HIPAA vs MHMDA
For decades, the federal Health Insurance Portability and Accountability Act (HIPAA) has regulated how healthcare providers and other entities use and disclose “protected health information”.
But many organizations that process health-related information are not covered by HIPAA. As such, several states have passed new health privacy laws to bridge this compliance gap.
Washington’s My Health My Data Act (MHMDA) is the strictest example of these new state-level health privacy laws. In fact, the MHMDA is arguably tougher than HIPAA itself.
This article explores the essential differences between HIPAA and the MHMDA, explaining who’s covered, what types of health information data are covered, and what’s required to comply with each law.
HIPAA vs MHMDA: The Basics
HIPAA is an extensive law covering many issues. HIPAA’s Privacy Rule and Security Rule are most relevant to this article. These rules regulate how organizations use, disclose, and maintain “protected health information” (PHI).
HIPAA covers entities across every US state. Most HIPAA-covered activities are exempt from state privacy laws, including the MHMDA.
HIPAA is enforced by the Office for Civil Rights (OCR)—and by state Attorneys General, where state laws allow. HIPAA fines can range from $100 to $50,000 per violation. Anthem Healthcare settled a HIPAA case for $16 million in October 2018.
The MHMDA was passed in 2023 and will come into force in March 2024. The MHMDA captures organizations operating in Washington that process “consumer health data” but that are not covered by HIPAA.
The MHMDA provides consumer rights and imposes strict rules on regulated entities' collection, use, sharing, and selling of consumer health data. Unlike HIPAA, the MHMDA provides a “private right of action”, meaning consumers can sue businesses that violate the law.
Who Is Covered By HIPAA?
HIPAA covers two types of organizations:
- Covered entities:
  - Health plans.
  - Healthcare clearinghouses.
  - Any healthcare provider that submits health information in electronic form.
- Business associates: Any organization that “creates, receives, maintains, or transmits” PHI (defined below) on behalf of a covered entity or provides certain services to a covered entity.
Covered entities include medical practitioners, hospitals, insurance companies, and other organizations that deliver or facilitate healthcare or health insurance.
Business associates include IT service providers, companies that maintain electronic health records, billing companies, auditors, and consultants that access PHI.
Who Is Covered By the MHMDA?
The MHMDA applies to:
- Regulated entities: Any legal entity that:
  - Conducts business in Washington or produces goods and services targeted at Washington consumers, and
  - Determines the purposes (the “why”) and means (the “how”) of collecting, selling, sharing, or processing “consumer health data” (defined below).
- Processors: Any person that processes consumer health data on behalf of a regulated entity.
The MHMDA also references “small businesses”, which are treated the same as “regulated entities” except that the compliance deadline is different:
- Regulated entities: March 31, 2024.
- Small businesses: June 30, 2024.
From now on, we’ll refer to both types of organizations as “regulated entities”.
Organizations are exempt from the MHMDA when processing health information under certain laws, including the following:
- The Gramm-Leach-Bliley Act (GLBA)
- Washington’s medical records law
- The Family Educational Rights and Privacy Act (FERPA)
- The Fair Credit Reporting Act (FCRA)
Covered Entities: HIPAA vs. MHMDA
You’re likely covered by HIPAA if you’re:
- A health plan, healthcare clearinghouse, or healthcare provider (a “covered entity”), or
- Working on behalf of a covered entity (a “business associate”).
You’re likely covered by the MHMDA if you’re:
- Based in Washington or targeting Washington consumers,
- Processing consumer health data, and
- Not engaged in an activity covered by HIPAA or another MHMDA-exempted law.
What Is Protected Health Information (PHI) Under HIPAA?
The definition of PHI builds on several nested definitions.
Health information: Any information that:
- Is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse, and
- Relates to:
  - An individual’s past, present, or future physical or mental health or condition,
  - The provision of healthcare to an individual, or
  - The past, present, or future payment for the provision of healthcare to an individual.
Individually identifiable health information: “Health information” that:
- Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and
- Identifies an individual; or
- Could reasonably be used to identify an individual.
Protected health information (PHI) is “individually identifiable health information” that:
- Is transmitted or maintained in any form (including on paper), and
- Is not:
  - Part of a record maintained under FERPA,
  - About an individual acting as a covered entity’s employee, or
  - About an individual who has been dead for more than 50 years.
Electronic protected health information (ePHI) is PHI transmitted or maintained electronically.
Note that each definition is a subset of the previous definition.
HIPAA interprets PHI broadly. The OCR recently warned that cookies, pixels, and other tracking technologies can collect ePHI.
What Is Consumer Health Data Under the MHMDA?
Under the MHMDA, “consumer health data” means “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status”.
There are 13 non-exhaustive examples of “consumer health data” in the MHMDA, including information relating to a consumer’s health condition, use of prescription medication, or biometric information.
The law cites a cookie ID, IP address, or device identifier as examples of “personal information”. As such, these data types are “consumer health data” if they are linkable to a consumer and identify the consumer’s health status.
Example: A consumer visits a website selling arthritis supplements. The website operator collects the consumer’s IP address and mobile advertising ID. That information could be “consumer health data” because it relates to the consumer and their health status.
