Washington's My Health My Data Act vs. HIPAA

Healthcare organizations have long operated under HIPAA's privacy rules, but Washington state's new My Health My Data Act (MHMD) represents a significant expansion of health data protections. As recent cases like Amazon's privacy lawsuit demonstrate, health data now extends far beyond traditional medical records.

What MHMD covers

When HIPAA was enacted in 1996, healthcare data lived primarily in doctors' offices and hospitals. Today, our health information flows through apps, websites, and various digital services - most of which fall outside HIPAA's scope. According to research on HIPAA compliance, this evolution in health information management has led to over 176 million patients being affected by protected health information breaches in the United States.

Washington's MHMD, which took effect in March 2024, addresses this gap by protecting consumer health data wherever it exists.

The act is designed to protect personal health data outside of HIPAA’s scope and was developed to protect consumers' sensitive health data from being collected and shared without their consent. The law requires regulated entities to follow specific requirements about how and when they may collect and share personal health data, addressing an urgent need that resonated with residents; 76% of Washingtonians expressed support for the Act.

Key differences

• Scope of coverage: While HIPAA applies specifically to healthcare providers, insurers, and their business associates, MHMD casts a wider net. The law covers any company that collects consumer health data, including tech companies, apps, and websites. This means a fitness tracking app or period-tracking website must now comply with privacy requirements in Washington state.
• Types of protected data: HIPAA focuses on protecting medical records and other health information in a healthcare context. MHMD expands this definition to include any data that could reveal information about a person's health, including location data that might show visits to healthcare facilities or biometric information collected by apps.
• Enforcement and rights: Perhaps the most significant difference lies in enforcement. While HIPAA violations are pursued by federal regulators, MHMD gives individuals the right to sue companies directly for violations. This private right of action, combined with penalties of up to $7,500 per violation, creates stronger incentives for companies to protect consumer health data.
• Consent requirements: MHMD introduces stricter consent requirements than HIPAA. Under the new law, companies must obtain explicit consent before collecting or sharing health-related data. This contrasts with HIPAA's approach, which allows certain data sharing between covered entities for treatment, payment, and healthcare operations without specific patient authorization.
• Impact on business operations: Organizations operating in Washington state now face dual compliance requirements. Companies must assess how they will handle health data, which may involve updating privacy policies, implementing new consent mechanisms, and reviewing data sharing practices with third parties.
• Security requirements: Both laws mandate security measures, but MHMD adds modern requirements specifically addressing digital threats. Companies must implement reasonable security measures to protect consumer health data, including encryption, access controls, and regular security assessments.

FAQs

Which law applies to my organization?

If you're a healthcare provider, insurer, or their business associate, you must comply with HIPAA. If you collect any consumer health data in Washington state, including through apps, websites, or other digital services, you must also comply with MHMD. Many organizations may need to comply with both laws.

What counts as consumer health data under MHMD?

MHMD defines consumer health data more broadly than HIPAA. It includes traditional health information plus data that could reveal health-related details, such as location tracking showing medical facility visits, fitness app data, or search histories related to health conditions.

How are violations handled differently?

HIPAA violations are investigated and enforced by federal regulators (the Office for Civil Rights), while MHMD allows individuals to sue companies directly for violations. This means organizations could face both regulatory penalties and private lawsuits under MHMD.