment. According to the FDA, “AI/ML is being used to mine vast amounts of data, such as data from clinical trial databases, trial announcements, social media, medical literature, registries, and structured and unstructured data in EHRs [electronic health records], which can be used to match individuals to trials (Harrer, Shah, Antony, & Hu, 2019).” In this manner, researchers can combine huge quantities of publicly available data and individual health data from prior research to identify participants with certain medical conditions (or lack of adverse conditions) for investigational treatments. For zolpidem, the use of AI/ML may have been able to identify a much broader list of participants for initial clinical testing, making it easier to assess and identify adverse reactions.
  2. Selection and Stratification of Trial Participants. In addition to initial recruitment, AI/ML has the capability to improve intake, selection, and classification of clinical trial participants. Based on baseline characteristics selected by the researchers, such as prior clinical data, and vitals/labs taken during intake, predictive algorithms can help identify high-risk participants.[8] These groups can then be randomized and then subject to more strict monitoring protocols. In the case of zolpidem, alcohol use is associated with sometimes severe adverse effects from the drug, and so it would be beneficial to screen out candidates with a history of alcoholism or, on the flip side, assess drug interactions for this high-risk group with additional support, monitoring, or counseling.
  3. Dose/Dosing Regimen Optimization. AI/ML can be used to predict drug exposure for different populations based on factors such as weight, height, sex, and other characteristics that might impact drug metabolism. Based on prior drug exposure and response profiles for similar drugs and similar populations, AI/ML can help to narrow the dose/dosing regimen selected for a study. As noted by the FDA’s discussion paper, this can help optimize drug dosing “in special populations where there may be limited data (e.g., rare disease studies, pediatric and pregnant populations).” Based on this research, we can imagine future scenarios where AI/ML could have avoided zolpidem dosing concerns, where graduated and limited dosing was tested and applied to different sex, age, and metabolism categories to determine ideal dosing.
  4. Data Analysis. On a more intriguing level, the FDA AI discussion paper discussed the concept of creating “digital twins” of patients for clinical trials. Essentially, an AI version of the clinical participant is created, using the existing candidate’s electronic health records, vital signs, labs and other records. Researchers can assess how the digital twin would react under normal conditions using AI/ML modeling based on data gathered from similar individuals. This digital twin would then act as a substitute for a placebo candidate in a clinical trial, and act as a benchmark against the actual patient undergoing investigational treatment. For zolpidem, this could be used to assess candidates that already have underlying medical conditions such as anxiety, depression, or other confounding factors, to see whether an adverse effect from a trial is due to the investigational treatment or something that is likely to occur to the same individual from anxiety alone.
  5. Postmarketing Safety Surveillance. Finally, AI/ML can help detect and assess adverse events once the drug enters the market. This is not just limited to individual case safety reports (ICSR), required by regulators, but can include adverse events reported publicly on social media and the wider internet. This type of postmarketing safety surveillance could assist researchers and drug companies in identifying potential drug risks, prior to landing on primetime news.
Quality and Reliability Risks

While AI/ML can help to address the costs and efficiency of clinical trials, this relies substantially on the underlying data used to train AI. The quality and reliability of any AI/ML model requires similar quality controls for underlying training data. Given the safety risks of inappropriate drug dosing, or recruiting candidates with severe medical conditions, AI developers cannot rely solely on self-reported healthcare data with no external medical testing or validation. Developers should be equally wary of training on third-party data sets that do not provide documentation on the collection of data and data validation. Within an existing healthcare organization, if the organization is big enough, aggregate and de-identified data may be obtained from existing electronic health care records and prior clinical trials. Yet, even within these large datasets, errors may surface during training. Medical providers may code the same procedure, and similar symptoms, a dozen different ways. Even drug names can be misspelled and coded incorrectly within existing records. While many of these errors may end up being statistically insignificant with enough data, there is the risk of missing one or two major adverse events, or “black swan” events, that would otherwise change the entire risk profile of a drug. In addition to quality and reliability, the underlying dataset needs to be representative of the population that will be studied for the clinical trial. If the model is only trained on a handful of individuals with a certain medical predisposition, age, sex, weight, etc., it will be difficult for the AI model to make predictions for that group.
As an example, if the training data only contains the medical information for two individuals over the age of sixty, and shows no adverse effects from a particular drug dose, this information is not enough to generalize that the drug at that dosage is appropriate for all individuals over the age of sixty. For all we know, these two candidates could be a former Olympic diver and a nutrition coach, two outliers that completely skew the data. Consequently, the underlying training data for any AI model should also be assessed for bias and representativeness as it applies to the proposed clinical trial.

Data Privacy, Cybersecurity, and AI Risks

The data privacy and cybersecurity risks associated with the foregoing uses of AI/ML cannot be overstated. The quality and representativeness of any AI system in this field will rely heavily on large swathes of healthcare data, fine-tuned and, at times, personalized in the case of digital twins. This is sensitive or special category data at its finest, triggering heightened scrutiny under the EU’s data privacy law, the GDPR, and U.S. data privacy and data breach laws. To date, most healthcare organizations have sidestepped data privacy concerns by relying on HIPAA’s de-identification standard to remove personal information and other identifiers from healthcare data, making it difficult to associate with an individual. While the FDA requires Institutional Review Board (IRB) review of most biomedical research involving human subjects, this generally does not apply to de-identified personal information that cannot be linked to an individual. Simply de-identifying data and then running with it is not enough, however. Under the California Consumer Privacy Act and similar state laws, for example, recipients of de-identified data need to affirm that they will not attempt to reidentify the data (except to test their de-identification methods).
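To make the re-identification risk of “de-identified” data concrete, the following added example (not code from the article) measures how many records share each combination of quasi-identifiers in a small constructed set of trial records, and picks the largest attribute set that still keeps every group at a chosen minimum size (k-anonymity). The attribute names and all records are constructed for illustration.

```python
"""Re-identification risk check for a de-identified clinical dataset.

Added illustration, not code from the article. RECORDS is constructed sample
data; no real patients, trials or sites are represented. Direct identifiers
(name, medical record number) are already stripped, which is what
HIPAA-style de-identification achieves. What remains are quasi-identifiers:
attributes that many people share individually but that, combined, can
single a person out.
"""
from collections import Counter

# Constructed sample records (8 participants across two hypothetical sites).
RECORDS = [
    {"age_band": "40-49", "sex": "F", "eye_color": "brown", "weight_band": "60-69", "trial_site": "Site A", "allergy": "penicillin"},
    {"age_band": "40-49", "sex": "F", "eye_color": "brown", "weight_band": "60-69", "trial_site": "Site A", "allergy": "none"},
    {"age_band": "40-49", "sex": "F", "eye_color": "brown", "weight_band": "60-69", "trial_site": "Site B", "allergy": "none"},
    {"age_band": "40-49", "sex": "F", "eye_color": "brown", "weight_band": "60-69", "trial_site": "Site B", "allergy": "none"},
    {"age_band": "40-49", "sex": "M", "eye_color": "blue", "weight_band": "80-89", "trial_site": "Site A", "allergy": "none"},
    {"age_band": "40-49", "sex": "M", "eye_color": "blue", "weight_band": "80-89", "trial_site": "Site A", "allergy": "none"},
    {"age_band": "40-49", "sex": "M", "eye_color": "blue", "weight_band": "80-89", "trial_site": "Site B", "allergy": "sulfa"},
    {"age_band": "40-49", "sex": "M", "eye_color": "blue", "weight_band": "80-89", "trial_site": "Site B", "allergy": "none"},
]

# Attributes in the order a data recipient might want them released.
ALL_ATTRIBUTES = ("age_band", "sex", "eye_color", "weight_band", "trial_site", "allergy")


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Smallest group size for this attribute set; k == 1 means someone is unique."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def unique_record_count(records, quasi_identifiers):
    """Number of records that are alone in their group (directly re-identifiable)."""
    return sum(1 for n in equivalence_classes(records, quasi_identifiers).values() if n == 1)


def risk_report(records, attribute_sets):
    """Return (attributes, k, unique_records) for each attribute set in turn."""
    return [(qi, k_anonymity(records, qi), unique_record_count(records, qi)) for qi in attribute_sets]


def safe_release_attributes(records, ordered_attrs, k_min):
    """Longest prefix of ordered_attrs that keeps every group at size >= k_min.

    A simple mitigation: release attributes in priority order and stop before
    the one that would let any participant be singled out below the threshold.
    """
    chosen = ()
    for attr in ordered_attrs:
        candidate = chosen + (attr,)
        if k_anonymity(records, candidate) < k_min:
            break
        chosen = candidate
    return chosen


if __name__ == "__main__":
    # Progressively richer attribute sets: the minimum group size shrinks
    # from 4 to 1 once trial site and allergy are added.
    sets = [ALL_ATTRIBUTES[:2], ALL_ATTRIBUTES[:4], ALL_ATTRIBUTES[:5], ALL_ATTRIBUTES]
    for qi, k, uniques in risk_report(RECORDS, sets):
        print(f"{len(qi)} attributes -> k={k}, unique records={uniques}")
    print("Releasable with k>=2:", safe_release_attributes(RECORDS, ALL_ATTRIBUTES, 2))
```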
The GDPR has a much higher “anonymization” standard, which looks at the re-identifiability of personal information, given all the different datasets that an organization may have access to. AI/ML itself is making the de-identification process harder. As it is capable of slicing and dicing data by age, race, sex, and medical condition, and combining multiple large datasets, it is easy to run the risk of re-identifying data. While several thousand people might have the same configuration of eye color, age, gender, and weight, only one or two may have participated in a clinical trial at a particular location, or have specific allergies or side effects to certain types of medication. As a result, in circumstances where healthcare data is not de-identified, or the risk of reidentification is heightened, it behooves clinical organizations and their AI developers to implement written information security programs and associated privacy and security controls.

Legal Liability and Drug Dosing

In several notable cases, defendants on zolpidem were able to contest or overturn DWI or even vehicular manslaughter cases. Essentially, these defendants argued that they were not aware of the potential dangers of zolpidem, and so could not be liable for their actions while “sleep driving.” This raises the question: If AI gets good enough, and can tell you exactly the right dose to take of a drug, will you (or your doctor) be liable if you deviate from the AI’s recommendations? Will the AI’s recommendations be discoverable in court (and surfaced via AI-enhanced search)? Only time will tell what this brave new world will bring.

ENDNOTES

[1] Kai Falkenberg, While You Were Sleeping (September 27, 2012), Marie Claire, https://www.marieclaire.com/culture/news/a7302/while-you-were-sleeping/.
[2] Takuji Inagaki, Tsuyoshi Miyaoka, Seiichi Tsuji, Yasushi Inami, Akira Nishida, and Jun Horiguchi, Adverse Reactions to Zolpidem: Case Reports and a Review of the Literature, 12 Prim Care Companion J Clin Psychiatry 6 (2010), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3067983/.
[3] U.S. FDA, Drug Safety Communication: FDA approves new label changes and dosing for zolpidem products and a recommendation to avoid driving the day after using Ambien CR (May 14, 2013), https://www.fda.gov/drugs/drug-safety-and-availability/fda-drug-safety-communication-fda-approves-new-label-changes-and-dosing-zolpidem-products-and.
[4] FDA: Cut Ambien Dosage for Women, ABC News (January 10, 2013, 6:03 AM), https://abcnews.go.com/Health/fda-recommends-slashing-sleeping-pill-dosage-half-women/story?id=18182165.
[5] David J. Greenblatt, Jerold S. Harmatz, & Thomas Roth, Zolpidem and Gender: Are Women Really At Risk?, 39(3) J. Clinical Psychopharmacol. 189 (May/Jun 2019), https://pubmed.ncbi.nlm.nih.gov/30939589/.
[6] NIH Inclusion Outreach Toolkit: How to Engage, Recruit, and Retain Women in Clinical Research, last accessed September 16, 2024, https://orwh.od.nih.gov/toolkit/recruitment/history.
[7] FDA, Using Artificial Intelligence and Machine Learning in the Development of Drug and Biological Products (May 10, 2023), https://www.fda.gov/media/167973/download; see also Using Artificial Intelligence and Machine Learning in the Development of Drug and Biological Products; Availability, 88 FR 30313 (May 11, 2023), https://www.federalregister.gov/documents/2023/05/11/2023-09985/using-artificial-intelligence-and-machine-learning-in-the-development-of-drug-and-biological.
[8] Thi Tuyet Van Tran, Hilal Tayara, and Kil To Chong, Artificial Intelligence in Drug Metabolism and Excretion Prediction: Recent Advances, Challenges, and Future Perspectives, 15 Pharmaceutics 1260 (Apr 17, 2023), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10143484/.
Lily Li is an AI, data privacy, and cybersecurity lawyer and founder of Metaverse Law. She is a certified information privacy professional for the United States and Europe and is a GIAC Certified Forensic Analyst for advanced incident response and computer forensics. She can be reached at info@metaverselaw.com.

HHS releases proposed rule to modify HIPAA Security Rule requirements

On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), announced a proposed rule that would modify the security requirements imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The proposed rule, if adopted, would modify the HIPAA Security Rule to require covered entities and their business associates to implement more stringent cybersecurity safeguards and measures to protect electronic protected health information (ePHI). These new requirements would include, among other things:
  • Requiring written documentation of all HIPAA Security Rule policies, procedures, plans, and analyses.
  • Adding specific compliance periods for existing HIPAA Security Rule requirements.
  • Requiring the creation of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic systems and, at least every 12 months, reviewing the asset inventory and network map.
  • Requiring notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain systems is changed or terminated.
  • Requiring regulated entities to conduct a compliance audit at least once every 12 months.
  • Requiring business associates to verify to covered entities, at least once every 12 months, that they have deployed the technical safeguards required by the Security Rule to protect ePHI.
  • Requiring covered entities to test the effectiveness of their security measures at least once every 12 months.
  • Requiring network segmentation.
  • Requiring vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Requiring greater specificity for conducting a risk analysis.
These changes come in response to what the OCR sees as a “substantial increase in reports of large breach reports over the last five years.” According to the OCR, between 2018 and 2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by ten times that, at 1002 percent. The proposed rule changes seek to improve the cybersecurity of critical health infrastructure by updating the Security Rule’s standards to better address the increase in cybersecurity threats in the health care sector. The proposed rule can be viewed in the Federal Register, where it is scheduled for publication on January 6, 2025. Stakeholders within the health care sector, including patients and covered entities, are welcome to submit comments on the proposed rule through regulations.gov for 60 days after its publication. While the proposed rule goes through the rulemaking process, the current Security Rule remains in effect. We will continue monitoring for developments.

Metaverse Law to speak at OCBA Health Care Law Section Meeting

Healthcare Data, Trackers, & Artificial Intelligence: Are You Giving Away Sensitive Healthcare Information?

Metaverse Law’s Lily Li will be speaking on this topic at this month’s OCBA Health Care Law Section Meeting.

When? Thursday, March 14, 2024, 12:30 PM – 1:30 PM

Where? OCBA Offices, 4101 Westerly Place, Newport Beach, CA 92660

*Advance registration required. No Walk-Ins.*

An overview of biometrics laws in the U.S.

[Updated: September 27, 2023] In addition to state comprehensive privacy laws, state legislatures are increasingly interested in regulating the collection, use, and possession of biometric data. It is therefore imperative for startups and businesses to remain informed of the potential laws that may apply and when. Readers are encouraged to review the following enacted and enforceable biometric laws, and to reach out if concerned that one such law may apply. We will continue monitoring the biometric legislation landscape and will update this resource accordingly.

ILLINOIS

Law: Biometric Information Privacy Act (“BIPA”)
Applies to: Any individual, partnership, corporation, limited liability company, association, or other group, however organized, that possesses, collects, captures, purchases, receives through trade, or otherwise obtains biometric identifiers or biometric information of Illinois residents.
Covers:
  • Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry; or
  • Biometric information: Any information, regardless of how it is captured, converted, stored, or shared, based on an individual biometric identifier and used to identify an individual.
Enforcement: The law provides individuals with a private right of action, and violations can amount to $5,000 per collection, possession, etc., in violation of the law.

MARYLAND

Law: Labor and Employment Code § 3-717
Applies to: Maryland employers that use facial recognition services for purposes of creating a facial template during an applicant’s interview for employment.
Covers:
  • Facial template: Machine-interpretable pattern of facial features that is extracted from one or more images of an individual by technology that analyzes facial features and is used for recognition or persistent tracking of individuals in still or video images.
Enforcement: Maryland Department of Labor.

MONTANA

Law: Facial Recognition for Government Use Act
Applies to: Third-party vendors contracting with Montana state or local government agencies for the provision of facial recognition services.
Covers:
  • Facial biometric data: Data derived from a measurement, pattern, contour, or other characteristic of an individual’s face, either directly or from an image.
Enforcement: Montana Attorney General can bring enforcement actions, with damages starting at $10,000. The law provides individuals with a private right of action, and violations can amount to $1,000 per violation.

NEW YORK

Law: N.Y. LAB. LAW § 201-a
Applies to: New York employers that fingerprint employees as a condition of securing employment or of continuing employment.
Covers:
  • Fingerprints: The law does not define what constitutes a fingerprint, but New York State Department of Labor RO-10-0024 states: “instruments that measure the geometry of the hand are permissible under the Labor Law so long as they do not scan the surface details of the hand and fingers in a manner similar or comparable to the scanning of a fingerprint.”
Enforcement: New York State Department of Labor.
Law: NYC Admin Code §§ 22-1201-1205
Applies to: Places of entertainment, retail stores, or food or drink establishments in New York City that collect biometric identifier information from customers.
Covers:
  • Biometric identifier information: Physiological or biological characteristics that are used by or on behalf of a place of entertainment, a retail store, or a food or drink establishment, singly or in combination, to identify, or assist in identifying, an individual.
Enforcement: The law provides individuals with a private right of action, and violations can amount to $5,000 per violation.

OREGON

Law: Portland City Code, Title 34 (Digital Justice), Chapters 34.10.010-34.10.050
Applies to: Any individuals and non-government entities in the city of Portland, prohibiting them from using face recognition technologies in any place or service offering to the public accommodations, advantages, facilities, or privileges, whether in the nature of goods, services, lodgings, amusements, transportation, or otherwise.
Covers:
  • Face recognition: Automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository.
Enforcement: The law provides individuals with a private right of action, and violations can amount to $1,000 per day for each day of violation.

STATE COMPREHENSIVE PRIVACY LAWS

Laws: State comprehensive privacy laws
Applies to: Each state comprehensive privacy law features various thresholds of applicability. Please see our overview of state comprehensive privacy laws for more information on those thresholds.
Covers:
  • Biometric data: Generally means an individual’s physiological, biological, or behavioral characteristics that is used or is intended to be used to establish or authenticate an individual’s identity.
Enforcement: Most state comprehensive privacy laws are enforced by the state’s respective attorney general, but California also authorizes the California Privacy Protection Agency to enforce California’s state comprehensive privacy law.

TEXAS

Law: Capture or Use of Biometric Identifier (“CUBI”)
Applies to: Any individuals and non-government entities capturing biometric identifiers of Texas individuals for a commercial purpose. (The law does not define what constitutes a “commercial purpose,” but the Texas Attorney General has argued that capturing biometric identifiers to improve or develop products or services constitutes a commercial purpose.)
Covers:
  • Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, or records of hand or face geometry.
Enforcement: Texas Attorney General, which can seek fines of up to $25,000 per violation.

WASHINGTON

Law: Biometric Identifiers Law (“BIL”)
Applies to: All individuals and non-government entities that collect, use, and retain biometric identifiers from Washington residents.
Covers:
  • Biometric identifiers: Data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics, that is used to identify a specific individual.
Enforcement: Washington Attorney General under the state’s consumer protection act.
Law: My Health, My Data Act (“MHMDA”)
Applies to: All legal entities of any size that conduct business in Washington state or produce or provide products or services targeted to individuals in Washington, and alone or jointly collect, process, share, or sell consumer health information.
Covers:
  • Consumer health information: Personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.
Enforcement: Washington Attorney General can bring enforcement actions under the state’s consumer protection act. In addition, the law provides individuals with a private right of action.

An Overview of Washington’s “My Health, My Data” Act

On April 27, 2023, Governor Jay Inslee of Washington signed into law HB 1155, the “My Health, My Data” Act (MHMD Act). The MHMD Act claims to address the lack of protections for health data collected by entities not covered by HIPAA, the federal law that regulates how hospitals, health care providers, and other covered entities can handle health data. To achieve that goal, the MHMD Act was drafted in such a way as to provide sweeping protections that go beyond what most would consider to be protected “consumer health data.” For example, the scope of the definition, as we detail below, may include athletic equipment, footwear, or even groceries such as ginger. In addition, the MHMD Act introduces consumer rights, privacy policy obligations, contractual requirements, and more. To ensure the MHMD Act is adhered to, the legislature included a private right of action, thereby opening the door to plaintiff litigation to enforce the Act. Taking this all into consideration, the Washington “My Health, My Data” Act may be the most consequential US privacy legislation enacted in this decade.
Washington My Health, My Data Act

Scope & Applicability
  • Covered Entities. The MHMD Act imposes restrictions and obligations on two types of entities, regulated entities and small businesses. The impact of being qualified as a small business rather than a regulated entity is only a three-month delay of the effective date. See Effective Dates, below.
 
    • Regulated Entity. A regulated entity is one that:
      • Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
      • Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. Sec. 3(23).
 
    • Small Business. A small business is a regulated entity that satisfies one or both of the following thresholds:
      • Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
      • Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers. Sec. 3(28).
 
  • Protected Consumers. A consumer under the MHMD Act is either:
    • a natural person who is a Washington resident; or
    • a natural person whose consumer health data is collected in Washington.
    “Consumer” does not include individuals acting in an employment context, nor does it include B2B relationships. Sec. 3(7).
 
  • Protected Data. The MHMD Act regulates “consumer health data,” which is defined as information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer and that identifies the consumer’s past, present, or future physical or mental health status. Sec. 3(8)(a); Sec. 3(18)(a). Physical or mental health status includes:
    1. Individual health conditions, treatment, diseases, or diagnosis.
    2. Social, psychological, behavioral, and medical interventions.
    3. Health-related surgeries or procedures.
    4. Use or purchase of prescribed medication.
    5. Bodily functions, vital signs, symptoms, or measurements of any information in this list.
    6. Diagnoses or diagnostic testing, treatment, or medication.
    7. Gender-affirming care information.
    8. Reproductive or sexual health information.
    9. Biometric data.
    10. Genetic data.
    11. Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.
    12. Data that identifies a consumer seeking health care services.
    13. Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning). Sec 3(8)(b)(i)-(xiii).
 
    • Health Care Services. The most notable among the above list is number 12, data that identifies a consumer seeking health care services. The MHMD Act defines “health care services” to mean any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health. Sec. 3(15). Recognizing that this broad definition could apply to numerous everyday items, Senate members introduced an amendment to expressly exclude such items as athletic equipment, footwear, perfumes, jewelry, toys, cleaning products, recreational cannabis, groceries, and more. However, the amendment was ultimately defeated.
 
    • Biometric Data. It is worth noting that the MHMD Act states that biometric information includes imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted. Sec. 3(4)(a).
  Substantive Provisions
  • Security Standards. A regulated entity or small business must establish and maintain data security practices that, at a minimum, satisfy the reasonable standard of care within the regulated entity’s or small business’s industry to protect the confidentiality, integrity, and accessibility of consumer health data. Sec. 7(1)(b).
 
  • Geofencing Restrictions. It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to identify or track consumers seeking health care services, collect consumer health data from consumers, or send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. Sec. 10.
 
  • Privacy Policy. Regulated entities and small businesses must maintain a privacy policy that discloses:
    • The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used.
    • The categories of sources from which the consumer health data is collected.
    • The categories of consumer health data that is shared.
    • The list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data.
    • How a consumer can exercise the rights provided under the MHMD. Sec. 4(1)(a).
 
  • Restricted Data Collection. A regulated entity or small business cannot collect any consumer health data except (i) with consent from the consumer for such collection for a specified purpose or (ii) to the extent necessary to provide a product or service that the consumer has requested from such regulated entity or small business. Sec. 5(1)(a). Consent under the MHMD Act means a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement. Sec. 3(6)(a). Notably, consent cannot be obtained by acceptance of a general or broad terms of use agreement or similar document. Sec. 3(6)(b)(i).
 
  • No Sales without Valid Authorization. A “sale” under the MHMD Act means the exchange of consumer health data for monetary or other valuable consideration. Sec. 3(26)(a). It is unlawful for any person to sell or offer to sell consumer health data concerning a consumer without first obtaining a valid authorization signed by the consumer. A valid authorization is a document containing:
    • The specific consumer health data concerning the consumer that the person intends to sell;
    • The name and contact information of the person collecting and selling the consumer health data;
    • The name and contact information of the person purchasing the consumer health data;
    • A description of the purpose of the sale, including how the consumer health data will be gathered and how it will be used by the purchaser;
    • A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
    • A statement that the consumer has a right to revoke the valid authorization at any time and a description on how to do so;
    • A statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by this section;
    • An expiration date for the valid authorization, which expires one year from the date the consumer signs it; and
    • The signature of the consumer and date of signature. Sec. 9(2).
 
  • Data Processor Agreements. The MHMD Act defines a “processor” as any person that processes consumer health data on behalf of a regulated entity or small business. Sec. 3(20). A processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity or small business that sets forth the processing instructions and limits the actions the processor may take with respect to the consumer health data. Sec. 8(1)(a)(i).
  Consumer Rights
  The MHMD Act provides consumers with several privacy rights, including:
  • Right to Know. A consumer has the right to confirm whether a regulated entity or small business is collecting, sharing, or selling consumer health data concerning the consumer. Sec. 6(1)(a).
  • Right to Access. A consumer has the right to access data concerning the consumer, including a list of all third parties and affiliates with whom the regulated entity or the small business has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact the third parties. Sec. 6(1)(a).
  • Right to Withdraw Consent. A consumer has the right to withdraw consent from the regulated entity’s or the small business’s collection and sharing of consumer health data concerning the consumer. Sec. 6(1)(b).
  • Right to Delete. A consumer has the right to have their consumer health data deleted. Sec. 6(1)(c).
  • Right to Appeal. A consumer has the right to appeal the regulated entity’s or small business’s refusal to take action on a request. Sec. 6(1)(g).
  Exemptions
  The MHMD Act exempts information subject to HIPAA, GLBA, FCRA, and FERPA. Sec. 12.
  Enforcement
  Violations of the MHMD Act are enforceable under the Washington Consumer Protection Act (WCPA) as an unfair or deceptive act in trade or commerce and an unfair method of competition. Sec. 11; RCW 19.86.020.
  • State AG Enforcement. The WCPA is enforced by the Washington Attorney General. RCW 19.86.080.
 
  • Private Right of Action. The WCPA also includes a private right of action for alleged unfair or deceptive acts or practices. RCW 19.86.093. In Attorney General actions, civil penalties under the WCPA can rise to $7,500 per violation, RCW 19.86.140; in private actions, a prevailing plaintiff may recover actual damages, costs, and attorneys’ fees, and the court may award treble damages of up to $25,000. RCW 19.86.090.
  Effective Dates
  • For regulated entities, MHMD’s provisions go into effect on March 31, 2024.
  • For small businesses, MHMD’s provisions go into effect on June 30, 2024.