If you run a clinic in Washington, new data privacy laws like the My Health My Data Act (MHMDA) and federal HIPAA regulations mean you must handle patient information with care - or face serious legal and financial risks. Here's what you need to know:

  • HIPAA applies to clinics billing insurance or handling Protected Health Information (PHI).
  • MHMDA, effective March 31, 2024, protects broader "consumer health data", including wellness, cosmetic, and even website activity data.
  • Violations under MHMDA can lead to lawsuits, as individuals can sue directly for non-compliance.

Key steps for clinics:

  • Publish a clear privacy policy.
  • Get consent before collecting or sharing non-essential data.
  • Avoid geofencing for marketing near healthcare facilities.
  • Use secure, HIPAA-compliant platforms for intake, records, and communications.

Platforms like Prospyr can simplify compliance by centralizing patient data, tracking consents, and ensuring secure messaging. Failure to comply could result in lawsuits, fines, and reputational damage, but following these guidelines can protect your practice and patient trust.

Understanding the My Health My Data Act (MHMDA)

The My Health My Data Act (MHMDA) introduces a new layer of requirements for clinics, reshaping how patient data is managed. This Washington state law broadens the scope of health-related data protection, going well beyond traditional medical records.

What the MHMDA Covers

Under MHMDA, "consumer health data" is defined broadly. It includes any personal information tied to an individual that reveals their physical or mental health, use of health services, or even efforts to seek care. For clinics focused on aesthetics and wellness, this means more than just medical records. It covers online consultation requests, treatment preferences, appointment histories, notes on desired outcomes, participation in health-related membership programs, and even website activity that shows interest in specific treatments. The Act also extends to reproductive health, gender-affirming care, biometric and genetic data, and location data tied to health-related visits.

A "regulated entity" under this law includes any nongovernmental organization doing business in Washington or targeting products and services to Washington consumers. If your clinic collects, processes, shares, or sells health-related data from Washington residents - even through a simple website inquiry form - you’re likely covered. Importantly, there are no revenue or data-volume thresholds, meaning even small practices or med spas fall within the law’s reach.

What Clinics Must Do Under MHMDA

MHMDA outlines several obligations for handling patient data. Key provisions took effect on March 31, 2024, for most entities, while the geofencing restrictions began earlier, on July 23, 2023.

  • Privacy Policy: Clinics must publish a clear and accessible privacy policy detailing what health data is collected, why it’s collected, how it’s used, and with whom it’s shared. This policy should be easy to find - linked on your homepage and included with digital forms - and must reflect actual practices.
  • Consent Requirements: Clinics need opt-in consent for collecting and sharing any data not essential for delivering services. Digital intake forms and online booking tools must provide standalone consent options, separating treatment-related consent from marketing or third-party data sharing.
  • Data Sale Restrictions: The Act defines "sale" broadly, covering exchanges of health data for monetary or other benefits, even in cases where no direct payment is involved. Clinics must obtain separate, written authorization for any sale of data and retain it for six years.
  • Geofencing Ban: The use of geofencing for marketing or profiling within 1,750 feet of healthcare facilities is prohibited.
  • Consumer Rights: Clinics must have workflows in place to handle patient requests, including data access, deletion, consent withdrawal, and a list of third parties with whom their data has been shared.

How MHMDA Affects Daily Clinic Operations

MHMDA impacts nearly every aspect of clinic operations, from intake processes to marketing strategies.

  • Intake and Data Collection: Digital forms must clearly explain why each piece of information is being collected, separating essential care data from optional details. Consent for optional data must be embedded directly into the workflow.
  • Email and SMS Communications: Clinics should only send health-related messages to patients who’ve explicitly consented. Systems must track these consents and allow patients to withdraw them easily.
  • Marketing and Analytics: Tools like website trackers, social media ads, and analytics must comply with the law. For example, if cookies or pixels track a visitor’s interest in specific treatments, explicit consent is required before deploying them.
  • Vendor Management: If third-party tools are used for scheduling, marketing, or payment processing, clinics must ensure these vendors comply with their privacy policy. This involves reviewing contracts, updating data agreements, and configuring technology to handle consent and data requests properly.

Platforms like Prospyr (https://prospyrmed.com) can help clinics streamline compliance by centralizing scheduling, digital intake, and consent tracking. These tools create audit trails and workflows that demonstrate good-faith efforts to meet MHMDA’s requirements.

It’s worth noting that MHMDA allows consumers to sue non-compliant businesses directly under Washington’s consumer protection laws, increasing litigation risks. Unlike other privacy laws that rely on enforcement by state attorneys general, this private right of action means clinics must take compliance seriously. By aligning with MHMDA and broader privacy standards, clinics can better protect themselves from legal challenges.

HIPAA Compliance for Aesthetic and Wellness Clinics

For aesthetic and wellness clinics, understanding the compliance framework shaped by HIPAA and Washington's MHMDA is crucial. HIPAA focuses on protecting specific health information, while MHMDA covers broader consumer health data. Knowing when these laws apply and how to navigate them is essential for clinic operations.

When HIPAA Applies to Your Clinic

HIPAA applies to covered entities, which include healthcare providers that electronically transmit health information for specific transactions like insurance billing or claims. If your clinic submits electronic claims, bills health plans, or uses a clearinghouse for payment processing, it likely falls under HIPAA. This applies to aesthetic and wellness clinics offering services such as reconstructive procedures, hormone therapy, or other medically necessary treatments covered by insurance.

Some clinics operate in a gray zone. For instance, a cash-pay med spa that avoids insurance billing might not be a HIPAA-covered entity. However, HIPAA obligations can arise if the clinic accepts insurance, shares patient records with a supervising medical director, or integrates with an EHR/EMR system that transmits standard transactions.

Business associates are external vendors or service providers handling PHI on behalf of a covered entity. For clinics, this might include cloud-based practice management systems, billing services, telehealth platforms, marketing tools that access PHI, or IT support teams with system access. These relationships require written business associate agreements (BAAs) that clearly define responsibilities for safeguarding PHI.

Examples that could trigger HIPAA requirements include shared office spaces, remote chart reviews, or data sharing between affiliated clinics. The key is whether the clinic engages in HIPAA-standard electronic transactions or manages PHI for another covered entity.

Next, let’s explore the core rules that shape HIPAA compliance for clinics.

Main HIPAA Rules for Clinics

Once HIPAA applies, three primary rules govern how clinics handle PHI in their day-to-day operations.

Privacy Rule: This rule outlines how PHI can be used or disclosed. PHI refers to identifiable health information about an individual’s health, healthcare services, or payment for care, created or received by a covered entity or business associate. In aesthetic clinics, PHI might include medical histories, treatment notes, lab results, billing details, appointment records, or even before-and-after photos when linked to identifiable patients.

Clinics can use and share PHI for treatment, payment, and healthcare operations without patient authorization. However, using PHI for marketing - like sending promotional emails or sharing patient testimonials - requires explicit written consent unless it qualifies as a healthcare operation or appointment reminder. Clinics must also provide patients with a Notice of Privacy Practices, explaining how their information will be used and their rights.

Everyday activities like sending text reminders, using digital intake forms, or running loyalty programs can involve PHI. For example, a text saying, "Your Botox appointment is tomorrow at 2:00 PM", reveals both the patient’s identity and the treatment they’re receiving. Posting before-and-after photos without proper consent also risks violating the Privacy Rule.

Security Rule: This rule requires clinics to safeguard electronic PHI (ePHI) through administrative, physical, and technical measures. Administrative steps include conducting risk assessments, training staff, managing user access, and having an incident response plan. Physical protections cover facility access controls, workstation security, and device management. Technical safeguards include using encryption, audit logs, and secure communication channels.

Key measures for clinics include role-based permissions in EMR/CRM systems, encrypted devices, secure Wi-Fi networks with separate guest access, and documented onboarding/offboarding procedures. HIPAA-compliant platforms can help enforce these safeguards by offering features like unique logins, audit trails, and encrypted messaging.

Breach Notification Rule: If PHI is accessed or disclosed without authorization, clinics must determine whether the incident poses a low probability of compromise. If it doesn’t, the breach must be reported. Affected individuals, the U.S. Department of Health and Human Services (HHS), and sometimes the media must be notified - typically within 60 days. A common example is sending a treatment plan to the wrong email address. Clinics should have a written incident response plan detailing steps for containment, documentation, risk assessment, and notification procedures.

How HIPAA and MHMDA Work Together

For clinics in Washington, understanding how HIPAA and MHMDA intersect is essential. HIPAA focuses on PHI handled by covered entities and business associates, while MHMDA governs broader "consumer health data" collected by apps, websites, and nontraditional sources. According to the Washington Attorney General, 76% of residents support stronger protections for personal health data beyond HIPAA’s scope.

Clinics subject to both HIPAA and MHMDA must navigate these frameworks carefully. HIPAA governs traditional PHI, such as medical records, billing data, and clinical notes. MHMDA, on the other hand, applies to consumer health data like website tracking pixels, wellness questionnaires, app-based interactions, location data tied to clinic visits, and marketing lists built from online inquiries.

HIPAA generally overrides state laws that conflict with it, but state laws offering stricter protections take precedence. For instance, while HIPAA allows certain healthcare operations without patient consent, MHMDA may require opt-in consent for collecting and sharing nonessential data.

Cash-pay or "non-medical" clinics face unique challenges. A med spa offering cosmetic injectables without insurance billing or a wellness center providing IV hydration may not qualify as HIPAA-covered entities. However, if they collect, process, or share consumer health data from Washington residents, they must comply with MHMDA.

Using an integrated, HIPAA-compliant practice management system can help clinics align with both frameworks. Platforms like Prospyr (https://prospyrmed.com) centralize patient management, scheduling, digital intake, payments, and communication in a secure environment. Features like role-based access, audit logging, encryption, and BAAs address federal requirements, while configurable consent workflows and marketing controls support MHMDA compliance.

Stay tuned to learn how to implement these compliance measures effectively in your clinic.

How to Implement Compliance in Your Clinic

Turning knowledge of regulations into actionable compliance measures requires a well-organized plan. Clinics must carefully map how data flows through their systems, set up robust safeguards, and utilize the right tools to maintain compliance without interfering with daily operations.

Safeguards for Protecting Data

Start by mapping out all data flows to pinpoint where patient and consumer health information is created, stored, and transmitted. This includes platforms like electronic medical records (EMRs), scheduling tools, marketing systems, online forms, texting platforms, and social media lead capture tools. A clear map ensures no gaps in coverage under regulations such as HIPAA and MHMDA, which were discussed earlier.

Assign a privacy lead or committee to create a written compliance program covering both HIPAA and MHMDA. This program should include a detailed timeline with milestones for updating policies, configuring systems, and training staff.

Administrative safeguards are essential and should include written policies on data access, minimum necessary use, incident response, vendor management, data retention and deletion, and patient rights. These policies need regular reviews - at least annually or whenever there are updates to laws, technology, or clinic workflows. Regular risk assessments and documented staff training ensure everyone understands their responsibilities.

Physical safeguards address real-world risks. Secure workstations and storage areas with lockable spaces, use screen privacy filters, enforce visitor sign-in procedures, and implement clean desk policies. Clear guidelines should be in place for removing devices or paper records from the clinic, especially when staff work in public spaces.

Technical safeguards focus on securing technology. Use strong authentication methods, such as unique logins with strong passwords and multi-factor authentication. Role-based permissions ensure staff only access the data they need. For instance, front desk staff may only need scheduling details, while marketing teams might only handle de-identified data.

Encryption is critical for protecting data both "in transit" and "at rest." Use full-disk encryption for stored data and secure connections (like TLS) for transmitted information. Opt for HIPAA-compliant messaging portals or email and SMS gateways for sharing clinical details. Audit logs are essential to track access and modifications, enabling quick detection of issues.

Apply these safeguards consistently across all platforms, and review access permissions quarterly or whenever staff roles change. A centralized practice management system with role-based access controls can simplify this process, ensuring policies are uniformly enforced.

An incident response plan is also crucial. Define what qualifies as a security or privacy breach - examples include misdirected emails, lost devices, unauthorized access, or phishing attacks. The plan should outline internal notification procedures, assign responsibilities for containment and investigation, and specify timelines for notifying affected individuals and regulators. Maintain an incident log, preserve evidence, and conduct regular tabletop exercises to prepare for potential breaches.

Leveraging Technology for Compliance

Beyond safeguards, technology can play a pivotal role in streamlining compliance. Centralized platforms that integrate EMR, CRM, scheduling, intake, communications, and analytics into a single HIPAA-compliant system reduce the risk of fragmented data and inconsistent policies. These systems ensure uniform role-based permissions, audit logging, encryption, and retention rules across all types of data, from clinical notes to marketing interactions.

Prospyr (https://prospyrmed.com) is an example of a HIPAA-compliant, cloud-based platform tailored for aesthetics and wellness clinics. It combines patient data and care management into one system, improving both operational efficiency and patient experience while ensuring data security.

The platform’s digital intake forms feed data directly into a secure system, with privacy and consent language included at the point of collection. Automated scheduling and reminders can be configured to avoid exposing sensitive health details, keeping communications secure.

For marketing automation, Prospyr captures health-related interests using opt-ins and structured tagging, securely funneling leads from websites and social media into its CRM. Automated workflows create an audit trail that demonstrates proper permissions and restricted data access. This centralization simplifies honoring patient rights requests, such as searching, exporting, or deleting data, all from one system.

The benefits of consolidation are clear. For example, New Life Cosmetic Surgery, led by Dr. Daniel Lee, saw a 50% revenue increase and a 40% rise in appointments after switching from multiple systems to Prospyr. Dr. Lee shared:

"We've seen a 50% increase in revenue and a 40% increase in appointments booked since switching away from using several different point solutions to running our practice on Prospyr."

As highlighted earlier, protecting data is vital for compliance and building trust with patients. Clinics should ensure staff training is tailored to specific roles, focusing on what staff can and cannot do with patient data, how to securely use the clinic’s systems, and how to identify and report potential incidents. Regular training and refresher sessions help maintain compliance while safeguarding both patient information and the clinic’s reputation.

Patient Rights and Clinic Workflows

Washington’s data privacy laws give patients considerable control over their health information. By understanding these rights and creating effective systems to respect them, clinics can reduce legal risks while building trust with their patients. This sets the foundation for workflows that ensure these rights are upheld.

What Rights Patients Have Under MHMDA and HIPAA

Both the MHMDA and HIPAA grant patients specific rights, though they differ in scope. HIPAA applies to covered entities like healthcare providers, health plans, and clearinghouses. On the other hand, the MHMDA extends protections to any organization collecting consumer health data in Washington, including aesthetic and wellness clinics that might not fall under HIPAA.

Under the MHMDA, patients have four key rights:

  • The right to know if their health data is being collected, shared, or sold.
  • The right to access their health data, including a list of third parties who have received it.
  • The right to withdraw consent, stopping future data collection, sharing, or selling.
  • The right to request corrections to inaccurate health data.

Unlike HIPAA, which relies on the Department of Health and Human Services for enforcement, the MHMDA allows patients to sue directly for violations. This private right of action reflects strong public support, with 76% of Washington residents backing the MHMDA’s protections.

When patients request their health data, clinics must provide it in standard electronic formats like PDF or CSV. The data should be presented clearly and include explanations for any technical terms.

For deletion requests, clinics must verify any legal retention requirements before erasing data, as some records may need to be kept under state law. Documenting the decision-making process for each request ensures compliance.

If a patient withdraws consent, clinics should immediately stop collecting and sharing data, record the withdrawal date, and notify any third parties involved.

With these rights in mind, clinics need structured workflows to handle these requests effectively.

Setting Up Workflows to Handle Patient Rights

To consistently honor patient rights, clinics must establish clear and efficient workflows. Start by assigning a specific staff member or team to handle these requests, ensuring accountability and uniformity.

A centralized consent management system is essential. This system should track each patient’s consent status, including what they’ve agreed to, when consent was given, and any expiration dates. Integrating this system with your EMR or practice management platform ensures staff always have access to up-to-date information. When consent is withdrawn, the system should document the date and notify any third parties who previously received the data.

Set internal response timelines for patient requests - aiming for 30 to 45 days for access requests, in line with HIPAA recommendations. For correction requests, verify the information’s accuracy, update the record if needed, or document the patient’s dispute. Keeping detailed records of all requests and responses not only demonstrates compliance but also protects the clinic in case of disputes.

Digital intake forms should include clear privacy and consent language at the point of data collection. For data sales authorizations, use systems that automatically retain consent records for the required six-year period. Even if your clinic doesn’t sell data, documenting this in your privacy policy demonstrates transparency.

Automated alerts can simplify management by notifying staff when a patient’s consent is about to expire or has been withdrawn. Regular audits - conducted at least quarterly - help ensure patient requests are properly addressed.

When fulfilling access requests, provide patients with a summary document that explains what data was collected, why it was collected, and how it has been used. Presenting this information in an easy-to-read format, rather than raw database exports, promotes clarity and trust.

Using a HIPAA-compliant practice management platform designed to meet MHMDA requirements can make these processes easier. For instance, Prospyr’s integrated system centralizes patient consent information and automates notifications, streamlining request management within a single platform.

Staff training is another critical component. Every team member should know how to identify patient rights requests, where to route them, and what commitments to avoid. Tailor training to specific roles - whether front desk, clinical staff, or marketing - so everyone can handle requests appropriately. Standardized response templates for acknowledging requests, providing data access, confirming corrections, and documenting deletions can further streamline processes and ensure consistency.

Finally, track key metrics related to patient rights requests. Monitoring the volume, types, and response times of these requests not only helps identify inefficiencies but also reinforces your clinic’s commitment to compliance and patient trust.
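One way to implement the consent ledger these workflows describe (purpose-specific opt-ins kept separate from treatment consent, withdrawal dates with the list of third parties to notify, expiry alerts, an access-request summary that names every recipient, and the six-year retention of data-sale authorizations), written here as an added Python example; it is not Prospyr's code or any vendor's API, and the purpose names, the 30-day alert window and the sample values are assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Purposes are tracked separately so treatment consent never doubles as
# consent for marketing, third-party sharing or a data sale (standalone opt-in).
PURPOSES = ("treatment", "marketing", "third_party_sharing", "data_sale")
SALE_RETENTION_YEARS = 6   # written sale authorizations are kept for six years


@dataclass
class ConsentRecord:
    patient_id: str
    purpose: str
    granted_on: date
    expires_on: Optional[date] = None
    withdrawn_on: Optional[date] = None

    def active_on(self, day: date) -> bool:
        """Usable only from the grant date until expiry or withdrawal."""
        if self.withdrawn_on is not None and day >= self.withdrawn_on:
            return False
        if self.expires_on is not None and day > self.expires_on:
            return False
        return day >= self.granted_on


@dataclass
class ShareEvent:
    patient_id: str
    recipient: str   # the third party that received the data
    purpose: str
    shared_on: date


class ConsentLedger:
    def __init__(self) -> None:
        self.consents: List[ConsentRecord] = []
        self.shares: List[ShareEvent] = []
        self.audit: List[str] = []   # append-only trail of every decision

    def record_consent(self, patient_id: str, purpose: str, granted_on: date,
                       expires_on: Optional[date] = None) -> ConsentRecord:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown consent purpose: {purpose}")
        rec = ConsentRecord(patient_id, purpose, granted_on, expires_on)
        self.consents.append(rec)
        self.audit.append(f"{granted_on} {patient_id} granted {purpose}")
        return rec

    def has_consent(self, patient_id: str, purpose: str, day: date) -> bool:
        return any(c.patient_id == patient_id and c.purpose == purpose
                   and c.active_on(day) for c in self.consents)

    def share(self, patient_id: str, recipient: str, purpose: str, day: date) -> bool:
        """Log a disclosure only when an active, purpose-specific consent exists."""
        if not self.has_consent(patient_id, purpose, day):
            self.audit.append(f"{day} BLOCKED {purpose} share of {patient_id} to {recipient}")
            return False
        self.shares.append(ShareEvent(patient_id, recipient, purpose, day))
        self.audit.append(f"{day} shared {purpose} data of {patient_id} with {recipient}")
        return True

    def withdraw(self, patient_id: str, purpose: str, day: date) -> List[str]:
        """Record the withdrawal date; return the third parties that must be notified."""
        for c in self.consents:
            if c.patient_id == patient_id and c.purpose == purpose and c.active_on(day):
                c.withdrawn_on = day
        notify = sorted({s.recipient for s in self.shares
                         if s.patient_id == patient_id and s.purpose == purpose})
        self.audit.append(f"{day} {patient_id} withdrew {purpose}; notify {notify}")
        return notify

    def expiring_soon(self, day: date, window_days: int = 30) -> List[ConsentRecord]:
        """Staff alert: active consents that lapse within the window (30 days assumed)."""
        horizon = day + timedelta(days=window_days)
        return [c for c in self.consents if c.active_on(day)
                and c.expires_on is not None and c.expires_on <= horizon]

    def access_report(self, patient_id: str, day: date) -> Dict[str, object]:
        """Plain-language summary for an access request, including the third-party list."""
        consents = [{"purpose": c.purpose, "granted_on": c.granted_on.isoformat(),
                     "status": "active" if c.active_on(day) else "inactive"}
                    for c in self.consents if c.patient_id == patient_id]
        parties = sorted({s.recipient for s in self.shares if s.patient_id == patient_id})
        return {"patient_id": patient_id, "consents": consents, "third_parties": parties}

    def sale_authorizations_to_retain(self, day: date) -> List[ConsentRecord]:
        """Data-sale authorizations still inside the six-year retention period."""
        try:
            cutoff = day.replace(year=day.year - SALE_RETENTION_YEARS)
        except ValueError:   # 29 Feb with no counterpart six years earlier
            cutoff = day.replace(year=day.year - SALE_RETENTION_YEARS, day=28)
        return [c for c in self.consents
                if c.purpose == "data_sale" and c.granted_on >= cutoff]
```

The audit list is what an auditor or a patient's access request is answered from, so it records blocked disclosures as well as permitted ones.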

Conclusion: Staying Compliant and Building Trust

Navigating Washington's data privacy requirements means aesthetic and wellness clinics must treat compliance as an ongoing effort. The My Health My Data Act (MHMDA) expands protections beyond traditional HIPAA standards, covering consumer health data collected through websites, intake forms, marketing platforms, and wellness apps. This means clinics need to evaluate every point where patient data is collected - whether it's online booking systems or treatment photos - and apply the highest standards to safeguard that information.

The stakes are high. The MHMDA empowers the Washington Attorney General to enforce violations and gives patients the right to sue under the state Consumer Protection Act. Combined with federal HIPAA penalties, even a single data breach can result in steep fines, loss of patient trust, and reputational harm. On the other hand, clinics that prioritize transparency and robust data protection often see increased patient trust, stronger reviews, and even higher revenue.

Investing in privacy programs does more than just help avoid penalties. It streamlines operations, improves data accuracy, and enhances documentation, saving staff time and reducing errors. By embedding privacy measures into scheduling, intake, marketing, and follow-up processes, clinics can see fewer no-shows, smoother patient communication, and better analytics to guide decisions on services and memberships. These operational benefits, as discussed earlier, can significantly improve efficiency and patient care.

Technology plays a key role in managing compliance. A centralized, HIPAA-compliant platform can integrate electronic medical records (EMR), secure messaging, digital intake, payment processing, and more - all while controlling who has access to sensitive data. For instance, New Life Cosmetic Surgery replaced four separate software systems with Prospyr and reported a 50% revenue increase and 40% more appointments booked. Dr. Daniel Lee, the clinic’s founder, shared:

"We've seen a 50% increase in revenue and a 40% increase in appointments booked since switching away from using several different point solutions to running our practice on Prospyr."

Platforms like Prospyr offer features such as role-based permissions, encrypted communications, audit logs, AI-assisted documentation, and built-in consent tracking. These tools not only meet MHMDA’s notice and consent requirements but also support effective marketing and patient communication.

Even smaller clinics can achieve compliance without needing extensive legal or IT resources. Steps like using HIPAA-compliant platforms, standardizing intake forms, enabling multi-factor authentication, and creating template responses for patient requests are manageable. Washington regulators provide resources to guide clinics, and many technology vendors include built-in safeguards to help practices implement strong security measures without starting from scratch.

To ensure compliance, map out all data collection points - such as website forms, intake systems, and payment platforms - to identify where HIPAA and MHMDA rules apply. Update privacy policies, unify consent forms, and integrate compliance into your digital workflows. Additionally, review marketing practices like geofencing, retargeting, or analytics scripts to ensure they align with MHMDA’s restrictions on sharing consumer health data without proper consent.

Beyond regulatory requirements, strong compliance fosters patient trust and operational excellence. When patients see their data is handled securely and transparently, they’re more likely to share their wellness goals, return for additional treatments, and recommend your clinic to others. By embedding privacy into your daily operations, you protect your patients, your practice, and your future growth.

Consider scheduling an internal privacy review and consulting legal counsel to ensure seamless integration of compliance measures. Explore HIPAA-compliant management platforms like Prospyr to align your workflows with MHMDA and HIPAA standards. The steps you take today will not only safeguard your clinic but also build patient loyalty, improve efficiency, and provide peace of mind - highlighting the connection between compliance and long-term success.

FAQs

What are the key differences between the My Health My Data Act (MHMDA) and HIPAA for clinics in Washington?

While both the My Health My Data Act (MHMDA) and HIPAA are designed to safeguard sensitive health information, their focus and reach are quite different. HIPAA is mainly concerned with regulating traditional healthcare entities like providers, insurers, and their business associates, ensuring the privacy and security of what’s known as protected health information (PHI). On the other hand, MHMDA takes a broader approach. It applies to any organization in Washington that collects, processes, or shares consumer health data - even those outside the traditional healthcare industry.

This distinction is particularly important for aesthetic and wellness clinics. Under MHMDA, these clinics face stricter rules around transparency and consent. They’re required to clearly communicate how they collect and use health-related data and must obtain explicit consumer consent before sharing it. What sets MHMDA apart is that it also protects data that might not meet HIPAA’s definition of PHI but is still health-related.

Navigating compliance with both laws is essential - not just to avoid penalties but also to maintain patient trust in an increasingly data-conscious world.

Under Washington’s My Health My Data Act (MHMDA), clinics are obligated to get explicit consent from patients before gathering, sharing, or selling their personal health information. This consent must be clear, fully informed, and directly tied to the specific purpose for which the data will be used. Patients also have the right to withdraw their consent whenever they choose.

On top of that, clinics must maintain a transparent privacy policy that clearly explains how they collect, use, and share health data. Meeting these requirements isn’t just about following the law - it’s a critical step in safeguarding patient privacy and steering clear of potential legal issues.

How can aesthetic and wellness clinics stay compliant with HIPAA and Washington's MHMDA when using digital tools for patient management?

To meet the requirements of HIPAA and Washington's MHMDA (My Health My Data Act), clinics need to rely on a secure platform specifically designed to protect patient data. Tools like Prospyr provide features such as encrypted communication, secure data storage, and privacy-focused functionalities that are tailored for aesthetic and wellness clinics.

Using a system built with compliance in mind allows clinics to handle patient information securely, improve operational efficiency, and build trust with clients - all while staying aligned with both state and federal regulations.