HIPAA Compliance for Telehealth Therapists in Seattle, Washington — 2026 Guide
Washington state's My Health MY Data Act (2023) creates additional obligations for telehealth therapists. This guide covers what telehealth therapists in Seattle must do before the February 16, 2026 HIPAA deadline — including state-specific legal requirements, the most common violations that trigger OCR audits in Washington, step-by-step fixes for each violation, and a full compliance checklist tailored to your practice type.
Seattle telehealth therapists represent an early-adopter market for digital health tools, making them particularly vulnerable to the MHMD Act's broader-than-HIPAA scope. Many Seattle practices use website analytics tools, digital intake forms, and third-party scheduling apps that HIPAA does not directly regulate but the MHMD Act does.
$43,000
Average HIPAA fine in Washington
WA state law went into effect March 2024 — most therapists unaware.
Source: HHS Office for Civil Rights enforcement data, 2025
Washington Law Requirements for Telehealth Therapists
Seattle telehealth therapists face one of the most recently updated privacy law frameworks in the country. Washington's My Health MY Data Act (MHMD Act), effective March 2024, creates sweeping new requirements for entities that collect, share, or process health data — including telehealth platforms and EHR systems. The MHMD Act covers health information beyond HIPAA's scope, including any data that could reasonably identify a health condition. For Seattle telehealth therapists, this means platforms they use — scheduling tools, payment processors, even websites with health-related tracking pixels — may be covered under MHMD Act requirements in addition to HIPAA. Washington's Attorney General has broad enforcement authority, and the Act creates a private right of action that allows clients to sue practices directly.
Washington's Attorney General enforces the MHMD Act with civil penalties up to $7,500 per intentional violation and provides a private right of action for clients — Seattle telehealth therapists face both government enforcement and direct civil suit liability.
Top HIPAA Violations for Telehealth Therapists in Seattle — and How to Fix Them
These are the violations OCR most frequently cites for telehealth therapists in Washington. Each one is fixable — most in under an hour. The cost of not fixing them is significantly higher than the cost of the solution.
No informed consent for telehealth recording
HOW TO FIX IT
Add a session recording consent section to your informed consent document: state the purpose of any recording, who will have access, how long it will be retained, and how it will be destroyed. Obtain separate written consent from each client and store signed copies.
Unencrypted session notes synced to personal cloud
HOW TO FIX IT
Move session notes from personal iCloud, Dropbox, or Google Drive (without BAA) to SimplePractice's BAA-covered storage. Set up automatic sync to a dedicated work account only, not your personal Apple ID or Google account.
Missing BAA with teletherapy platform
HOW TO FIX IT
Review your website's privacy tools: remove standard Google Analytics or Facebook Pixel if it collects any health-related data from visitors. Replace with privacy-focused analytics tools (Plausible, Fathom) that do not collect personally identifiable health data.
The #1 Tech Compliance Gap for Telehealth Therapists in Seattle
Washington's My Health MY Data Act adds extra requirements beyond HIPAA
SimplePractice solves this with a signed BAA, encrypted messaging, and HIPAA-compliant telehealth — all in one platform used by 225,000+ therapists.
Trusted by 225,000+ Therapists — Recommended for Telehealth Therapist in Seattle
50% Off Your First 4 Months of SimplePractice
SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.
Limited-time summer offer · No credit card required for trial
Need HIPAA-compliant email only? See Hushmail for Healthcare →
Telehealth Therapist HIPAA Compliance Checklist — Seattle
Work through this checklist to confirm your practice meets the baseline HIPAA requirements for telehealth therapists in Washington. Every item marked incomplete is a potential OCR audit finding.
Review your website for any analytics or tracking tools (Google Analytics, Facebook Pixel) that collect health-related data — these may require MHMD Act compliance
Obtain explicit written informed consent for any session recording, store consents in client files, and never record without consent
Migrate all session notes from personal cloud storage to a BAA-covered platform with full encryption
Sign BAAs with every telehealth platform including your video platform, scheduling tool, and payment processor
Review Washington state licensing requirements for telehealth — Washington requires interstate compact participation or licensure for clients in different states
Create a written data minimization policy: only collect health data necessary for treatment
Post a MHMD Act-compliant privacy notice on your website in addition to your HIPAA NPP
Complete a Security Risk Assessment addressing your home office setup specifically
This checklist covers the most common compliance gaps for telehealth therapists in Seattle. It is not a substitute for a full HIPAA Security Risk Assessment or legal advice specific to your practice.
Frequently Asked Questions — Telehealth Therapists in Seattle
Does a telehealth therapist in Seattle need to comply with HIPAA?
Washington state's My Health MY Data Act (2023) creates additional obligations for telehealth therapists.
What is the average HIPAA fine for therapy practices in Washington?
The average HIPAA fine for therapy practices in Washington is $43,000. WA state law went into effect March 2024 — most therapists unaware.
What are the most common HIPAA violations for telehealth therapists?
No informed consent for telehealth recording. Unencrypted session notes synced to personal cloud. Missing BAA with teletherapy platform.
What is the February 2026 HIPAA deadline?
By February 16, 2026, all covered entities including therapy practices must update their Notice of Privacy Practices (NPP) to reflect the new HIPAA Privacy Rule requirements around patient rights and data access. Failure to update is an automatic violation.
What is SimplePractice and does it solve HIPAA compliance?
SimplePractice is a HIPAA-compliant practice management platform used by 225,000+ therapists. It includes a signed Business Associate Agreement (BAA), encrypted client messaging, HIPAA-compliant telehealth, and documentation tools. It does not replace a full Security Risk Assessment but covers most day-to-day compliance gaps.
What is Washington's My Health MY Data Act and does it apply to my therapy practice?
Yes. The MHMD Act (effective March 2024) applies to any entity that collects or processes health data about Washington state residents, even if the entity is not a HIPAA-covered entity. For telehealth therapists seeing Washington clients, you must obtain consent before collecting health data, you cannot share health data for purposes beyond treatment without explicit consent, clients have the right to access and delete their health data, and your website's tracking tools may be subject to the Act. Unlike HIPAA, clients can sue you directly under the MHMD Act.
Do I need to record consent separately from general informed consent for telehealth?
Yes — recording consent should be explicit and specific, separate from general telehealth informed consent. Your recording consent document should specify: that the session will be recorded, the purpose, who will have access to the recording, how long it will be retained, and how it will be destroyed. Washington's MHMD Act and HIPAA both support this separate consent approach. Clients can revoke recording consent at any time.