Washington State HIPAA Laws Explained: What Patients and Providers Need to Know


Kevin Henry

HIPAA

September 26, 2025


Overview of Washington State Privacy Regulations

Washington overlays federal HIPAA with robust state laws that expand privacy and billing protections. The Uniform Health Care Information Act (RCW 70.02) sets core rules for creating, using, and disclosing medical records, while the My Health My Data Act governs “consumer health data” that may fall outside HIPAA. Together, these frameworks determine how your information is collected, shared, and secured.

For you as a patient, this means stronger rights to access and control your records, clearer notices, and protections against unexpected medical bills. For providers and health plans, it means building policies that satisfy HIPAA and state-specific duties, including Washington Consumer Protection Act enforcement risk for unfair or deceptive data practices.

Other important Washington laws include the Balance Billing Protection Act, which curbs surprise bills, and workers’ compensation rules that allow targeted disclosures to the Department of Labor & Industries. Each law serves a distinct purpose but must be applied in concert to keep your data safe and care affordable.

My Health My Data Act Compliance

Scope and who must comply

The My Health My Data Act applies broadly to “regulated entities” that collect, share, or sell consumer health data, even if they are not HIPAA-covered entities. It reaches websites, apps, and analytics tools that infer or handle health-related information, as well as traditional healthcare organizations when they process data outside HIPAA’s scope.

The Act defines consumer health data expansively, including information that identifies your health status, attempts to obtain care, or data that can be used to infer health conditions. Regulated entities must obtain clear, specific consent before collecting or sharing this data and must secure a signed authorization for any sale. Consent cannot be buried in general terms; it must be separate, granular, and easy to withdraw.

Privacy notices, rights, and controls

  • Publish a detailed privacy policy that describes categories of consumer health data, purposes, and disclosures.
  • Offer rights to access, delete, and withdraw consent to processing and sharing.
  • Honor rights requests within defined medical record access timeframes and maintain records of responses.

Geofencing and advertising limits

The Act prohibits using geofencing around healthcare facilities to identify or target people for health-related marketing. It also restricts targeted advertising that relies on consumer health data without proper consent, protecting you from intrusive outreach tied to sensitive visits or searches.

Vendor contracts, security, and minimization

Organizations must execute contracts with processors that mirror statutory obligations, restrict re-use, and require appropriate safeguards. Data minimization and role-based access are expected, supported by routine risk assessments and documented retention schedules.

Enforcement and the Washington Consumer Protection Act

Violations can be pursued under the Washington Consumer Protection Act, exposing organizations to significant remedies. Practical compliance includes staff training, consent management workflows, and auditing data maps to confirm where consumer health data lives and moves.

Confidentiality Toolkit for Healthcare Providers

Washington’s Health Care Authority Confidentiality Toolkit helps you implement HIPAA and state privacy rules in daily operations. It offers practical guidance, sample forms, and checklists that align with RCW 70.02 and the My Health My Data Act, making it easier to standardize privacy practices across clinics, billing teams, and care coordinators.

What the Toolkit supports

  • Minimum necessary standards and role-based access controls for staff.
  • Unified authorization and consent templates that reflect both HIPAA and state law.
  • Information-sharing pathways for care coordination, including behavioral health and 42 CFR Part 2 considerations.
  • Incident response steps for suspected breaches, plus workforce training tips and documentation aids.

Using the Toolkit, providers can translate legal requirements into consistent, auditable workflows—reducing errors, speeding up responses to patient requests, and demonstrating diligence to regulators and partner entities.

Uniform Health Care Information Act Requirements

The Uniform Health Care Information Act (UHIA), codified at RCW 70.02, governs health care information held by providers and facilities. It complements HIPAA by adding Washington-specific rights, timelines, and disclosure rules that you must follow when creating, storing, or sharing patient records.

Patient rights under RCW 70.02

  • Access and copies: Patients have the right to examine and obtain copies of their records within defined medical record access timeframes that are generally faster than HIPAA’s 30-day default (commonly within 15 working days in Washington).
  • Amendments: Patients may request corrections or add statements of disagreement when information cannot be amended.
  • Accounting and restrictions: Patients can request an accounting of certain disclosures and ask for added limits on sharing where feasible.

Authorizations and special protections

Washington requires valid, time-limited authorizations for many disclosures that are not for treatment, payment, or health care operations. Additional protections apply to behavioral health information, HIV test results, and other sensitive categories, which often require heightened consent and handling.

