A Complete Guide to Washington State’s My Health My Data (MHMD) Act for Healthcare Providers

As the digital world evolves, so do data privacy laws, especially in the healthcare sector. For healthcare providers in Washington State, the My Health My Data (MHMD) Act has introduced a new layer of compliance requirements that extend beyond traditional HIPAA regulations. Passed in response to growing concerns about the collection, use, and security of personal health data, this law directly impacts how healthcare websites operate.

This comprehensive guide will explain how the MHMD Act affects healthcare providers, what you need to do to ensure compliance, and what penalties you might face for non-compliance. We’ll also answer frequently asked questions, provide cost estimates for getting your website updated, and offer a practical solution to get started.

What Is the My Health My Data (MHMD) Act?

The My Health My Data (MHMD) Act is a Washington State law that expands privacy protections to a broader category of health-related data, beyond the scope of HIPAA. While HIPAA primarily focuses on Protected Health Information (PHI) like medical records, diagnoses, and treatments, the MHMD Act covers any data that can be linked to an individual’s health status, behaviors, or preferences—even if it’s not strictly medical data.

For healthcare providers, this means that if your website collects any kind of personal health information—whether it’s through appointment forms, patient portals, or third-party tools like analytics—you must ensure compliance with MHMD’s data privacy and security standards.

How Does the MHMD Act Impact Healthcare Providers?

Expanded Data Protections

Under MHMD, the following types of data are protected:

  • Browsing behavior on health-related websites
  • Lifestyle choices, such as searching for fitness or mental health resources
  • Online interactions with healthcare providers, including purchases of wellness or healthcare products

This broader definition means that even seemingly innocuous activities, like using tracking cookies or analytics tools, could result in the collection of data covered by the MHMD Act. Healthcare providers must now account for this and update their websites accordingly.

Increased Transparency Requirements

In addition to securing PHI, healthcare providers are now required to provide transparency about any data collected from website visitors. This includes displaying clear privacy policies, disclosing how data is collected and used, and obtaining explicit opt-in consent before collecting any personal information.

Liability for Data Breaches

If your website fails to meet the standards set by the MHMD Act, you could face serious consequences, including hefty fines, lawsuits, and reputational damage. Even if you use third-party, HIPAA-compliant tools to collect or process data, you are still responsible for ensuring that your website complies with MHMD regulations.

Website Updates Required for MHMD Compliance

The most immediate impact of the MHMD Act is that healthcare providers must update their websites to meet these new regulations. This includes:

  • Implementing opt-in consent mechanisms for data collection
  • Updating privacy policies to meet transparency requirements
  • Ensuring data security with SSL encryption and protection against breaches

Key Differences Between HIPAA and the MHMD Act

While HIPAA remains focused on traditional PHI, the MHMD Act takes a broader approach, covering health-related data that is not explicitly medical. This includes any information that can hint at a person’s health, even if it’s collected for marketing or tracking purposes.

For example:
  • HIPAA: Protects medical records, diagnoses, and treatment data.
  • MHMD: Protects broader data like online search behavior (e.g., searches for mental health resources or wellness products), lifestyle choices, and non-medical interactions that may hint at a person’s health status.

Because of this broader definition, even healthcare websites that do not directly collect PHI may still need to comply with the MHMD Act.

Additional Key Considerations for MHMD Compliance

In addition to the steps above, healthcare providers should be aware of the following important points regarding the My Health My Data (MHMD) Act:

  1. Applicability Beyond Traditional Healthcare Providers: The MHMD Act applies to any organization collecting health-related data from Washington residents, including non-traditional healthcare entities like wellness apps or websites selling health-related products. Ensure that your partners or third-party vendors also comply.
  2. Broader Definition of Health Data: MHMD protects not only PHI but also data such as browsing history, lifestyle choices, and other interactions that could indicate a person’s health status. Ensure your website tracks consent for any health-related data collection, even from cookies or analytics.
  3. Consent Mechanisms: The MHMD Act requires explicit opt-in consent for data collection, even if third-party tools are used. Implementing clear consent prompts is a must.
  4. Data Deletion and Access Rights: Patients have the right to request their data be deleted or accessed under the MHMD Act. Healthcare providers must ensure their systems can handle these requests efficiently.
  5. Out-of-State Implications: Even if your practice is not based in Washington, the MHMD Act applies to any entity that serves Washington residents. Be sure you’re compliant if you have patients or users from Washington.
  6. Breach Notification Requirements: In the case of a data breach, the MHMD Act has strict notification rules in addition to HIPAA requirements. You must notify affected individuals promptly and take corrective action.

Cost to Update Your Website for MHMD Compliance

Ensuring your website complies with the My Health My Data Act will likely require updates and modifications. Here’s a breakdown of potential costs for healthcare providers in Washington State:

  1. Data Collection Consent Implementation: $600 – $1,700
     This includes integrating opt-in consent mechanisms for any form or tool that collects data from users.
  2. Privacy Policy Updates: $350 – $900
     Collaborating with legal professionals to revise and update your privacy policy to meet MHMD’s transparency requirements.
  3. Security Enhancements: $900 – $2,800
     Ensuring your website has an SSL certificate, security plugins (like Wordfence), and other general hardening measures to prevent data breaches.

Overall, the total cost of updating your website for MHMD compliance could range from $1,850 to $5,400, depending on the complexity of your website and the expertise of the professionals you hire.

FAQs About the My Health My Data (MHMD) Act

Yes. Even if you use third-party HIPAA-compliant tools, your website may still require updates under the MHMD Act. For example:

  • Data Collection Consent: You must have an explicit opt-in consent mechanism on your website before collecting any data.
  • Transparency: Your privacy policy must clearly disclose how third-party tools collect and use data.
  • Security: Your website must be secure and compliant, regardless of how third-party tools handle the data.

Non-compliant practices face penalties, including:

  • Fines: Up to $7,500 per violation.
  • Legal Actions: Potential lawsuits for negligence or breach of patient trust.
  • Reputational Damage: Losing patient trust can lead to long-term business impact.

The MHMD Act came into full effect in March 2024. If your website is not compliant yet, you are already at risk. It’s crucial to act immediately to avoid penalties.

Yes. Audits and fines have already begun. Regulatory bodies may conduct random audits or investigate practices after a breach or complaint. Non-compliance can result in immediate penalties.

If audited and found non-compliant, your practice will face fines and be required to make updates within a specific timeframe. Non-compliance can also damage patient trust, leading to long-term consequences for your practice.

Yes. Even if you’re not collecting PHI, you must still comply with transparency and consent requirements:

  • Transparency: You must disclose how any third-party tools (e.g., Google Analytics) collect and process data.
  • Third-Party Tools: Tools like cookies or tracking pixels could still collect data that falls under MHMD’s definition of health-related information.
  • Privacy Policy: Your privacy policy must explain how non-PHI data is handled.

While HIPAA protects traditional PHI, the MHMD Act protects a broader range of data, including:

  • Browsing behavior on health-related websites
  • Lifestyle choices (e.g., searches for fitness or mental health services)
  • Online interactions with healthcare products or services

This means your website must secure and provide consent for any third-party tools that collect data, even if it’s not strictly PHI.

Currently, the My Health My Data (MHMD) Act is specific to the state of Washington. However, it applies to any organization collecting personal health-related data from residents of Washington, even if the organization itself is based outside the state. This means that out-of-state companies serving Washington residents must also comply with MHMD regulations.

Although the MHMD Act is limited to Washington, it signals a growing trend in data privacy laws at the state level. Other states, like California with its Consumer Privacy Act (CCPA), are adopting similar data protection measures, and more states may implement their own versions of MHMD in the near future. Therefore, it's crucial to stay informed about data privacy legislation across the U.S. to ensure compliance if your practice operates in multiple states.

The MHMD Act requires explicit opt-in consent for any data collection, including non-health data such as user behavior tracking through cookies or analytics. Providers must clearly inform users about what data is being collected, how it is used, and obtain permission before tracking begins.

Yes, it is recommended to update the terms of service in addition to the privacy policy. Your terms should reflect how your website collects and processes any personal or health-related data, ensuring full transparency as required by the MHMD Act.

To prove compliance, maintain comprehensive documentation that includes your updated privacy policy, consent mechanisms, data security practices, and records of patient opt-ins. Keeping a record of regular security audits, data handling protocols, and third-party agreements will also help demonstrate adherence to the MHMD requirements.

Regular audits are necessary to ensure ongoing compliance. At a minimum, an audit should be performed annually or whenever there are significant changes to your website, such as the integration of new third-party tools or the collection of new types of data. Additionally, periodic reviews of consent mechanisms and data processing activities are crucial.

Even if third-party services are HIPAA-compliant, under the MHMD Act, it’s your responsibility to ensure that these services meet the transparency and consent requirements. You must verify that the third-party services you use offer opt-in consent and clearly outline how they process and store personal health data.

If a data breach occurs, you must follow both HIPAA’s and the MHMD Act's breach notification procedures. This includes informing affected patients promptly and reporting the breach to the necessary regulatory bodies. Be prepared to take immediate corrective action to secure your website and prevent future incidents.

Yes, your website must include user-friendly opt-in consent features for any data collection, clear privacy policy access, and security features like SSL encryption. Additionally, mechanisms for users to access, modify, or delete their data in compliance with the MHMD Act should be in place.
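The opt-in requirement described above (no tracking until the visitor explicitly agrees, a record of each opt-in, and a way for visitors to withdraw or delete their data) can be enforced in the page itself rather than left to each third-party tool. The following consent gate is an added example written for this guide, not code from the original page or from HIPAA Website Hosting. The purpose name "analytics", the policy version string and the fixed clock value are constructed for illustration; in a real site the store would wrap persistent storage and the loader callback would inject the vendor's script tag.

```javascript
// Added example (not code from the original page): a consent gate for a
// healthcare website. Third-party loaders (analytics, tracking pixels) are
// parked until the visitor explicitly opts in, every decision is recorded for
// the opt-in audit trail, and withdrawal and deletion requests are supported.
// Purpose names and the policy version below are hypothetical.

const POLICY_VERSION = "privacy-policy-2024-03"; // bump whenever the policy changes

class ConsentGate {
  // `store` is any Map-like object (a browser build could wrap localStorage);
  // `now` is injectable so the demo and tests get deterministic timestamps.
  constructor(store = new Map(), now = () => Date.now()) {
    this.store = store;
    this.now = now;
    this.pending = new Map(); // purpose -> loaders waiting for consent
  }

  // Consent counts only if it is an explicit opt-in for the *current* policy
  // version and has not been withdrawn. Absence of a record is not consent.
  hasConsent(purpose) {
    const rec = this.store.get(purpose);
    return Boolean(rec) && rec.granted === true &&
      rec.version === POLICY_VERSION && rec.withdrawnAt === null;
  }

  // Register a tracker loader. It runs now if consent already exists;
  // otherwise it is parked and runs only if consent is later granted.
  gate(purpose, loader) {
    if (this.hasConsent(purpose)) {
      loader();
      return true;
    }
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push(loader);
    return false;
  }

  // Record an affirmative opt-in, including how it was obtained, and release
  // the loaders parked for that purpose. Returns how many were released.
  grant(purpose, evidence) {
    this.store.set(purpose, {
      granted: true,
      version: POLICY_VERSION,
      decidedAt: this.now(),
      evidence, // e.g. { control: "consent-banner", action: "accept" }
      withdrawnAt: null,
    });
    const waiting = this.pending.get(purpose) || [];
    this.pending.delete(purpose);
    for (const load of waiting) load();
    return waiting.length;
  }

  // Record a refusal. Parked loaders stay parked (they run only on a later
  // opt-in), and the refusal itself is kept as evidence of the choice made.
  deny(purpose, evidence) {
    this.store.set(purpose, {
      granted: false, version: POLICY_VERSION, decidedAt: this.now(), evidence, withdrawnAt: null,
    });
  }

  // Withdrawal keeps the original record (proof that consent was obtained)
  // but stamps it, so hasConsent() is false from this point on.
  withdraw(purpose) {
    const rec = this.store.get(purpose);
    if (!rec) return false;
    this.store.set(purpose, { ...rec, withdrawnAt: this.now() });
    return true;
  }

  // Access request: a copy of every decision on file for this visitor.
  exportRecords() {
    return Array.from(this.store, ([purpose, rec]) => ({ purpose, ...rec }));
  }

  // Deletion request: drop all consent state. Nothing loads again until the
  // visitor opts in afresh. Returns the number of records removed.
  erase() {
    const count = this.store.size;
    this.store.clear();
    this.pending.clear();
    return count;
  }
}

// One simulated visit: page load, opt-in, withdrawal, access and deletion.
function runDemo() {
  const gate = new ConsentGate(new Map(), () => 1711929600000); // constructed fixed clock
  let loads = 0;
  const loadAnalytics = () => { loads += 1; }; // stands in for injecting a <script> tag

  gate.gate("analytics", loadAnalytics);
  const loadedBeforeConsent = loads;          // nothing ran on page load
  gate.grant("analytics", { control: "consent-banner", action: "accept" });
  const loadedAfterConsent = loads;           // released by the explicit opt-in
  gate.withdraw("analytics");
  gate.gate("analytics", loadAnalytics);      // parked again, not run
  const loadedAfterWithdrawal = loads;
  const records = gate.exportRecords();       // access request
  gate.erase();                               // deletion request
  const remainingAfterErase = gate.exportRecords().length;
  return { loadedBeforeConsent, loadedAfterConsent, loadedAfterWithdrawal, records, remainingAfterErase };
}
```

The design choice that matters for MHMD is in `hasConsent()`: a missing record, a refusal, a withdrawn record, and a record taken under an older policy version all evaluate to "no consent", so a tracker only ever runs after a fresh, affirmative choice. Keeping withdrawn and refused records (rather than deleting them) gives you the opt-in documentation mentioned elsewhere in this guide, while `erase()` honours an actual deletion request.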

If your patient portal collects personal health data, it must comply with the MHMD Act. This includes providing opt-in consent for data collection, ensuring data security, and updating privacy policies to reflect the broader data protection guidelines.

Steps to Ensure MHMD Compliance for Your Website

  1. Implement Opt-In Consent Mechanisms
     Ensure that any personal data collection, including through third-party tools, includes a clear opt-in consent form.
  2. Update Your Privacy Policy
     Your privacy policy should be comprehensive and detail how data is collected, stored, and processed, especially if using third-party services.
  3. Perform Regular Security Audits
     Conduct frequent security audits to ensure that your website's SSL certificates, encryption, and other protective measures are up to date.
  4. Review and Update Third-Party Contracts
     Ensure all third-party service providers offer HIPAA and MHMD compliance and sign a Business Associate Agreement (BAA) when necessary.

Why Washington Healthcare Providers Must Act Now

The My Health My Data Act is a significant expansion of healthcare privacy laws in Washington State. If your practice’s website is not yet compliant, you could face audits, fines, and legal consequences. Even if your site doesn’t collect PHI, it’s still subject to MHMD regulations due to the broader definition of personal health data.

Immediate Steps to Take:

  1. Implement an opt-in consent mechanism for any data collection.
  2. Update your website’s privacy policy to include information about how data is collected and used.
  3. Ensure your website has proper security measures in place, including SSL encryption and protection against breaches.
  4. Set up a free 15-minute consultation call with HIPAA Website Hosting to assess your current website and determine what updates are needed to ensure compliance with the MHMD Act. Our experts will guide you on the specific steps required to stay compliant and secure.

Get Your Website Compliant with HIPAA Website Hosting

To avoid penalties and ensure your practice is compliant with the My Health My Data Act, it’s crucial to act now. HIPAA Website Hosting offers a free website audit to assess your current compliance and recommend the necessary updates.
Take the first step toward securing your practice by scheduling a free consultation with our compliance specialists. Click here to book your free website audit and make sure your website is compliant with HIPAA, MHMD, and other critical regulations.
Sources

Washington State Legislature - HB 1155 My Health My Data Act

  • Official Website: link
  • 1155 Bill: link
  • Protecting Washingtonians’ Personal Health Data and Privacy: link