HIPAA Compliance in Washington State: Key State-Specific Requirements (UHCIA, My Health My Data Act)


Kevin Henry

HIPAA

April 28, 2026

8 minute read

Overview of HIPAA and UHCIA

How HIPAA sets the federal baseline

HIPAA establishes nationwide rules for safeguarding Protected Health Information, defining who is covered, how PHI may be used or disclosed, and the safeguards and patient rights that apply. It is the floor—not the ceiling—for privacy and security obligations.

Washington’s UHCIA as a state-level health information law

Washington’s Uniform Health Care Information Act (UHCIA) is a state-level health information law that predates HIPAA and remains fully operative. It focuses on “health care information” held by health care providers, facilities, and related organizations in Washington, with detailed consent, disclosure, and redisclosure limits that can be stricter than federal rules.

How the laws interact in practice

When HIPAA and UHCIA both apply, you must follow the stricter rule. HIPAA governs PHI held by covered entities and business associates; UHCIA adds Washington-specific consent and disclosure standards. The My Health My Data Act (MHMDA) extends beyond HIPAA’s scope to reach organizations that handle consumer health data outside traditional care settings.

Introduction to the My Health My Data Act

Purpose and reach

The My Health My Data Act fills gaps left by HIPAA by regulating consumer health data collected by websites, apps, retailers, ad tech, and telehealth platforms, even when they are not HIPAA-covered entities. It is designed to protect Washingtonians’ health privacy in digital and commercial contexts.

MHMDA applies to any legal entity doing business in Washington or targeting Washington consumers and collecting, processing, sharing, or selling consumer health data. The statute distinguishes between “regulated entities” and “small businesses” for timing and certain obligations, but its duties can extend extraterritorially when Washington consumers are affected.

Definition and Scope of Consumer Health Data

What counts as consumer health data

Consumer health data includes any personal data that identifies or can be reasonably linked to a consumer and reveals the consumer’s physical or mental health status, care, or efforts to seek care. This covers information about reproductive and sexual health, gender-affirming care, chronic conditions, medication use, genetic and biometric identifiers, and precise location that indicates a health-related visit.

Inferences and digital traces

The scope also reaches inferences drawn from purchase histories, browsing behavior, or app telemetry that suggest a health condition or an intent to seek health services. Online tracking technologies, pixels, SDKs, and analytics that create such inferences can bring an organization within MHMDA’s reach.

De-identified Data Standards

De-identified data is excluded, but only if it cannot reasonably be linked to a consumer or a device and you commit not to attempt re-identification. You must maintain technical and organizational safeguards and ensure downstream recipients are contractually bound not to re-identify or disclose the data contrary to your commitments.


Exemptions under MHMDA

Data- and entity-based carve-outs

  • Data regulated as Protected Health Information under HIPAA when handled by covered entities and business associates.
  • Patient records subject to 42 CFR Part 2, and certain clinical research data governed by human-subjects protections.
  • Education records under FERPA and financial data under GLBA, along with driver and motor vehicle data under DPPA.
  • Public health reporting and other specified governmental functions.
  • De-identified data that meets MHMDA’s De-identified Data Standards.

What is not exempt

Health-related browsing, app usage, or purchase data held by non-HIPAA businesses—such as fitness, wellness, and reproductive health apps, or retailers selling health products—often remains covered. If the data reveals health status or intent, assume MHMDA may apply unless a specific exemption fits.

Washington Consumer Protection Act enforcement

MHMDA is enforceable under the Washington Consumer Protection Act. Consumers have a private right of action for unfair or deceptive practices related to consumer health data, with potential recovery of actual damages, attorneys’ fees, and up to treble damages (subject to statutory caps).

Attorney General actions and per-violation penalties

The Washington Attorney General may bring enforcement actions and seek civil penalties on a per-violation basis, along with injunctive relief. There is no universal cure period, so prompt remediation and documented compliance are critical to reduce exposure.

Operational and contractual risks

Violations can also trigger contract breaches with partners, require costly incident response, and lead to reputational harm. Companies should treat MHMDA compliance as an enterprise risk program, not a one-time paperwork exercise.

