United States: My Health My Data - Exceptions and exemptions examined

In brief

With the new Washington state My Health My Data Act, you may wonder if any exceptions or exemptions apply to your organization (for an overview of the law, see here). 

As a reminder, the definition of consumer health data is broad: "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status" (the definition includes as an enumerated example any information that is derived from non-health information). But "consumer" excludes individuals acting in an employment context. Outside of the broad exclusion of employment context data, the My Health My Data Act's list of exceptions and exemptions is long but is focused mainly on specific medical and health care contexts where health data is more narrowly defined or otherwise another specific law applying to processing of the data.


Data Level

Certain information that would satisfy the definition of consumer health data is not protected because processing of such information is regulated under another law. The My Health My Data Act does not apply to information that meets the definition of:

  • Protected health information for purposes of the federal health insurance portability and accountability act of 1996 and related regulations
  • Health care information collected, used, or disclosed in accordance with chapter 70.02 RCW;  (Chapter 70.02 RCW “Medical Records—Health Care Information Access and Disclosure” establishes a number of safeguards to protect the privacy of medical records)
  • Patient identifying information collected, used, or disclosed in accordance with 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2 (42 CFR Part 2 “Confidentiality of Substance Use Disorder Patient Records” regulates the conditions under which individuals can access their own substance use disorder patient records, as well as the conditions under which substance use disorder patient records can be disclosed to third parties)
  • Identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization; the protection of human subjects under 21 C.F.R. Parts 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the requirements set forth in Sec. 12 (1) (a) (iv) of the act (this bullet point) (45 C.F.R. Part 46 regulates the protection of human subjects in research to provide basic protections to human subjects involved in both biomedical and behavioral research conducted or supported by the Department of Health & Human Services)
  • Information and documents created specifically for, and collected and maintained by:
    • A quality improvement committee for purposes of RCW 43.70.510, 70.230.080, or 70.41.200 (RCW 43.70.510 “Health Care Services Coordinated Quality Improvement Program—Rules” is designed to improve the quality of health care services in Washington by promoting cooperation and collaboration among healthcare providers; RCW 70.230.080 regulates the coordinated quality improvement program for ambulatory surgical facilities; RCW 70.41.200 regulates the quality improvement and medical malpractice prevention program for hospitals in Washington)

    • A peer review committee for purposes of RCW 4.24.250 (RCW 4.24.250 regulates the immunity of health care providers who file charges or present evidence to a professional review committee)

    • A quality assurance committee for purposes of RCW 74.42.640 or 18.20.390 (RCW 74.42.640 and RCW 18.20.390 regulate the creation and operation of quality assurance committees in nursing homes and assisted living facilities in Washington)

    • A hospital, as defined in RCW 43.70.056, for reporting of health care-associated infections for purposes of RCW 43.70.056, a notification of an incident for purposes of RCW 70.56.040(5), or reports regarding adverse events for purposes of RCW 70.56.020(2)(b) (RCW 43.70.056 regulates the reporting of healthcare-associated infections by acute care hospitals; RCW 70.56.040(5) regulates the notification of incidents by medical facilities and health care workers to an independent entity; and RCW 70.56.020(2)(b) regulates the reporting of adverse events by medical facilities to the Department of Health)

    • A manufacturer, as defined in 21 C.F.R. Sec. 820.3(o) (in Food and Drug Administration Department of Health and Human Services Subchapter H - Medical Devices), when collected, used, or disclosed for purposes specified in chapter 70.02 RCW.

  • Information and documents created for purposes of the federal health care quality improvement act of 1986, and related regulations

  • Patient safety work product for purposes of 42 C.F.R. Part 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26; (42 C.F.R. Part 3 regulates the confidentiality and privilege protections of patient safety work product)

  • Information that is (A) deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164, and (B) derived from any of the health care-related information listed in Sec. 12 (1) (a) (viii) of the act (this bullet point) (45 C.F.R. Part 164 regulates the privacy and security of protected health information held by covered entities and their business associates)

  • Information used only for public health activities and purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a limited data set, as defined, and is used, disclosed, and maintained in the manner required, by 45 C.F.R. Sec. 164.514

  • Identifiable data collected, used, or disclosed in accordance with chapter 43.371 RCW or RCW 69.43.165. (43.371 RCW regulates the establishment and operation of a statewide all-payer health care claims database; RCW 69.43.165 regulates the use of an electronic sales tracking system to monitor the sale of ephedrine, pseudoephedrine, and phenylpropanolamine).

And the following consumer health data is not protected if it is governed by and collected, used, or disclosed pursuant to the following regulations, parts, titles, or acts:

  • The Gramm-Leach-Bliley act (15 U.S.C. 6801 et seq.) and implementing regulations (The Gramm-Leach-Bliley act governs the treatment of nonpublic personal information about consumers by financial institutions
  • Part C of Title XI of the social security act (42 U.S.C. 1320d et seq.)
  • The fair credit reporting act (15 U.S.C. 1681 et seq.) (The Fair Credit Reporting Act governs access to consumer credit report records and the privacy of personal information assembled by Credit Reporting Agencies)
  • The family educational rights and privacy act (20 U.S.C. 1232g; Part 99 of Title 34, C.F.R.) (FERPA protects students with respect to their education records)
  • The Washington health benefit exchange and applicable statutes and regulations, including 45 C.F.R. Sec. 155.260 and chapter 43.71 RCW

  • Privacy rules adopted by the office of the insurance commissioner pursuant to chapter 48.02 or 48.43 RCW.

Entity Level 

Certain information is not protected because it originates from, and is intermingled to be indistinguishable with, information subject to certain data level exemptions or exceptions that is maintained by:

  • A covered entity or business associate as defined by the health insurance portability and accountability act of 1996 and related regulations
  • A health care facility or health care provider as defined in RCW 70.02.010
  • A program or a qualified service organization as defined by 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2.

Security and Compliance

Beyond the data and entity level exceptions and exemptions above, the obligations imposed on regulated entities (including small businesses) and processors do not restrict such entities' ability to collect, use, or disclose consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law. Those seeking to rely on the security and compliance exemption bears the burden of demonstrating that such processing qualifies for the exemption. 


Consumer health data is broadly defined. Outside of the employment and security and compliance context, exceptions and exemptions only apply if (i) another specific law applies or (ii) if data is mixed with data subject to another law and processed by particular types of regulated entities. Taken together, for a majority of businesses that are not subject to the specific laws enumerated above, the applicability of the My Health My Data Act therefore will likely be determined by what personal information they collect about persons in Washington. Applicability will be determined by just how broadly consumer health data will be understood. With the act's prescriptive requirements and private right of action, businesses should assess applicability now and keep in mind the requirements related to consumer health data in the already operative amendments to Connecticut law (summary here) and the requirements in the Nevada consumer health law (summary here). 

Contact Information

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.