The My Health, My Data Act applies to businesses that are “regulated entities,” "small businesses," and “processors.”
A “regulated entity” means a legal entity that meets two criteria: (a) it conducts business in Washington or offers products or services specifically aimed at Washington consumers, and (b) it independently or in collaboration with others determines the purpose and methods of collecting, processing, sharing, or selling consumer health data.
A "small business” means a regulated entity that meets one or both of the following criteria: (a) it collects, processes, sells, or shares consumer health data for fewer than 100,000 consumers in a calendar year, or (b) It earns less than 50% of its gross revenue from the collection, processing, selling, or sharing of consumer health data, and it controls, processes, sells, or shares consumer health data for fewer than 25,000 consumers.
The requirements on regulated entities and small businesses are generally the same under the Act, but the compliance date for small businesses is June 30, 2024, versus March 31, 2024, for other regulated entities.
The Act also applies to “processors” who engage in any operation or set of operations performed on consumer health data on behalf of a regulated entity or small business. For example, cloud service providers, IT support companies, payment processors, data analytics companies, marketing agencies, and document management companies could all be “processors” if they handle consumer health data on behalf of a regulated entity or small business.