Washington My Health My Data Act - Part 10: The Purchase of Medication


This is Part 10 in a series of blog posts about the Washington My Health My Data Act. Previous parts include:

This part discusses how the Act covers information about consumers seeking, purchasing, or using medication – including non-prescription medication.

Last week, the Washington State Office of the Attorney General (OAG) updated its guidance on the Washington My Health My Data Act (MHMDA). Specifically, the OAG added an eighth question and answer addressing whether information about a consumer purchasing non-prescription medication would be considered “consumer health data” subject to the law. 

The OAG stated that such information about the purchase of over-the-counter medication would not be “consumer health data” unless an entity uses that information to infer information about the consumer’s health status.

But this new guidance does not tell the whole story.  In particular, the new FAQ #8 fails to acknowledge the numerous ways in which information about non-prescription medications can be within the scope of the law and it fails to address key ambiguities and inconsistencies in the relevant definitions. As such, it would be a mistake to conclude that information about the purchase or use of non-prescription medication is normally outside the scope of MHMDA or that processing such information carries no risk under the law.

This post explains the shortcomings of this new guidance. And in doing so, it takes a long overdue deep dive into how MHMDA treats personal information related to prescription and over-the-counter medications. It concludes that while this guidance may provide some comfort to entities regulated under MHMDA that process information about the purchase of non-prescription medications like aspirin or vitamins, it is only part of a bigger picture that should be considered along with the statutory text and other factors in determining an appropriately risk-based approach to compliance with this challenging law.

The Attorney General FAQs

As discussed in Part 9 of this blog series, the Washington State OAG previously published a list of seven FAQs addressing select issues under MHMDA. The recent update added the following additional FAQ:

8: Does the definition of consumer health data include the purchase of non-prescription medication?

MHMD defines consumer health data to include the “use and purchase of prescribed medication.” Non-prescription data is only considered consumer health data if the regulated entity draws an inference about a consumer’s health status from its purchase of non-prescription medication.

As noted in our previous blog post, while many of the FAQs provide some insight into how the OAG is interpreting the law, they generally fail to address or acknowledge the more challenging ambiguities of the law. And this new FAQ falls into that same pattern.

Further, the OAG has made it clear that these FAQs are non-binding. The FAQ page specifically states that the guidance is “for general educational purposes and is not provided for the purpose of giving legal advice of any kind.” It further cautions that “[r]eaders should not rely on information in this guide regarding specific applications of the law and instead should seek private legal counsel.”

Finally, this guidance reflects only how the OAG is interpreting the law. Because MHMDA has a private right of action, there is nothing preventing plaintiffs’ counsel from taking a different position, particularly where the language of the statute suggests a different meaning. And there is nothing stopping courts from reading the statute in a different way. That is particularly concerning where, as in this instance, the OAG’s FAQ seems to be contrary to the literal reading of the statute. 

Medication and the Definition of Consumer Health Data

As discussed in Part 2 of this blog series, MHMDA applies to a surprisingly broadly-defined set of “consumer health data.” The definition of “consumer health data” includes an extensive and often vaguely-worded list of data categories. And the definition contains a number of separately-defined terms that require reference to further definitions to fully understand the scope.

Under the relevant definitions, information about consumers seeking, purchasing, or using medications is very clearly within the scope of “consumer health data.”  However, the extent to which the law captures information about the purchase of non-prescription medication has been a subject of debate going back to the legislative process (noted below) and continuing with the publication of this latest FAQ. 

Notably, in most cases, information about the purchase of prescription medication will be subject to the federal HIPAA Privacy Rule. Therefore, such information will not be subject to MHMDA because of the law’s exemption for data covered by HIPAA. [A future blog post will discuss in more detail the comparison and interplay of HIPAA and MHMDA.] As a result, the questions about the law’s applicability to consumer information relating to non-prescription medication have been top of mind for many companies.

Under MHMDA, the definition of “consumer health data” captures this information about medication in (at least) six different ways – five of which can capture information about the purchase of non-prescription medication. Unfortunately, the new FAQ seems to reflect only two of those six.

First, part (b)(iv) of the definition of “consumer health data” directly and explicitly includes information about the “use or purchase of prescribed medication” (emphasis added). This is the part of the definition quoted in the new FAQ and seems to be the basis of the OAG position.

Notably, the definition in the originally-introduced version of the bill included “use or purchase of medication” and the limiting word “prescribed” was added to the definition through an amendment only late in the legislative process. The word “prescribed” was added after concerns were raised that the broad scope would capture data about the use or purchase of relatively innocuous over-the-counter medications like aspirin, cold remedies, or vitamins. It presumably was intended to exclude such information from being covered by the Act. But, as described below, there are other ways in which non-prescription medication can be captured.

