Posted on
May 7, 2026
Posted on
May 14, 2026
Washington State MHMDA: Managing Consumer Health Data in Clinical AI Scribing — The Complete Compliance Playbook for 2026
TL;DR — What Washington Chief Compliance Officers Need to Know Now
Washington's My Health My Data Act (MHMDA) goes far beyond HIPAA by classifying session telemetry—IP addresses, device IDs, page paths tied to appointment booking or symptom-checker interactions—as consumer health data. When paired with RCW 9.73's all-party recording consent requirement, any AI scribe deployment in Washington demands dual, independent consents: one for audio capture and one for MHMDA-regulated data collection. Each consent prompt must include a visible, in-prompt Privacy Policy link and a point-of-capture revocation control. Failure to present the revocation button at the moment of capture is not merely a civil violation—it is a criminal trigger. This playbook details the legal architecture, clinical decision logic, ICD-10 documentation standards, and technical implementation that Scribing.io provides to eliminate this exposure automatically.
Table of Contents
1. Why Washington's MHMDA Demands a Separate Compliance Layer Beyond HIPAA
2. The Telemetry Blind Spot: Session Data as Consumer Health Data
3. Scribing.io Clinical Logic: Handling the Seattle Urgent-Care Telehealth Scenario
4. Dual-Consent Architecture: RCW 9.73 + MHMDA Collection Consent
5. Technical Reference: ICD-10 Documentation Standards
6. Point-of-Capture Revocation: Why a "Later" Opt-Out Is a Criminal Trigger
7. Audit-Trail Engineering: Hash-Sealed Records and Provable UI State
8. Implementation Roadmap for Washington Health Systems
1. Why Washington's MHMDA Demands a Separate Compliance Layer Beyond HIPAA
Most health-system compliance teams assume HIPAA's authorization framework covers AI scribe consent requirements. In Washington State, that assumption creates material legal exposure that no BAA or Notice of Privacy Practices can resolve.
The My Health My Data Act (MHMDA), codified under RCW 19.373, establishes an independent, consumer-facing consent obligation that applies to any entity collecting, sharing, or selling "consumer health data"—a category defined so broadly that it encompasses data types HIPAA never anticipated in the clinical-recording context. Scribing.io was purpose-built to operate within this dual-regulatory reality, treating HIPAA and MHMDA as parallel but non-overlapping obligation sets that must each produce their own auditable consent artifacts.
Critically, the MHMDA's definition of a "regulated entity" is not limited to covered entities or business associates under HIPAA. Any organization that conducts business in Washington or targets Washington consumers and collects consumer health data falls within scope. This means the AI scribe vendor itself—not just the clinic—bears direct statutory responsibility. The AMA's HIPAA Privacy Rule guidance explicitly notes that state laws providing greater privacy protections are not preempted by HIPAA, and the MHMDA indisputably provides greater protections for the data categories it covers.
Where existing competitor privacy policies fall short is in their treatment of the MHMDA as a disclosure addendum rather than an operational control framework. A review of current market approaches reveals a common pattern: vendors publish a supplemental Consumer Health Data Privacy Policy page that catalogs data categories and sharing practices, then direct users to a generic web form for rights requests. This approach fails Washington clinics on three critical fronts:
No in-prompt Privacy Policy link at the point of consent collection. The MHMDA requires that consumers be presented with a link to the collecting entity's privacy policy within the consent mechanism itself—not on a separate corporate webpage discovered only through footer navigation.
No point-of-capture revocation control. Offering a "contact us" web form or a delayed-response email address does not satisfy Washington's requirement for an immediately accessible revocation mechanism. The statute contemplates contemporaneous ability to withdraw, not a 30-day request-processing pipeline.
No differentiation between recording consent and collection consent. RCW 9.73 requires all-party consent for audio interception. The MHMDA requires a separate just-in-time consent for the collection of consumer health data. These are distinct legal obligations demanding distinct consent artifacts.
For a deeper examination of how AI scribing intersects with privacy and HIPAA compliance, see our Safety & Privacy Guide. For the latest regulatory developments affecting clinical AI documentation nationally, visit our HIPAA 2026 Update.
2. The Telemetry Blind Spot: Session Data as Consumer Health Data
This is the insight that most compliance teams—and every competitor privacy policy we have reviewed—miss entirely:
Washington treats session telemetry (IP address, page path, device IDs) tied to appointment-booking or symptom-checker interactions as consumer health data.
