Is my Washington medical practice subject to MHMDA?

If you only handle PHI under HIPAA, no. If you also run consumer-facing programs (wellness apps, community-health data, public-engagement tools), MHMDA applies to that side. Audit your data flows to identify the boundary.

What's the geofencing prohibition?

MHMDA prohibits creating a virtual perimeter within 2,000 feet of a healthcare facility for the purpose of identifying consumers seeking healthcare. This affects healthcare-marketing technology stacks; any geofencing within that radius for healthcare-related targeting violates MHMDA.

Does MHMDA apply to fitness apps and period trackers?

Yes. MHMDA explicitly targets consumer health data held by entities outside HIPAA's scope. Period-tracking apps, fitness trackers, and similar consumer health products are squarely within MHMDA's remit, including the consent and consumer-rights obligations.

Does HIPAA preempt MHMDA?

MHMDA exempts data subject to HIPAA, so the two regimes don't directly conflict. Where data falls outside HIPAA — consumer apps, pre-clinical engagement, voluntary wellness data — MHMDA fills the gap.

What are MHMDA penalties?

MHMDA includes a private right of action under Washington's Consumer Protection Act. Damages can include actual damages, treble damages where willful, and attorney's fees. Class-action exposure is significant; this is the same enforcement mechanism that drove BIPA litigation in Illinois.

State-Specific

Washington NPP Requirements + My Health My Data Act

By NPP Generator Research Team · Published Apr 25, 2026 · Last reviewed Apr 28, 2026 · 7 min read

Need to update your NPP?

Update → Generate new →

Quick answer: Washington HIPAA covered entities follow HIPAA's NPP rules. Separately, Washington's My Health My Data Act (MHMDA, 2024) imposes consent and disclosure obligations on non-HIPAA-covered consumer health data — wellness apps, fitness trackers, period-tracking apps, etc. If your practice or a vendor handles consumer health data outside HIPAA's scope, MHMDA's separate consent and consumer-rights regime applies in addition.

Washington's My Health My Data Act, which took effect in March 2024, was the first state law specifically targeting consumer health data outside HIPAA's scope. For most HIPAA covered entities, MHMDA doesn't change the NPP itself — HIPAA-covered PHI is exempt. But for healthcare entities operating dual products (clinical care + a consumer wellness app, for example), MHMDA materially expands disclosure obligations.

Family resources. For the broader cross-state-law landscape, see ComplyCreate's HIPAA vs state privacy laws guide.

MHMDA's scope: where HIPAA ends

MHMDA targets "consumer health data" held by entities that are not HIPAA-covered or are not handling the data under HIPAA. The statute's definition is expansive — it includes any data identifying a consumer's past, present, or future physical or mental health status, including biometric data, location data revealing health-status, gender-affirming care info, and reproductive or sexual health data.

If your organization is exclusively a HIPAA covered entity acting on PHI, MHMDA exempts that activity. If you have separate consumer-facing operations (e.g., a wellness app marketed to consumers, a community-health-data initiative), MHMDA likely applies to that side.

Practical implications for Washington healthcare entities

Three scenarios commonly trigger MHMDA review for Washington healthcare practices and vendors:

Wellness or community-engagement programs run outside the clinical EHR. If your practice runs a wellness program where consumers (not patients) submit health data, MHMDA likely applies to that data even if HIPAA doesn't.
Digital-health vendors offering both HIPAA-covered services and consumer apps. The HIPAA-covered side is exempt; the consumer side falls under MHMDA.
Healthcare practices using consumer apps to engage patients before they become patients. Pre-engagement (intake forms on the public website, marketing-list signups) may fall under MHMDA before the clinical relationship triggers HIPAA.

MHMDA-specific NPP-adjacent disclosures

MHMDA requires a separate Consumer Health Data Privacy Policy (distinct from a HIPAA NPP) covering:

Categories of consumer health data collected
Purposes of collection and processing
Categories of sources
Whether data is sold (broadly defined) and to whom
Specific consumer rights (access, deletion, withdraw-consent)
Authentication procedures for consumer requests
Contact information for the controller

Avoiding MHMDA pitfalls

Two implementation traps catch Washington practices:

The geofencing prohibition. MHMDA prohibits geofencing within 2,000 feet of a healthcare facility for the purpose of identifying or tracking consumers seeking healthcare services or sending notifications. Healthcare practices using geofencing for marketing or engagement should audit those programs.
Consent specificity. MHMDA's consent requirements are stricter than HIPAA's. A general HIPAA authorization isn't necessarily MHMDA-compliant. Healthcare entities running consumer-facing programs need MHMDA-tailored consent flows.