Second, and most significantly, part (b)(xii) of the definition of “consumer health data” includes “data that identifies a consumer seeking health care services” (emphasis added). And “health care services,” in turn, is broadly defined as:

“any service provided to a person to assess, measure, improve, or learn about a person's mental or physical health, including but not limited to … [u]se or purchase of medication.”

Note that this definition uses the “use or purchase of medication” phrasing from the original version of the bill. The above-referenced amendment, perhaps due to a drafting oversight, did not add “prescribed” to the parallel language in this definition. 

As a result, information about a consumer shopping for, purchasing, or using non-prescription medication almost certainly indicates that the consumer has sought “health care services.” Thus, a straightforward reading of these definitions leads to the conclusion that such information relating to non-prescription medication is “consumer health data” under MHMDA.  However, this conclusion is contrary to the position stated in the new addition to the Attorney General FAQs.

Third, part (b)(vi) of the definition of “consumer health data” includes “diagnoses or diagnostic testing, treatment, or medication.” Here too, the “prescribed” limitation is not applied to “medication.”  So, any information about the purchase or use of medication used for diagnostic purposes, even if over-the-counter, presumably would be captured by this part of the definition.

Fourth, part (b)(viii) of the definition of “consumer health data” includes “reproductive or sexual health information.” In turn, “reproductive or sexual health information” is defined as “personal information relating to seeking or obtaining past, present, or future reproductive or sexual health services” (emphasis added). And finally, “reproductive or sexual health services” is defined as “health services or products that support or relate to a consumer's reproductive system or sexual well-being, including but not limited to … Use or purchase of medication…” Again, there is no limitation to “prescribed” medication.

Fifth, part (b)(vii) of the definition of “consumer health data” likewise includes “gender-affirming care information.” And “gender-affirming care information” is defined as “personal information relating to seeking or obtaining past, present, or future gender-affirming care services” (emphasis added). “Gender-affirming care services” is defined as including “health services or products that support and affirm an individual's gender identity including, but not limited to, … medical … interventions.” It also includes any “treatments for gender dysphoria [and] gender-affirming hormone therapy.” So, while the term “medication” is not used in this cascading set of definitions, it is apparent that any medications used for gender-affirming purposes could be covered, whether or not they are prescribed.

Sixth, and finally, part (b)(xiii) of the definition of “consumer health data” explicitly includes any inferences of health status (i.e. any other element of the definition of consumer health data) from any non-health data.  Thus, for example, if a particular health condition is inferred from the purchase or use of non-prescription medication, then that inference would obviously be within the scope of consumer health data and covered by the law. 

This inclusion of inferences in the definition of “consumer health data” is the one scenario of non-prescription medications being covered that is recognized in the new FAQ #8. But as described above, there are many other ways in which non-prescription medications can fall within the scope of the broad “consumer health data” definition.

OK. If Non-Prescription Medication is in Scope, Now What?

Even if a literal reading of the statutory language indicates that information about the purchase of non-prescription medication is “consumer health data” – contrary to the position stated in the OAG’s guidance – the new FAQ #8 should nevertheless give some comfort.

At the very least, it is a strong indicator that the OAG is unlikely to take an enforcement action based on the processing of information about over-the-counter medication purchases -- at least not without other aggravating factor(s) present. 

Plaintiffs’ attorneys, on the other hand, are not bound by this FAQ. But to bring a valid claim under MHMDA, they must show some injury (as defined under the Washington Consumer Protection Act). For alleged violations involving only purchase data regarding innocuous over-the-counter medication, it will likely be very difficult to demonstrate injury to the consumer – at least not without other aggravating factors present.

So, what could be the potential aggravating factors that could lead either the OAG or private plaintiffs to bring cases involving the purchase of non-prescribed medication?   Clearly, drawing inferences about health status from such purchase data – as called out in the FAQ – could lead to enforcement if the company fails to comply with MHMDA obligations with respect to such inferences.

Also, purchase data regarding non-prescription medications that are specific to, or largely associated with, reproductive health, sexual health, and gender-affirming care could be riskier.  Even without a company drawing any inferences, the processing of that data could nevertheless lead to the kinds of harms MHMDA was intended to address. 

All of this, again, points to the importance of a risk-based approach to MHMDA compliance. In most cases, the collection and processing of information regarding the purchase of non-prescription medication will be low risk. But there are several factors, such as the nature of medications or whether inferences are being drawn, that could dramatically increase the risk of processing such data.

While this is a more nuanced approach than is suggested in the new FAQ #8, that FAQ nevertheless provides some additional insight into OAG views that can help shape a company’s risk-based approach to this challenging law. 

 Mike Hintze is a Member Partner at Hintze Law PLLC and a recognized leader in privacy and data protection law, policy, and strategy.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.
