Washington State

Reporting a Health Data Breach in Washington

When health-related data is breached in Washington, an organization may have obligations under more than one law at the same time. Federal HIPAA rules, Washington's data breach notification statute, and potentially the My Health My Data Act can all be relevant depending on the data and the organization. Coordinating them is essential.

Two (or more) layers of obligation

For a HIPAA-covered organization, a breach of unsecured PHI triggers the federal Breach Notification Rule. Separately, Washington's breach notification law applies to a broader range of "personal information" and may impose its own notification duties and timelines. An incident can fall under both.

Framework                                              Generally applies to
HIPAA Breach Notification Rule                         Covered entities and business associates handling unsecured PHI
Washington breach notification law (RCW 19.255 / 42.56.590)   Entities holding Washington residents' "personal information," which can include certain health and medical data
My Health My Data Act                                  Regulated entities handling consumer health data outside HIPAA

Washington's breach notification law

Washington law requires notifying affected Washington residents when a breach of certain personal information occurs, and the definition of personal information has been expanded over time to include data elements beyond names and Social Security numbers. For larger breaches, the law also requires notifying the Washington State Attorney General. Notices must contain specified content, and there are timing requirements measured from discovery of the breach.

Timelines can differ. HIPAA and Washington law each set their own deadlines and content requirements. When both apply, organizations generally must satisfy each, which in practice means meeting the more demanding requirement. Build your incident response plan to account for overlapping obligations.

The Attorney General's role

The Washington State Attorney General receives breach notifications for qualifying incidents and publishes information about reported breaches. The Attorney General also enforces several of the state's privacy and consumer protection laws, including aspects of the My Health My Data Act through the Consumer Protection Act.

A practical sequence after an incident

  1. Contain and investigate. Stop the exposure and determine what data was involved and whose.
  2. Assess applicability. Determine which laws apply: HIPAA, Washington's breach law, MHMDA, or others.
  3. Run the required assessments. For HIPAA, the four-factor breach risk assessment; for state law, whether the incident meets the statutory definition requiring notice.
  4. Notify on the strictest applicable timeline. Coordinate individual, regulator, and any media notices.
  5. Document everything. Keep records of your analysis and notifications.

Verify the current text

Breach notification statutes are amended periodically, and definitions and thresholds change. Before relying on any specific deadline or threshold, confirm the current requirements in the Revised Code of Washington and on the Attorney General's website, and consult counsel. Because penalties and a possible private right of action may be in play, getting the analysis right is worth the effort.

Why coordination is hard in practice

Overlapping frameworks do not align neatly. HIPAA and Washington's breach law can define the covered information differently, calculate their deadlines from different starting points, and require different content in the notices that go to individuals and regulators. The My Health My Data Act adds another layer for consumer health data that falls outside HIPAA. An organization responding to a single incident may therefore need to satisfy several sets of rules at once, which generally means meeting the strictest applicable requirement for each element rather than choosing one framework. Designing your incident-response plan around this reality, with a checklist that walks through each potentially applicable law, prevents a compliant federal response from inadvertently missing a state obligation.

Build the response before you need it

Because the timelines run from discovery and several laws may apply simultaneously, the time to prepare is well before an incident. Practical preparation includes identifying in advance who leads the response and who approves notifications, drafting template notices that can be tailored quickly, maintaining current contact information for individuals, and confirming the reporting channels for the HHS breach portal and the Washington Attorney General. Encrypting data at rest and in transit so that more incidents qualify for the safe harbor reduces how often these duties are triggered at all; note that the safe harbor generally depends on the decryption key not having been compromised along with the data, so key management and evidence of what the attacker could access matter as much as the encryption itself. Above all, document each decision, including any determination that an incident did not require notice, so the organization can show its reasoning later.