The My Health, My Data Act is designed to give consumers more control over their health data that is collected, shared, or used by regulated entities. Under the Act, consumers have the right to:
- Confirm: Confirm if a regulated entity is collecting, sharing, or selling their health data.
- Access: Access their health data, including access to a list of third parties and affiliates with whom their data has been shared and an active email address that the consumer may use to contact the third parties.
- Withdraw Consent: Withdraw consent for the collection and sharing of their health data and request its deletion. If a deletion request is made, the regulated entity must delete the data from its records and notify third parties who received the data.
- Appeal: Appeal a regulated entity’s refusal to take action on their deletion request. The regulated entity must inform them of the decision and provide an explanation.
Consumers can exercise these rights by submitting a request to the regulated entity, and the entity may require additional information to authenticate the request. The regulated entity must provide the requested information free of charge up to twice a year, but if requests are unfounded, excessive, or repetitive, a reasonable fee may be charged.
The regulated entity must comply with a consumer’s request within 45 days of receiving it. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as the regulated entity or the small business informs the consumer of the extension, together with the reason for it, within the initial 45-day response period.