Health Information: HIPAA vs. MHMDA
Both HIPAA and the MHMDA should be interpreted broadly. While each law uses different language, they essentially both cover information that:
- Identifies, or could reasonably be used to identify, an individual, and
- Links, or could reasonably be linked, to an individual’s health.
These different “health information” definitions affect the types of entities covered by each law.
Example 1: A hospital commissions a software company to track diabetes symptoms. A patient in Washington uses the app on his doctor’s advice. The app automatically updates the patient’s electronic health record at the hospital.
The software company is a business associate under HIPAA—and thus exempt from the MHMDA—because it submits ePHI to a covered entity.
Example 2: A doctor advises a Washingtonian heart disease patient to track his heart rate. The patient downloads a heart rate-tracking app for his smartwatch and discloses his health condition.
The company operating the smartwatch app is a regulated entity under the MHMDA because it processes “consumer health data”. The app was not commissioned by a covered entity and does not interact with the patient’s electronic health record, so HIPAA is not relevant.
What Are the Main Obligations Under HIPAA?
Let’s look at the primary obligations under the HIPAA Privacy Rule and Security Rule.
HIPAA Privacy Rule
Covered entities and business associates may only use or disclose PHI under six conditions.
Broadly, covered entities and (in some cases) business associates may use or disclose PHI:
- To the consumer at their request.
- For treatment, payment, and healthcare operations purposes.
- After offering the individual an opportunity to agree or object.
- In a manner incidental to an otherwise permitted use and disclosure.
- For certain public interest and benefit activities, including where required by law.
- For research, public health, or healthcare operations purposes, provided direct identifiers have been removed.
Each of these “permitted uses and disclosures” has caveats and restrictions.
Some of the HIPAA Privacy Rule’s other requirements include:
- Only using or disclosing the minimum PHI necessary for a given purpose.
- Providing notice of the covered entity’s privacy practices.
- Enabling individuals to access or amend their PHI under certain conditions.
- Implementing privacy policies, workplace training, and records retention policies.
HIPAA Security Rule
Broadly, the HIPAA Security Rule requires covered entities and business associates to:
- Ensure the confidentiality, integrity, and availability of ePHI.
- Identify and protect against “reasonably anticipated threats” to the security or integrity of ePHI.
- Protect against “reasonably anticipated impermissible uses or disclosures” of ePHI.
- Ensure HIPAA Security Rule compliance among employees.
Compliance with the HIPAA Security Rule requires an in-depth understanding of ePHI flows. Consistent data mapping is crucial for HIPAA compliance.
What Are the Main Obligations Under the MHMDA?
The MHMDA focuses on restricting how regulated entities collect, share, and sell consumer health data.
Collecting and Sharing Consumer Health Data
Regulated entities may only collect or share consumer health data if either:
- The collection or sharing is necessary to provide a service requested by the consumer, or
- The consumer has consented to the collection or sharing.
There are a handful of exceptions, including where collecting or sharing consumer health data is necessary for law enforcement or fraud prevention purposes.
Example: A therapy app collects device information to deliver its core services. It requests consent to collect location data to provide information on local therapists. It requests consent to share app usage data with a processor for third-party analytics purposes.
Selling Consumer Health Data
“Selling” consumer health data can involve any exchange of consumer health data with a third party (other than a processor, under strict conditions) for money or other “valuable consideration” (effectively any benefit).
Selling consumer health data can include sharing information with third-party analytics and advertising networks, including via cookies, pixels, and software development kits (SDKs).
Before selling consumer health data, a regulated entity must obtain a “valid authorization” from the consumer that, among other things, includes the consumer’s signature, restricts the use of the data by the recipient, and expires automatically after one year.
The MHMDA provides consumers with the right to:
- Confirm whether a regulated entity is processing their consumer health data.
- Obtain a list of any third parties or affiliates that received their data.
- Access their data.
- Withdraw consent for the collection or sharing of their data.
- Delete consumer health data, including where it is stored on backup systems or by a third party.
Facilitating consumer rights requests requires total oversight of how consumer health data is collected, where it is stored, and with whom it is shared. Data mapping is vital for regulated entities to comply with this part of the MHMDA.
The MHMDA requires regulated entities to implement “reasonable” data security practices that effectively restrict access to consumer health data.
For software developers and engineers, reasonable security can include regularly scanning code to ensure consumer health data is not collected, shared, or sold without consent or valid authorization.
Regulated entities must also publish a consumer health data privacy policy explaining:
- How they collect, use, share, and sell consumer health data.
- How consumers may exercise their rights under the MHMDA.
Main Obligations: HIPAA vs. the MHMDA
HIPAA-covered entities and business associates must (or may) obtain authorization from individuals for certain uses and disclosures of their PHI—and can also use and disclose PHI for other purposes set out in the Privacy Rule.
The MHMDA puts consumers firmly in control. With very few exceptions, regulated entities may not collect or share consumer health data without consent—unless the collection or sharing is necessary to provide a service requested by the consumer.
To comply with either HIPAA or the MHMDA, an organization must:
- Gain total visibility over how its products and systems collect health information.
- Fully understand how and why it discloses health information to third parties.
- Implement privacy and security processes.
- Keep accurate records of its data processing activities.
- Publish up-to-date transparency notices.
Robert is a writer covering privacy, security, and AI. He is a respected voice on privacy and has been covering and working in the field since 2017.