HIPAA (Health Insurance Portability and Accountability Act) and WPA (Washington Privacy Act) are two frequently referenced laws when discussing healthcare data protection.
HIPAA focuses primarily on the privacy and security of health information in the US. WPA broadens its scope to personal data protection for Washington State residents only.
Recently, Washington State also introduced another significant piece of legislation: the My Health My Data Act (MHMDA). Signed into law by Governor Jay Inslee on April 27, 2023, MHMDA expands privacy rules beyond the current federal and state privacy laws, adding another layer to the data protection ecosystem.
Let’s explore what sets these laws apart.
HIPAA vs WPA Compliance — Comparison
Here’s an overview of both laws:
| | HIPAA | WPA & MHMDA |
|---|---|---|
| Who It Applies To | Healthcare providers, health plans, healthcare clearinghouses, and business associates. | “Regulated entities” managing consumer health data. |
| Jurisdiction | Nationwide (U.S.) | Washington State |
| Enactment Date | 1996 | WPA: 2020, MHMDA: April 27, 2023 |
| Enacted By | U.S. Congress | Washington State Legislature (Governor Jay Inslee for MHMDA) |
| Primary Focus | Health Information Privacy & Security | Personal Data Protection for WA residents. MHMDA emphasizes health data. |
Information Covered Under HIPAA
In 1996, HIPAA was established to protect the confidentiality and security of specific health information. This legislation primarily covers what is termed Protected Health Information (PHI). PHI refers to any information that identifies a patient and is held or transmitted by a covered entity or business associate.
Examples of PHI include:
- Individual’s full name.
- Residential details such as street, city, county, and postal code (anything more detailed than the state).
- Dates directly related to the individual, such as birth, hospital admission, discharge, and death (other than the year), and the precise age of anyone 90 or older.
- Contact numbers, both landline and mobile.
- Numbers associated with fax machines.
- Email contact details.
- Social security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Bank or other financial account numbers.
- License or certificate numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Website addresses.
- IP addresses used for internet connections.
- Biometric identifiers like voice or fingerprint patterns.
- Photographic images and other unique identifying features.
- Any distinguishing feature or detail that could single out the individual.
Covered entities under HIPAA typically include:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
A business associate, as defined under HIPAA, is an individual or entity that performs certain functions or activities on behalf of, or provides specific services to, a covered entity, where those functions or services involve using or disclosing protected health information (PHI).
Examples of services provided by business associates include:
- Data processing or administration.
- Billing and coding.
- Data analysis, processing, or administration.
- Utilization reviews.
- Quality assurance.
- Benefit management.
- Practice management.
- Legal, actuarial, accounting, consulting, data aggregation, management, administrative, or financial services, where such activities involve the use or disclosure of PHI.
A HIPAA compliance software partner can help ensure PHI is protected so your business can earn the trust of patients and healthcare enterprises.
Information Covered Under WPA & MHMDA
While some aspects of MHMDA are broad-ranging, its primary focus is on “regulated entities” overseeing the management of “consumer health data.”
A “regulated entity” encompasses any legal establishment that:
- Operates in Washington or offers products or services intended for Washington consumers.
- Determines the purpose and means of collecting, processing, sharing, or selling consumer health data, alone or jointly with others.
Even establishments not based in Washington could fall under this definition if they engage in commercial activities linked to the state. Moreover, non-profit organizations aren’t exempted.
“Consumer health data” is described as personal details associated with an individual, outlining their current, past, or future health condition. MHMDA enumerates various health statuses, including:
- Specific health ailments, treatments, or diagnoses.
- Medical, psychological, and behavioral interventions.
- Medical procedures.
- Prescription medication usage.
- Bodily indicators or measurements related to health.
- Diagnostic tests and treatments.
- Information regarding gender identity.
- Reproductive or sexual health information.
- Biometric and genetic information.
- Location details that suggest a consumer’s intention to access health services or products.
- Data signaling a consumer’s pursuit of healthcare services.
- Any data, even non-medical, that is processed to link or recognize a consumer with the above health-related details using algorithms or machine learning.
MHMDA breaches fall under the purview of Washington’s Consumer Protection Act. Not only does the state attorney general hold the authority to act against such violations, but aggrieved consumers also possess the right to pursue legal action independently.
Rights & Controls Of the Data
HIPAA Patient Rights
According to the HIPAA Security Rule, covered entities must provide patients with the following rights:
- Access to Health Records: Patients can request to see and obtain copies of their health records.
- Amendments to Health Information: Patients can request corrections to their health information if inaccuracies are present.
- Receive a Notice: Patients should receive a notice explaining how their health information might be utilized and shared.
- Permission for Use and Sharing: Before using or sharing health information for specific purposes, such as marketing, patients have the right to decide if they want to provide their consent.
- Request Restrictions: Patients can request that a covered entity limit how they use or disclose health information.
- Disclosure Report: Patients can obtain a report detailing when and why their health information was shared for specific reasons.
- Filing a Complaint: If patients feel that their rights are being infringed upon or that their health data isn’t being protected adequately:
  - They can lodge a complaint with their provider or health insurer.
  - They can submit a complaint to the U.S. Department of Health and Human Services (HHS).
MHMDA Consumer Rights
Here are the consumer rights under Washington’s “My Health My Data Act”:
- Robust Notice and Consent: Entities must offer detailed consumer health data privacy policies. Separate opt-in consents are necessary for collecting and sharing consumer health data. This consent must detail what categories of health data are being collected or shared, their intended use, what data will be shared, and how consumers can retract their consent.
- Authorization for Data Sale: Any sale of consumer health data requires specific authorization from the consumer. The authorization must identify the particular health data to be sold, the purchaser, and the purpose of the sale. Authorizations are valid for up to a year, and the consumer can revoke them at any time.
- Absolute Right of Deletion: Consumers can withdraw their consent to the collection and sharing of their health data. They also have the right to demand deletion of that data. On receiving such a request, entities must delete the data from all of their systems, including backups and archives, and inform their affiliates of the deletion request.
- Geofencing Restrictions: The Act restricts the deployment of geofencing around entities providing in-person health care services. Geofencing shouldn’t be used to identify or track consumers, collect health data, or send related notifications or advertisements.
- Regulated Entity Obligations for Processors: If data processors managing consumer health data on behalf of a regulated entity violate their contract, they are designated as a regulated entity and must adhere to all obligations under the Act.
- Private Right of Action: The Act integrates a private right of action under Washington’s Consumer Protection Act, allowing individuals to raise claims against entities. They can seek damages up to $7,500 per violation. The specific definition of what constitutes a “violation” is not explicitly laid out in the Act.
Cross-Border Data Transfer and Jurisdiction
HIPAA’s Impact on International Data Transfer
At its core, the HIPAA privacy rule mandates that PHI should not be sent to foreign locations without the necessary safeguards.
The Office for Civil Rights (OCR) permits the transfer of PHI outside the U.S., provided a business associate agreement (BAA) is in place and other HIPAA stipulations are met.
Protection Measures for Cross-Border Transfers:
- Technical and Organizational Assessment: Before sharing PHI internationally, covered entities must verify the recipient’s compliance capabilities, ensuring appropriate safeguards like encryption, access controls, audits, and training are in place.
- Compliance with International Laws: Due diligence is needed to understand foreign data protection laws and ascertain their compatibility with HIPAA.
- Data Sensitivity Assessment: Extra caution is warranted when sharing sensitive data types, and entities should employ de-identification or aggregated data to lower risks.
- HIPAA Minimum Necessary Rule: Only transfer the least amount of PHI required for the intended purpose, ensuring unnecessary data is excluded.
Under specific conditions, such as research, public health, and healthcare operations, PHI can be shared as a limited data set (LDS) after direct identifiers are removed. A data use agreement detailing the required protections is also required.
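As an added example (not part of the original article), the following Python applies the PHI identifier categories listed under “Information Covered Under HIPAA” and the de-identification and minimum-necessary points above to a constructed patient record: `phi_fields` flags which fields would carry identifiers before a transfer, and `deidentify` drops direct identifiers and geography finer than the state, keeps only the year of dates, scrubs e-mail and SSN patterns from free text, and reports age 90 or older as a “90+” bucket. The field names, the record, and the 90+ bucketing convention are my assumptions, not something the article specifies.

```python
import re

# Constructed sample record for this example (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "city": "Seattle",
    "state": "WA",
    "zip": "98101",
    "birth_date": "1930-05-14",
    "admission_date": "2023-04-27",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "diagnosis": "hypertension",
    "notes": "Reachable at jane@example.com; SSN 123-45-6789 on file",
}

# Assumed field names, each mapped to a PHI identifier category from the list above.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "zip",  # geography finer than the state
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Identifiers that commonly leak into free-text fields: e-mail, SSN, IPv4 address.
FREE_TEXT_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
]

def phi_fields(record):
    """Fields of a record that fall into a PHI identifier category (pre-transfer check)."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIERS or k in DATE_FIELDS)

def deidentify(record, as_of_year):
    """Drop direct identifiers, keep only the year of dates, scrub text, bucket age 90+ (my convention)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # removed outright
        if key in DATE_FIELDS:
            out[key] = value[:4]                      # ISO date -> year only
            continue
        if isinstance(value, str):
            for pat in FREE_TEXT_PATTERNS:
                value = pat.sub("[REDACTED]", value)  # identifiers embedded in text
        out[key] = value
    if "birth_date" in record:
        age = as_of_year - int(record["birth_date"][:4])  # year-level approximation
        out["age"] = "90+" if age >= 90 else str(age)
    return out
```

Regex scrubbing of free text is illustrative only; a production de-identification pipeline needs a reviewed identifier inventory and detection well beyond these three patterns.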
Washington Privacy Act (WPA) Impact on Data Transfer
WPA does not provide specific information or guidelines regarding data transfers. Cross-border data transfer regulations generally concern the movement of personal data across national borders only.
Whether it’s HIPAA, WPA, or the newer MHMDA, each law aims to safeguard personal and health data, with varying focuses and jurisdictional scopes.
Want top-notch data safety for your health app?
MedStack makes it simple. Don’t get lost in the rules — let us handle compliance so you can do what you do best.