Comparison · Privacy

MHMDA vs HIPAA (Washington)

MHMDA is Washington's My Health My Data Act — regulating consumer health data outside HIPAA, with a private right of action. HIPAA continues to govern PHI handled by covered entities and BAs.

Last reviewed May 24, 2026

Side by side

Option A

MHMDA (Washington)

My Health My Data Act — Washington statute regulating consumer health data collected outside the HIPAA framework. Requires consent, valid authorization for sale, and security safeguards. Private right of action under the Consumer Protection Act.

RCW 19.373
  • RCW 19.373.
  • Excludes most PHI handled by HIPAA covered entities in that capacity.
  • Covers app developers, wearable makers, and consumer-health services.
  • Private right of action via Washington's Consumer Protection Act.
Option B

HIPAA

Federal baseline for PHI held by covered entities and business associates.

45 CFR Parts 160 & 164
  • Continues to govern PHI in HIPAA-handler capacity.
  • No private right of action.
What it covers
MHMDAConsumer health data outside HIPAA
HIPAAPHI inside HIPAA
Geo reach
MHMDAWashington residents and people whose data is processed in WA
HIPAAAll US covered entities and BAs
Private right of action
MHMDAYes — via Washington CPA
HIPAANo
Overlap
MHMDASame business can be subject to both for different data sets
HIPAASame business can be subject to both for different data sets

When to use MHMDA (Washington)

  • Patient-facing apps, wearables, telehealth companies collecting consumer health data from WA residents outside the HIPAA scope.

When to use HIPAA

  • Standard practice handling PHI in its HIPAA capacity — HIPAA continues to govern.

Common mistakes

  • Treating MHMDA as preempted by HIPAA — only the HIPAA-capacity data is excluded.
  • Failing to map which data flows are inside HIPAA vs outside (e.g., patient-portal preferences, wellness program data).

Sources

Take it into the workspace

Map WA data flows in the SRA readiness check

Open sra studio
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.