Compliance Deadlines and Requirements

Key dates

  • Geofencing restrictions: effective July 23, 2023 (applies to any person using geofences near health care facilities).
  • Main obligations for regulated entities: effective March 31, 2024.
  • Small business obligations: effective June 30, 2024.

Program requirements at a glance

  • Publish and maintain a Health Data Privacy Policy describing categories of consumer health data collected, purposes, sharing/selling practices, and how consumers can exercise their rights.
  • Implement data minimization: collect, use, and retain only what is necessary to provide the requested product or service, or obtain consent for anything beyond that necessity.
  • Honor consumer rights: confirm whether you collect data, provide access and deletion, disclose third parties and affiliates receiving data, and offer a mechanism to withdraw consent.
  • Secure the data: adopt administrative, technical, and physical safeguards proportionate to sensitivity and risk.

Vendors and processors

  • Execute processor agreements that define processing instructions, confidentiality, security controls, subprocessor oversight, and assistance with consumer requests and deletion.
  • Prohibit processors from re-identifying de-identified data or using consumer health data for independent purposes without the consumer’s consent.

Governance and recordkeeping

  • Maintain consent and authorization logs, data maps for consumer health data, retention schedules, and deletion workflows.
  • Train workforce members who handle consumer health data and monitor for dark patterns in consent or sale flows.

Health Data Privacy Policy essentials

Your Health Data Privacy Policy must be accurate, prominent, and written in clear language. It should list the categories of consumer health data collected, purposes for each category, categories of sources, the types of third parties and affiliates with whom data is shared or sold, retention periods, and instructions for exercising access, deletion, and withdrawal rights.

Consent for collection and sharing

MHMDA generally requires affirmative, opt-in consent before collecting consumer health data that is not strictly necessary to provide the product or service requested. Separate, specific consent is required before sharing consumer health data with third parties, and you must allow consumers to withdraw consent as easily as they gave it.

Sale authorization

Selling consumer health data requires a distinct, signed authorization that clearly identifies the data being sold, the purchaser, the purpose, and the consumer’s right to revoke. “Sale” is broadly defined and can include exchanges for monetary or other valuable consideration.

Consumer rights operations

Provide accessible methods for consumers to submit requests, authenticate identity, and receive responses within required timeframes. Do not use dark patterns, and ensure that withdrawal of consent or revocation of a sale authorization halts further processing for those purposes.

Conclusion

HIPAA compliance in Washington State now requires layering UHCIA’s stricter disclosure rules and MHMDA’s comprehensive consumer health data regime. Center your program on clear notices, affirmative consent, minimization, strong security, and disciplined vendor management to reduce legal, operational, and reputational risk.

FAQs

What is the Uniform Health Care Information Act?

The Uniform Health Care Information Act (UHCIA) is Washington’s state-level health information law governing how health care providers, facilities, and related entities handle “health care information.” It imposes detailed consent, disclosure, and redisclosure rules that can be stricter than HIPAA, and it operates alongside HIPAA rather than being displaced by it.

How does the My Health My Data Act expand HIPAA protections?

MHMDA protects consumer health data outside traditional clinical settings. It reaches websites, apps, retailers, and ad tech that collect or infer health information, requires affirmative consent for non-necessary collection and for sharing, mandates a Health Data Privacy Policy, grants robust consumer rights, restricts geofencing near health care facilities, and demands heightened guardrails for any sale of health data.

Who must comply with MHMDA in Washington?

Any legal entity that does business in Washington or targets Washington consumers and collects, processes, shares, or sells consumer health data must comply. The law applies broadly beyond HIPAA-covered entities and includes both “regulated entities” and “small businesses,” with staggered compliance timelines defined by the statute.

What are the penalties for violating Washington health data laws?

Violations of MHMDA are enforceable under the Washington Consumer Protection Act. Consumers can sue for actual damages and attorneys’ fees, with potential treble damages subject to statutory caps, and the Attorney General may seek civil penalties and injunctive relief. Noncompliance can also trigger contract breaches and reputational harm.
