
Awareness article

HIPAA Compliance for Washington State Clinics: Federal and State Requirements

How Washington State's My Health MY Data Act, 30-day breach notification requirement, and mental health records law layer onto HIPAA for small clinics — with specific statute citations and action items.

Short answer

Washington State clinics must comply with HIPAA and several stricter state laws: the My Health MY Data Act (RCW 19.373) expands consumer health data rights and creates a private right of action, the breach notification law (RCW 19.255.010) requires 30-day notification, and mental health records carry extra protections under RCW 70.02.160. Apply the more protective standard in each situation.

Washington State imposes health data requirements that are stricter than HIPAA across several dimensions. Your clinic must satisfy HIPAA, account for the My Health MY Data Act’s private right of action over consumer health data, meet a 30-day breach notification deadline under RCW 19.255.010, and follow mental health records rules that restrict disclosures HIPAA would otherwise permit.

This guide walks through each layer. It covers the HIPAA baseline, then addresses the Washington My Health MY Data Act (RCW 19.373), the state breach notification law (RCW 19.255.010), and mental health records protections under RCW 70.02.160. Each section closes with what the requirement means for day-to-day clinic operations.

For a full analysis of the MHMD Act’s interaction with HIPAA, see Washington MHMD Act vs HIPAA.

The HIPAA Baseline

Washington clinics that transmit health information electronically in connection with standard transactions are covered entities under HIPAA. The Privacy Rule (45 CFR Part 164, Subpart E) governs permissible uses and disclosures of PHI. The Security Rule (45 CFR Part 164, Subparts A and C) requires administrative, physical, and technical safeguards for electronic PHI. The Breach Notification Rule (45 CFR Part 164, Subpart D) sets out the obligation to notify individuals, HHS, and sometimes the media after a breach of unsecured PHI.

Meeting the federal baseline requires a current risk analysis, documented risk management plans, workforce training, Business Associate Agreements with vendors (see how small clinics track vendor BAAs), and the ability to execute a breach notification within required deadlines. The administrative safeguards at 45 CFR § 164.308 spell out the minimum required policies and procedures — see HIPAA administrative safeguards for detail.

Where Washington law is stricter than HIPAA, the state standard applies under HIPAA’s preemption framework at 45 CFR § 160.203.

Washington My Health MY Data Act (RCW 19.373)

The My Health MY Data Act (MHMD) was enacted in 2023. Its core provisions took effect March 31, 2024 for regulated entities, with small businesses given a later compliance date of June 30, 2024.

Scope: what the MHMD Act covers

The MHMD Act applies to regulated entities — any legal entity that conducts business in Washington or produces products or services targeted to Washington residents — and their processors. It covers “consumer health data,” which the statute defines broadly as any personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.

The definition is intentionally expansive. It includes health conditions, diagnoses, treatment records, medications, biometric data, data from fitness trackers and wearables, reproductive or sexual health data, gender-affirming care information, and precise location data where the data is derived from or relates to a healthcare visit.

HIPAA-covered entities and the MHMD Act

HIPAA-covered entities and business associates are exempt from the MHMD Act to the extent they process PHI governed by HIPAA and the HITECH Act. This means a Washington clinic’s core patient treatment records — the PHI it handles as a covered entity — are likely outside the MHMD Act’s reach.

However, the exemption does not cover every data source a modern clinic touches. If a clinic operates a consumer wellness app, collects health data from patients who are not the clinic’s own patients, runs a patient portal that ingests data from consumer wearables, or uses tracking technologies on its website in a way that associates browsing behavior with health conditions, that data may be consumer health data under the MHMD Act and outside the HIPAA exemption.

Rights and obligations under the MHMD Act

The MHMD Act grants consumers rights over their consumer health data:

  • The right to confirm whether a regulated entity is collecting their consumer health data and to access that data;
  • The right to withdraw consent to collection or sharing;
  • The right to delete consumer health data;
  • The right to have data corrected in some circumstances.

Regulated entities must obtain valid authorization before collecting consumer health data beyond what is necessary for the transaction the consumer initiated, and before sharing consumer health data with third parties. The statute prohibits geofencing around healthcare facilities to identify, track, or collect data from individuals seeking healthcare.

Private right of action

The MHMD Act creates a private right of action. Consumers may bring civil suits against regulated entities for violations. This is a significant enforcement mechanism that HIPAA — which relies solely on OCR enforcement — does not provide. Washington clinics that mishandle consumer health data outside the HIPAA exemption face both AG enforcement and direct patient litigation.

Practical implications for small clinics

Most small Washington clinics whose data handling is entirely within the HIPAA-covered treatment relationship are not significantly affected by the MHMD Act in their core operations. The risk areas to evaluate are:

  • Digital marketing and website analytics — do tracking scripts associate users with health conditions or treatment-seeking behavior?
  • Patient-facing apps or portals that collect health data from non-patients;
  • Telehealth platforms or scheduling tools that collect health information before a formal treatment relationship begins.

Washington Data Breach Notification: RCW 19.255.010

Washington’s data breach notification law requires any entity that owns, licenses, or maintains data including personal information to notify Washington residents of a security breach in the most expedient time possible and no later than 30 days after discovering the breach.

The 30-day deadline vs. HIPAA

HIPAA permits covered entities to take up to 60 days after discovery to notify affected individuals. Washington’s 30-day ceiling is twice as demanding. For any breach affecting Washington residents, the 30-day deadline controls.

Washington personal information includes first name or initial plus last name combined with any of the following when unencrypted: Social Security number, driver’s license number, financial account numbers, health information, or medical history. Health information as defined in the statute covers information about an individual’s health condition, health history, and health treatment.

AG notification

When a breach affects more than 500 Washington residents, RCW 19.255.010(8) requires notice to the Washington State Attorney General. The AG notice must occur in the most expedient time possible and may not exceed 30 days. This is an additional obligation alongside HIPAA’s requirement to notify HHS of breaches affecting 500 or more individuals in a state.

Encryption safe harbor

Washington law provides a safe harbor for encrypted data. If personal information was encrypted using industry-standard techniques at the time of the breach, the notification obligation does not arise. Small clinics encrypting laptops, mobile devices, and removable storage media can reduce their notification burden while improving their overall security posture.
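The breach notification rules above (Washington's 30-day ceiling versus HIPAA's 60, the AG trigger at more than 500 Washington residents, the HHS/media trigger at 500 or more, and the encryption safe harbor) can be encoded as a small decision routine. This is an added illustration, not PHIGuard's software or a statute text; it assumes the breach involves unsecured PHI unless `encrypted` is set, and that "encrypted" means encryption meeting both Washington's industry-standard test and HHS guidance for secured PHI.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

HIPAA_INDIVIDUAL_DAYS = 60   # HIPAA outer limit for individual notice
WA_INDIVIDUAL_DAYS = 30      # RCW 19.255.010 ceiling for WA residents
WA_AG_THRESHOLD = 500        # AG notice when MORE than 500 WA residents
HHS_STATE_THRESHOLD = 500    # HHS notice when 500 OR MORE in a state


@dataclass
class Incident:
    discovered: date     # date the breach was discovered (starts the clock)
    wa_residents: int    # affected individuals who are Washington residents
    encrypted: bool      # data encrypted to industry standard at time of breach


@dataclass
class Plan:
    individual_deadline: Optional[date]
    notices: List[str] = field(default_factory=list)


def notification_plan(inc: Incident) -> Plan:
    """Return who must be notified and by when, applying the stricter rule."""
    if inc.encrypted:
        # Safe harbor: encrypted data does not trigger the notice obligation.
        return Plan(None, ["none: encryption safe harbor"])

    # The more protective standard controls: 30 days if any WA resident is
    # affected, otherwise HIPAA's 60-day ceiling.
    days = HIPAA_INDIVIDUAL_DAYS
    if inc.wa_residents > 0:
        days = min(HIPAA_INDIVIDUAL_DAYS, WA_INDIVIDUAL_DAYS)
    plan = Plan(inc.discovered + timedelta(days=days), ["affected individuals"])

    # Note the off-by-one between the two thresholds: exactly 500 WA residents
    # reaches the HIPAA/HHS trigger but not the Washington AG trigger.
    if inc.wa_residents > WA_AG_THRESHOLD:
        plan.notices.append("WA Attorney General within 30 days (RCW 19.255.010(8))")
    if inc.wa_residents >= HHS_STATE_THRESHOLD:
        plan.notices.append("HHS without unreasonable delay (500+ in a state)")
    if inc.wa_residents > 500:
        plan.notices.append("prominent media outlets serving Washington")
    return plan
```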

Washington Mental Health Records: RCW 70.02.160

Washington’s health care information privacy law (Chapter 70.02 RCW) creates a comprehensive framework for health information disclosure. RCW 70.02.160 specifically addresses mental health treatment records.

Restrictions beyond HIPAA

Under RCW 70.02.160, a healthcare provider may disclose mental health treatment information only with the patient’s written authorization, unless an exception applies. The exceptions are narrow: emergencies involving risk to the patient or others, public health reporting requirements, court orders, and a small set of treatment continuity situations.

HIPAA’s Privacy Rule permits covered entities to disclose PHI for treatment, payment, and healthcare operations without patient authorization. Mental health information is PHI under HIPAA and generally subject to the same treatment/payment/operations exceptions. Washington’s law is stricter: it requires written authorization for many disclosures — including to health insurers for payment purposes in some circumstances — that HIPAA would permit without explicit consent.

What this means for billing and insurance

A Washington clinic that treats patients for mental health conditions must confirm that its billing and insurance verification processes comply with RCW 70.02.160, not just HIPAA. Submitting a mental health claim to an insurer may require specific patient authorization under Washington law. Clinics handling mental health records should review their authorization forms and billing procedures with Washington legal counsel.

Psychotherapy notes

HIPAA separately protects psychotherapy notes (45 CFR § 164.524(a)(1)(i)) and excludes them from the general right of access. Washington law adds another layer of protection. Records of a patient’s mental health treatment — including progress notes, session summaries, and diagnostic formulations — carry Washington-specific handling requirements beyond the HIPAA psychotherapy notes definition.

Four Action Items for Washington Clinics

1. Set your breach response clock to 30 days. Update your incident response policy and any breach notification templates to reflect Washington’s 30-day deadline, not HIPAA’s 60-day ceiling. Include a workflow trigger for AG notification when a breach affects more than 500 Washington residents. Start from the HIPAA breach notification templates framework and modify the deadlines.

2. Assess your MHMD Act exposure. Audit your digital touchpoints: website analytics, patient-facing apps, scheduling tools, and any technology that collects health-related data from individuals. If any of these operate outside the HIPAA-covered treatment relationship, evaluate whether the MHMD Act applies and what authorization or deletion infrastructure you need.

3. Review your mental health records authorization procedures. Audit the authorization forms and disclosure procedures your clinic uses for mental health information. Confirm that your billing and insurance workflows obtain the authorizations Washington law requires, not just what HIPAA permits by default.

4. Document your risk analysis with Washington-specific risk factors. Use the HIPAA risk analysis worksheet as a foundation and add sections covering Washington-specific risks: MHMD Act exposure, 30-day breach response capability, and mental health records handling. Your documented risk management decisions are your best evidence in an investigation.

Staying Current with Washington Requirements

Washington’s compliance environment evolves. The My Health MY Data Act is relatively new and enforcement posture will develop through AG guidance and litigation. Small clinics should subscribe to Washington State AG consumer protection updates and the Washington State Medical Association’s compliance resources to stay current.

PHIGuard supports Washington clinics with policy documentation, vendor BAA tracking, and incident response management — with current plan and BAA details published on the pricing page. Visit PHIGuard HIPAA or see pricing.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions related to this topic

Does the My Health MY Data Act apply to small clinics already covered by HIPAA?

HIPAA-covered entities are exempt from the MHMD Act to the extent they handle PHI governed by HIPAA. However, the MHMD Act covers consumer health data that HIPAA does not — data collected outside a treatment relationship, on consumer apps, or from individuals who are not the clinic's patients. Clinics that run wellness programs, patient portals that feed data from wearables, or consumer-facing digital tools may face MHMD obligations.

What is Washington's breach notification deadline?

Under RCW 19.255.010, any entity that owns or licenses personal information of Washington residents must notify affected individuals in the most expedient time possible and no later than 30 days after discovering a breach. This is stricter than HIPAA's 60-day maximum.

What mental health records protections apply in Washington beyond HIPAA?

RCW 70.02.160 restricts the disclosure of mental health treatment information. Disclosures to insurers, employers, and other third parties require specific patient consent beyond what HIPAA's general authorization covers. Washington law also restricts the use of mental health records in certain legal proceedings.
