Washington MHMDA
Difference between HIPAA and MHMDA
The Washington My Health My Data Act (MHMDA) introduces privacy protections that extend beyond those established by the Health Insurance Portability and Accountability Act (HIPAA). Key distinctions between the two include:

Scope and Applicability
- HIPAA: Applies to "covered entities" such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates handling protected health information (PHI).
- MHMDA: Covers a broader range of entities, including any legal entity that conducts business in Washington or targets products or services to Washington consumers and determines the purpose and means of collecting, processing, sharing, or selling consumer health data. This includes organizations beyond traditional healthcare providers.
Definition of Protected Data
- HIPAA: Protects PHI, which includes individually identifiable health information related to an individual's past, present, or future physical or mental health condition, healthcare provision, or payment for healthcare services.
- MHMDA: Protects "consumer health data," encompassing any personal information linked to a consumer's health status, including data derived from non-health-related activities that can be associated with health conditions. This broader definition includes information such as browsing behavior on health-related websites and lifestyle choices.
Consent Requirements
- HIPAA: Allows the use and disclosure of PHI for treatment, payment, and healthcare operations without explicit patient consent.
- MHMDA: Requires consumer consent before collecting or sharing health data, even for purposes like providing services or processing transactions. This ensures consumers are informed and have control over their health data.
Consumer Rights
- HIPAA: Grants individuals rights to access and amend their PHI and receive an accounting of certain disclosures.
- MHMDA: Provides consumers with rights to access and delete their health data and to withdraw consent for its collection and sharing. It also ensures the right to data portability and prohibits discrimination against consumers exercising these rights.
Prohibition of Geofencing
- HIPAA: Does not address geofencing practices.
- MHMDA: Prohibits the use of geofencing technology around healthcare facilities to collect data or target advertisements without consumer consent, enhancing privacy protections in sensitive locations.
Enforcement and Penalties
- HIPAA: Enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services, with penalties ranging from fines to corrective action plans.
- MHMDA: Allows for enforcement by the Washington Attorney General and provides a private right of action, enabling consumers to sue for violations. This can result in statutory damages, injunctions, and other remedies.
Knowledge Check
Choose the best answer for the question.
3-10-Washington. How does the definition of protected health data differ between HIPAA and MHMDA?