Washington Healthcare Privacy Laws Explained (2024): HIPAA, the My Health My Data Act, and Compliance Essentials
Overview of HIPAA Privacy Protections
HIPAA’s Privacy Rule protects Protected Health Information (PHI) held by covered entities—health plans, most healthcare providers, and clearinghouses—and their business associates. It permits use and disclosure for treatment, payment, and healthcare operations without prior authorization while applying the “minimum necessary” standard to limit extra sharing.
You must provide patients core rights: access to their records, an accounting of certain disclosures, the ability to request restrictions and confidential communications, and a right to request amendments. A Notice of Privacy Practices sets expectations, and the Security Rule plus breach-notification requirements add technical and incident-response safeguards.
What HIPAA Covers—and What It Doesn’t
HIPAA attaches to PHI in the hands of covered entities and business associates—not to all health-related data everywhere. Wellness apps, retail websites, adtech platforms, and search tools may fall outside HIPAA even when they handle sensitive health-related signals. Washington’s My Health My Data Act (MHMDA) fills much of that gap.
Key Provisions of the My Health My Data Act
MHMDA regulates Consumer Health Data about Washington consumers, broadly defined to include physical and mental health information, precise location revealing a health visit, and inferences drawn from browsing or purchase activity. It applies extraterritorially to organizations that conduct business in Washington or target Washington consumers.
The law requires informed consent before collecting Consumer Health Data and separate, additional consent before sharing it, with easy methods to withdraw consent at any time. A clear, publicly available Data Privacy Policy must describe categories of data collected, purposes, sources, sharing, retention, and how you honor consumer rights.
MHMDA imposes strict Data Sharing Restrictions and bans geofencing to identify, track, or target people near healthcare facilities. It also establishes Healthcare Data Selling Regulations: you may not sell Consumer Health Data without a valid, signed authorization that is specific, separate from other consents, and revocable.
Compliance Requirements for Regulated Entities
Start with a data inventory that maps what Consumer Health Data you collect, where it resides, who accesses it, and why. Minimize collection and retention to what is reasonably necessary for stated purposes, and document those purposes in your Data Privacy Policy.
Build consent flows that are opt-in, granular, and easy to understand. Present separate prompts for collection and for sharing; avoid bundling consent with unrelated terms. Provide simple, always-on ways for people to revoke consent and stop processing that is not required to deliver a requested service.
Operationalize Data Subject Access Requests (DSARs) with a verifiable intake process, documented timelines, and trained staff. Secure data with administrative, technical, and physical safeguards, including role-based access, encryption in transit and at rest, and logging. Maintain incident response playbooks and retention/disposal schedules aligned to business need and legal obligations.
Prohibit secondary uses and data enrichment that you have not clearly disclosed and obtained consent for. If you engage in any data selling, use a dedicated authorization workflow that captures required content and retains proof for audits.
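One way to enforce the separate collection, sharing, and sale consents described in the steps above, as an added example that is not from the article: a small in-memory consent ledger (class and field names are this example's own assumptions) that gates each processing step on a matching active consent, treats a sale as permitted only when a signed, standalone authorization is on file, and refuses any purpose that was never consented to.

```python
# Added example, not from the article: a consent ledger enforcing MHMDA's separate
# consent model before Consumer Health Data is collected, shared or sold. Names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

COLLECT, SHARE, SELL = "collect", "share", "sell"

@dataclass
class ConsentRecord:
    consumer_id: str
    purpose: str                         # COLLECT, SHARE or SELL
    category: str                        # e.g. "mental_health"
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None
    signed: bool = False                 # a sale needs a signed authorization...
    standalone: bool = False             # ...kept separate from other consents

class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def grant(self, consumer_id: str, purpose: str, category: str,
              signed: bool = False, standalone: bool = False) -> ConsentRecord:
        rec = ConsentRecord(consumer_id, purpose, category,
                            datetime.now(timezone.utc), None, signed, standalone)
        self._records.append(rec)
        return rec

    def withdraw(self, consumer_id: str, purpose: str, category: str) -> int:
        # Close every active record for this purpose; returns how many were closed.
        now, count = datetime.now(timezone.utc), 0
        for rec in self._active(consumer_id, purpose, category):
            rec.withdrawn_at, count = now, count + 1
        return count

    def _active(self, consumer_id: str, purpose: str, category: str) -> List[ConsentRecord]:
        return [r for r in self._records if r.withdrawn_at is None and r.consumer_id == consumer_id
                and r.purpose == purpose and r.category == category]

    def permitted(self, consumer_id: str, purpose: str, category: str) -> bool:
        # Gate one processing step: consent for one purpose never implies another, and
        # withdrawing collection consent also stops downstream sharing and selling.
        if not self._active(consumer_id, COLLECT, category):
            return False
        if purpose == SHARE:
            return bool(self._active(consumer_id, SHARE, category))
        if purpose == SELL:
            return any(r.signed and r.standalone for r in self._active(consumer_id, SELL, category))
        return purpose == COLLECT
```

Call `permitted()` at the point where data is collected, shared or sold, not only at prompt time, so a withdrawal takes effect on the next operation rather than the next login.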
Consumer Rights and Data Access
Under MHMDA, Washington consumers can access, obtain a copy of, and delete Consumer Health Data you hold about them. They may withdraw consent and limit sharing to what is necessary to provide a requested product or service. Your DSAR program should verify identity, fulfill requests within statutory timelines, explain denials, and honor appeals.
HIPAA offers overlapping but different rights. Patients can access and obtain copies of their PHI and request amendments to inaccurate or incomplete information. Unlike HIPAA, MHMDA includes a right to deletion and enhanced controls over sharing and selling, so you must be prepared to apply the correct rule to the correct dataset.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Obligations for Vendor Agreements
With HIPAA, you must execute Business Associate Agreements that limit uses of PHI, require appropriate safeguards, mandate breach reporting, and flow obligations down to subcontractors. Review vendors regularly and document due diligence.
Under MHMDA, processors may handle Consumer Health Data only on documented instructions. Your contracts should describe processing purposes, require confidentiality, specify security controls, restrict subprocessor onboarding without notice and approval, and obligate deletion or return of data at the end of the engagement. Align vendor monitoring with your DSAR, consent, and data minimization practices.
Small Business Compliance Deadlines
MHMDA’s geofencing ban took effect on July 23, 2023. Most regulated entities were required to comply with the rest of the Act beginning March 31, 2024. Small businesses had additional runway and were required to comply by June 30, 2024.
If your operations hover near the law’s “small business” thresholds, treat compliance as current and ongoing. Reassess status regularly, because crossing a threshold can convert you into a regulated entity with immediate obligations.
Differences Between HIPAA and MHMDA
Scope: HIPAA protects PHI within covered entities and business associates. MHMDA reaches a far wider universe—any organization that collects or shares Consumer Health Data about Washington consumers, including apps, retailers, publishers, and adtech.
Legal basis: HIPAA allows many core uses for treatment, payment, and operations without consent. MHMDA generally requires informed, opt-in consent to collect and separate consent to share, plus a published Data Privacy Policy and strong Data Sharing Restrictions.
Individual rights: HIPAA guarantees access and amendment; MHMDA adds deletion, broader access and portability rights, and an easy way to withdraw consent. Selling data is tightly restricted under both regimes, but MHMDA requires a specific, signed authorization for any sale of Consumer Health Data.
Enforcement and risk: HIPAA is enforced by federal regulators, often through corrective action plans and civil penalties. MHMDA is enforceable under Washington law and creates additional private litigation and state enforcement exposure, increasing operational and reputational risk for noncompliance.
Conclusion
To navigate Washington healthcare privacy laws, classify your datasets as PHI or Consumer Health Data, publish a precise Data Privacy Policy, secure informed consents, operationalize DSARs, and harden vendor and security controls. Doing so positions you to meet HIPAA, satisfy MHMDA, and build durable trust with the people whose data you steward.
FAQs
What entities are covered by the My Health My Data Act?
Any organization that conducts business in Washington or targets Washington consumers and determines the purposes and means of collecting or sharing Consumer Health Data is a regulated entity. This includes traditional healthcare companies and nontraditional players like mobile apps, retailers, publishers, and advertising or analytics providers. Processors that handle data on behalf of others must also meet contract-bound obligations.
How does MHMDA differ from HIPAA?
HIPAA focuses on PHI held by covered entities and business associates and permits many core uses without consent. MHMDA applies broadly to Consumer Health Data, requires informed opt-in consent to collect and separate consent to share, restricts geofencing and selling without a signed authorization, and grants broader deletion and control rights to consumers.
What are the consumer rights under Washington healthcare privacy laws?
Under MHMDA, consumers can access, receive a copy of, and delete Consumer Health Data and can withdraw consent to collection or sharing. Under HIPAA, patients can access and obtain copies of PHI and request amendments, along with additional protections like confidential communications and an accounting of certain disclosures.
When must small businesses comply with MHMDA?
Small businesses were required to comply by June 30, 2024. The geofencing prohibition was already in force as of July 23, 2023, and most other regulated entities had to comply by March 31, 2024.