Formats, fees, and interoperability

Providers must furnish records in a reasonably available format, including electronic copies when feasible. Washington caps copying fees and expects timely, well-documented responses to requests, allowing designated third parties to receive records at a patient’s direction.

How UHIA aligns with HIPAA

Where state law is more protective than HIPAA, Washington requirements typically control. Practically, you should build one intake-and-response process that meets the stricter standard to avoid conflicting timelines or forms.


Balance Billing Protection Act Provisions

Washington’s Balance Billing Protection Act shields you from surprise bills in common out-of-network scenarios. When you receive emergency care—or certain non-emergency services at an in-network facility from an out-of-network clinician—you cannot be balance billed beyond your in-network cost-sharing.

Key patient safeguards

  • In-network cost-sharing: Your copays, coinsurance, and deductibles are calculated as if the care were in-network.
  • Provider–insurer dispute resolution: Payment disputes move to a structured negotiation and arbitration process, keeping you out of the middle.
  • Clear notices: Facilities and plans must provide disclosures about network status and your protections, improving financial transparency before and after care.

These state protections work alongside the federal No Surprises Act, ensuring comprehensive coverage for emergency services and many ancillary out-of-network services. If both laws apply, the stronger patient protection generally prevails.

Workers' Compensation HIPAA Exemptions

In Washington, disclosures for workers’ compensation are treated differently to keep your claim moving. Under HIPAA’s workers’ compensation provisions and state law, providers may share claim-related health information without patient authorization with the Department of Labor & Industries and self-insured employers—often referred to as the Department of Labor & Industries HIPAA Exemption.

What can be shared for a claim

  • Injury-related diagnoses, treatment plans, and work restrictions.
  • Functional capacity and return-to-work information.
  • Billing documentation and records needed to adjudicate or pay the claim.

What remains protected

Only information reasonably necessary to administer the claim should be disclosed. Unrelated conditions, particularly sensitive categories, should be segregated and withheld unless specifically required by law, a court order, or the patient’s authorization.

Provider best practices

  • Verify the claim number and requestor’s authority before disclosing.
  • Limit disclosures to the minimum necessary for claim administration.
  • Document what was shared, to whom, and why, maintaining consistency with RCW 70.02.

Protections for Provider Communication with Patients

Washington law and HIPAA both safeguard your ability to communicate openly with patients. Communications for treatment, care coordination, case management, refill reminders, and appointment scheduling are permitted without additional authorization, so you can deliver timely guidance and follow-up care.

State rules reinforce transparency by discouraging “gag clauses” in network contracts and empowering providers to discuss costs, network status, quality, and alternatives candidly. At the same time, marketing that uses consumer health data may require explicit consent under the My Health My Data Act, and selling such data demands a signed authorization.

Digital communication—secure messaging, email, or text—should follow the minimum necessary standard, include reasonable safeguards, and respect patient preferences. With patient consent or when otherwise permitted, providers may involve family or caregivers, while honoring heightened confidentiality for sensitive services.

FAQs

What does the My Health My Data Act require for consent?

The Act requires clear, separate, and specific consent before collecting or sharing consumer health data outside HIPAA, and a signed authorization to sell such data. Consent cannot be bundled in general terms and conditions, must be easy to understand, and must be revocable. Entities must also publish a detailed privacy notice and honor rights to access and delete data within applicable medical record access timeframes.

How does the Uniform Health Care Information Act affect patient record access?

Under RCW 70.02, you have a right to inspect and obtain copies of your records promptly—on a timeline that is typically faster than HIPAA’s federal 30-day default (commonly within 15 working days in Washington). Providers must supply records in a reasonably available format, may charge capped copying fees, and must document timely responses. You can also request amendments and an accounting of certain disclosures.

What protections does the Balance Billing Protection Act provide patients?

It prevents out-of-network clinicians and facilities from billing you above in-network cost-sharing for covered emergency services and many non-emergency services rendered at in-network facilities. The law pushes payment disputes to provider–insurer arbitration, mandates clear notices about network status and rights, and coordinates with federal No Surprises Act safeguards so you are not stuck with unexpected charges.

Are healthcare providers allowed to share information without patient authorization for workers' compensation?

Yes. For workers’ compensation claims, providers may disclose information reasonably necessary to administer or pay the claim to Washington’s Department of Labor & Industries or a self-insured employer without obtaining patient authorization. Disclosures should be limited to the minimum necessary and documented, and unrelated sensitive information should be withheld unless otherwise required by law or authorized by the patient.
