

For decades, the federal Health Insurance Portability and Accountability Act (HIPAA) has regulated how healthcare providers and other entities use and disclose “protected health information”.
But many organizations that process health-related information are not covered by HIPAA. As such, several states have passed new health privacy laws to bridge this compliance gap.
Washington’s My Health My Data Act (MHMDA) is the strictest example of these new state-level health privacy laws. In fact, the MHMDA is arguably tougher than HIPAA itself.
This article explores the essential differences between HIPAA and the MHMDA, explaining who’s covered, what types of health information data are covered, and what’s required to comply with each law.
HIPAA is an extensive law covering many issues. HIPAA’s Privacy Rule and Security Rule are most relevant to this article. These rules regulate how organizations use, disclose, and maintain “protected health information” (PHI).
HIPAA covers entities across every US state. Most HIPAA-covered activities are exempt from state privacy laws, including the MHMDA.
HIPAA is enforced by the Office for Civil Rights (OCR)—and by state attorneys general, where state laws allow. HIPAA fines can range from $100 to $50,000 per violation. Anthem Healthcare settled a HIPAA case for $16 million in October 2018.
The MHMDA was passed in 2023 and will come into force in March 2024. The MHMDA captures organizations operating in Washington that process “consumer health data” but that are not covered by HIPAA.
The MHMDA provides consumer rights and imposes strict rules on regulated entities' collection, use, sharing, and selling of consumer health data. Unlike HIPAA, the MHMDA provides a “private right of action”, meaning consumers can sue businesses that violate the law.
HIPAA covers two types of organizations:
Covered entities include medical practitioners, hospitals, insurance companies, and other organizations that deliver or facilitate healthcare or health insurance.
Business associates include IT service providers, companies that maintain electronic health records, billing companies, auditors, and consultants that access PHI.
The MHMDA applies to:
The MHMDA also references “small businesses”, which are treated the same as “regulated entities” except that the compliance deadline is different:
From now on, we’ll refer to both types of organizations as “regulated entities”.
Organizations are exempt from the MHMDA when processing health information under certain laws, including the following:
You’re likely covered by HIPAA if you’re:
You’re likely covered by the MHMDA if you’re:
The definition of PHI includes references to several types of data.
Health information: Any information that:
Protected health information (PHI) is “individually identifiable health information” that:
Electronic protected health information (ePHI) is PHI transmitted or maintained electronically.
Note that each definition is a subset of the previous definition.
HIPAA interprets PHI broadly. The OCR recently warned that cookies, pixels, and other tracking technologies can collect ePHI.
Under the MHMDA, “consumer health data” means “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status”.
There are 13 non-exhaustive examples of “consumer health data” in the MHMDA, including information relating to a consumer’s health condition, use of prescription medication, or biometric information.
The law cites a cookie ID, IP address, or device identifier as examples of “personal information”. As such, these data types are “consumer health data” if they are linkable to a consumer and identify the consumer’s health status.
Example: A consumer visits a website selling arthritis supplements. The website operator collects the consumer’s IP address and mobile advertising ID. That information could be “consumer health data” because it relates to the consumer and their health status.
Both HIPAA and the MHMDA should be interpreted broadly. While each law uses different language, they essentially both cover information that:
These different “health information” definitions affect the types of entities covered by each law.
Example 1: A hospital commissions a software company to track diabetes symptoms. A patient in Washington uses the app on his doctor’s advice. The app automatically updates the patient’s electronic health record at the hospital.
The software company is a business associate under HIPAA—and thus exempt from the MHMDA—because it submits ePHI to a covered entity.
Example 2: A doctor advises a Washingtonian heart disease patient to track his heart rate. The patient downloads a heart rate-tracking app for his smartwatch and discloses his health condition.
The company operating the smartwatch app is a regulated entity under the MHMDA because it processes “consumer health data”. The app was not commissioned by a covered entity and does not interact with the patient’s electronic health record, so HIPAA is not relevant.
Let’s look at the primary obligations under the HIPAA Privacy Rule and Security Rule.
Covered entities and business associates may only use or disclose PHI under six conditions.
Broadly, covered entities and (in some cases) business associates may use or disclose PHI:
Each of these “permitted uses and disclosures” has caveats and restrictions.
Some of the HIPAA Privacy Rule’s other requirements include:
Broadly, the HIPAA Security Rule requires covered entities and business associates to:
Compliance with the HIPAA Security Rule requires an in-depth understanding of ePHI flows. Consistent data mapping is crucial for HIPAA compliance.
The MHMDA focuses on restricting how regulated entities collect, share, and sell consumer health data.
Regulated entities may only collect or share consumer health data if either:
There are a handful of exceptions, including where collecting or sharing consumer health data is necessary for law enforcement or fraud prevention purposes.
The MHMDA defines “consent” strictly. Regulated entities must obtain the consumer’s voluntary, specific, informed, unambiguous opt-in agreement—and may not rely on broad “terms of use” agreements or “dark patterns” to obtain consent.
Example: A therapy app collects device information to deliver its core services. It requests consent to collect location data to provide information on local therapists. It requests consent to share app usage data with a processor for third-party analytics purposes.
“Selling” consumer health data can involve any exchange of consumer health data to a third party (other than a processor, under strict conditions) for money or other “valuable consideration” (effectively any benefit).
Selling consumer health data can include sharing information with third-party analytics and advertising networks, including via cookies, pixels, and software development kits (SDKs).
Before selling consumer health data, a regulated entity must obtain a “valid authorization” from the consumer that, among other things, includes the consumer’s signature, restricts the use of the data by the recipient, and expires automatically after one year.
The MHMDA provides consumers with the right to
Facilitating consumer rights requests requires total oversight of how consumer health data is collected, where it is stored, and with whom it is shared. Data mapping is vital for regulated entities to comply with this part of the MHMDA.
The MHMDA requires regulated entities to implement “reasonable” data security practices that effectively restrict access to consumer health data.
For software developers and engineers, reasonable security can include regularly scanning code to ensure consumer health data is not collected, shared, or sold without consent or valid authorization.
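One concrete form such a scan can take, as an added example that is not part of the article and not an official tool: a static check that walks a page’s HTML, lists every script, image, or iframe loaded from a host other than the site’s own, and reports those that are not tied to a consent gate. The sample page is constructed, and the convention that a `data-consent-category` attribute marks a resource as consent-gated is an assumption made for the example; a real site would substitute whatever its consent manager uses.

```python
"""Static check for ungated third-party loads on health-related pages.

Added example (not from the article). Treats a resource as consent-gated
when the element carries a `data-consent-category` attribute; that
attribute name is an assumption for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two first-party assets, one gated third-party
# script, one ungated analytics script, and an ungated 1x1 tracking pixel
# whose query string carries a health-related topic.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.example.net/tag.js"></script>
<script src="https://ads.example.org/pixel.js" data-consent-category="advertising"></script>
</head><body>
<img src="https://tracker.example.com/p.gif?topic=arthritis" width="1" height="1">
<img src="/images/logo.png">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collects (tag, src, consent-category, attrs) for loadable elements."""

    TAGS = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        attrs = dict(attrs)
        src = attrs.get(self.TAGS[tag])
        if src:
            self.resources.append(
                (tag, src, attrs.get("data-consent-category"), attrs)
            )


def find_ungated_third_party(html, first_party_hosts):
    """Return third-party loads that carry no consent gate.

    Each finding records the element type, the external host, the query
    string (which is what may leak health context to the recipient), and
    whether the element looks like a 1x1 tracking pixel.
    """
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, src, consent, attrs in parser.resources:
        parsed = urlparse(src)
        host = parsed.hostname
        if host is None or host in first_party_hosts:
            continue  # relative URL or the site's own host
        if consent is not None:
            continue  # gated behind a consent category
        is_pixel = tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"
        findings.append(
            {"tag": tag, "host": host, "query": parsed.query, "pixel": is_pixel}
        )
    return findings


if __name__ == "__main__":
    for f in find_ungated_third_party(SAMPLE_HTML, {"www.example.com"}):
        print(f)
```

Run as part of a build or pre-deploy step, the check turns the article’s “cookies, pixels, and SDKs” concern into a reviewable list: every ungated external host is a place where a cookie ID, IP address, or device identifier leaves the site, and the recorded query string shows whether health context travels with it.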
Regulated entities must maintain a privacy policy explaining, among other things:
HIPAA-covered entities and business associates must (or may) obtain authorization from individuals for certain uses and disclosures of their PHI—and can also use and disclose PHI for other purposes set out in the Privacy Rule.
The MHMDA puts consumers firmly in control. With very few exceptions, regulated entities may not collect or share consumer health data without consent—unless the collection or sharing is necessary to provide a service requested by the consumer.
To comply with either HIPAA or the MHMDA, an organization must: