A business that is subject to the My Health, My Data Act should take the following steps by March 31, 2024 (or June 30, 2024, if the business is a “small business”):
- Privacy Policy: The business needs to draft and publish a Privacy Policy that discloses the ways in which the business collects, processes, or shares consumer health data. The Privacy Policy must include the following elements:
  - The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;
  - The categories of sources from which the consumer health data is collected;
  - The categories of consumer health data that is shared;
  - A list of the categories of third parties and specific affiliates with whom the business shares the consumer health data; and
  - How a consumer can exercise the rights provided in the Act.
- Consent Form: If the business collects, uses, or shares consumer health data for purposes other than providing a product or service that the consumer requested, the business must ensure that consumers sign a consent form that permits the business to collect, use, or share consumer health data in such a manner.
- Internal Policies: The business needs to draft internal policies for: (1) limiting access to consumer health data to an “as needed” basis; (2) establishing and maintaining data security practices that meet industry standards; and (3) handling consumer requests related to consumer health data.
- Processor Contracts: The business needs to enter into contracts with any individuals or entities that “process” consumer health data on behalf of the business.
- Authorization for Sale of Data: If the business sells consumer health data, the business needs to ensure that consumers sign a separate authorization permitting the sale of consumer health data.
Please contact Casey Moriarty or Maddie Haller of the Ogden Murphy Wallace health care team for more information about the My Health, My Data Act.