How this affects your Washington NPP

For most clinical practices, the NPP itself doesn't change — the HIPAA NPP covers HIPAA-protected encounters. But the practice should:

Audit which information flows fall outside HIPAA's scope (consumer apps, pre-clinical engagement, wellness programs)
Maintain a separate Consumer Health Data Privacy Policy if MHMDA applies
Reference the boundary in the NPP itself, so patients understand which data is HIPAA-protected and which falls under different rules
Apply MHMDA breach-notification requirements to non-HIPAA breaches

How this fits with the HHS February 2026 revised model

The HHS February 2026 final rule revised the NPP model and clarified several content requirements. Practices issuing or updating an NPP after February 16, 2026 should align to the new model. Key changes that affect every NPP regardless of specialty include: the addition of mandatory language describing the practice's safeguards against unauthorized AI-driven uses of PHI; updated breach-notification language reflecting Cures Act information-blocking interactions; refined Right of Access language describing electronic-format options; and updated language around marketing communications.

For practices that updated to the HHS Feb 2026 model upon publication, no further regulatory NPP work is required until the next material change. Practices still on pre-February-2026 templates should update before their next material-change cycle to avoid drift.

Common implementation pitfalls

Across audits and routine compliance reviews, several specific implementation pitfalls recur:

Privacy Officer drift. The named Privacy Officer leaves or moves to a different role; the NPP isn't updated.
Acknowledgment-form mismatch. The acknowledgment form references an outdated NPP version. The form should always reference the current effective date.
Multi-site inconsistency. Multi-location practices inadvertently use slightly different NPPs at different sites. Standardize on a single document.
Translation drift. Practices providing Spanish or other-language NPPs sometimes update one language and not the other. Maintain version parity.
Vendor-relationship update lag. When the practice adds or removes a major vendor relationship, the NPP isn't updated to reflect the new data flow until much later.

Audit-readiness considerations

When OCR or a state regulator audits, the NPP review typically asks for:

Current NPP version with effective date
Sample acknowledgment forms from the past 12 months
Documentation of distribution process (front-desk procedure, telehealth workflow)
Evidence of website posting (URL of public-facing NPP page)
Evidence of physical posting (typically a photograph of the lobby posting)
Documentation of material changes and re-distribution events
Privacy Officer contact and complaint-log
Training records (HIPAA-required workforce training, plus any state-specific requirements)

Quick reference checklist

When producing or updating an NPP, work through this checklist:

Identify the legal covered entity. One NPP per legal entity. If you have multiple legal entities, you need multiple NPPs.
List all clinical locations covered by this entity, including any virtual-only telehealth presence
Confirm the Privacy Officer. Name, title, contact information. Update when this person changes.
Inventory uses and disclosures. What data flows happen in your practice? Each major flow should be reflected in the NPP's permitted-use section.
Confirm authorization-required disclosures. Marketing, sale of PHI, psychotherapy notes, and any state-specific authorization-required categories.
Verify HIPAA-required content. Header statement, all eight individual rights, entity duties, complaint procedures, breach notification rights, paper-copy availability.
Add state-law overlay. If your state has additional protection (mental health, HIV, genetic, biometric), reflect it in the NPP.
Set effective date and last-revised date. Both should be current and visible.
Distribution mechanics. First-encounter delivery, website posting, physical posting, electronic availability, multi-language versions if applicable.

How NPP Generator helps

Producing a HIPAA-compliant Notice of Privacy Practices from scratch — even with the HHS February 2026 model as a starting point — typically takes a few hours of attention to entity-specific details: practice name, locations, Privacy Officer, vendor relationships, state-specific overlays, sensitive-record categories, communication preferences, and effective-date management.

NPP Generator's tool walks through a guided intake, captures the practice-specific information, and produces a formatted PDF and editable Word document aligned to the HHS February 2026 model in about five minutes. The tool also handles state-specific overlay language for the major state-law regimes and produces a current-effective-date document ready for distribution. For practices that need state-specific overlay (Texas HB300, Illinois MHDDC, California CMIA/CCPA, etc.), the tool's state-handler ensures the right elevated-protection language appears in your final document.

About state-law and federal preemption

HIPAA establishes a federal floor for health-information privacy. State laws are not preempted where they are more protective of patient privacy than HIPAA — that's the basic preemption rule under 45 CFR § 160.203. The interaction can be subtle: a state law may be stricter on a specific topic (HIV records, mental-health records, genetic information) without being globally stricter than HIPAA. The NPP must reflect the stricter rule wherever it applies. Practices serving patients in multiple states often issue a single NPP that incorporates the strictest applicable rules across those states; multi-state organizations sometimes use state-specific NPP versions for clarity. For organizations subject to specific federal regimes beyond HIPAA — 42 CFR Part 2 for SUD, FERPA for educational records, Title X for federally-funded family-planning services — the NPP should describe how those regimes interact with HIPAA's framework.

More state-specific NPP guides

NPP for California NPP for Massachusetts NPP for New York NPP for Florida NPP for Georgia NPP for Illinois NPP for New Jersey NPP for Pennsylvania NPP for Texas

Generate a compliant NPP in 5 minutes

HHS Feb 2026 model · Part 2 SUD language · Section 1557 taglines · whether you're updating or starting fresh.

Update my existing NPP → Generate a new NPP →

No subscription · PDF + Word · Free watermarked preview · See sample →

Related: State-specific NPP guides

Florida Georgia Illinois New Jersey Pennsylvania Texas