The MHMDA defines consumer health data to include "information that identifies a consumer's attempt to seek health care services or supplies." The NIH's analysis of digital health data governance frameworks highlights how telemetry data tied to health-seeking behavior increasingly falls under state-level regulation—a trend Washington codified before any other jurisdiction.
When a patient uses a clinic's online portal to book a telehealth appointment, the session telemetry generated by that interaction—the IP address that geolocates them, the device fingerprint that identifies their browser, the URL path that reveals they navigated to /urgent-care/respiratory-symptoms—constitutes evidence of an attempt to seek health care services. Under the MHMDA, that telemetry is consumer health data, full stop.
This creates a requirement that no other state privacy law imposes at this granularity: you must log a distinct "collection" consent for telemetry independent of the verbal recording consent.
Consent Obligation Matrix: Washington AI Scribe Encounters | ||||
Obligation | Legal Basis | What Must Be Captured | When It Must Be Presented | Revocation Requirement |
|---|---|---|---|---|
All-party recording consent | Affirmative consent from every participant to audio capture | Before any audio recording begins | Any party may withdraw; recording must stop immediately | |
MHMDA collection consent (clinical audio) | RCW 19.373 | Separate consent acknowledging collection of consumer health data derived from the encounter | Just-in-time, at the point of capture, with in-prompt Privacy Policy link | One-tap revocation control visible at point of capture |
MHMDA collection consent (session telemetry) | RCW 19.373 | Separate consent for collection of IP, device IDs, page paths tied to health-seeking behavior | Before or concurrent with the interaction that generates telemetry | One-tap revocation control; upon revocation, telemetry must be pruned |
Competitor platforms that treat the MHMDA as a simple privacy-policy supplement fail to instrument this telemetry-specific consent flow. Their published policies acknowledge that "many of the categories of data we collect could also be considered consumer health data" but do not create a distinct, auditable consent event for session telemetry. When the Washington Attorney General requests proof of MHMDA collection consent for the telemetry associated with a patient's symptom-checker visit, these platforms cannot produce it.
Scribing.io's WA-aware mode generates three distinct, timestamped consent artifacts—one for RCW 9.73 recording consent, one for MHMDA clinical-data collection, and one for MHMDA telemetry collection—each with its own in-prompt Privacy Policy link and revocation control. For context on how these obligations compare to California's evolving requirements, see our guide to California AI Laws.
3. Scribing.io Clinical Logic: Handling the Seattle Urgent-Care Telehealth Scenario
The scenario every Washington compliance officer should stress-test against their current AI scribe vendor:
A Seattle urgent-care clinic conducts a telehealth visit using a generic AI recorder. The medical assistant announces, "We're recording for notes," and a pop-up appears on the patient's screen. The pop-up lacks a separate Privacy Policy link and offers no revoke option. The patient proceeds with the visit.
Three weeks later, the patient notices targeted advertisements for respiratory medications on their phone—ads that appear to correlate with the symptom-checker they used on the clinic's portal before booking the appointment. The patient files a complaint with the Washington Attorney General's office.
The AG's investigation requests:
Proof of MHMDA collection consent for the consumer health data generated by the symptom-checker interaction (session telemetry)
Evidence that a revocation control was available at the point of capture for both the audio recording and the telemetry collection
All-party consent documentation under RCW 9.73 for the audio capture
Retention and deletion logs demonstrating compliance with revocation obligations
The clinic cannot produce any of these artifacts. The generic recorder captured a single, undifferentiated "consent" click. There is no Privacy Policy link in the consent prompt. There is no revocation button. There is no telemetry-specific consent event. Billing pauses on 47 visits while outside counsel triages civil exposure under the MHMDA's private right of action and criminal exposure under RCW 9.73.
Outcome Comparison: Generic Recorder vs. Scribing.io WA-Aware Mode | ||
Factor | Generic Recorder | Scribing.io |
|---|---|---|
Patient location detection | Not performed | Auto-detects Washington encounters via IP geolocation and clinic-site metadata |
RCW 9.73 all-party consent | Verbal announcement only; no per-participant artifact | Per-participant affirmative consent captured with timestamp, participant identifier, and session hash |
MHMDA collection consent (clinical audio) | Not separately captured | Separate consent prompt with in-prompt Privacy Policy link |
MHMDA collection consent (telemetry) | Not captured | Distinct telemetry-collection consent with in-prompt Privacy Policy link |
In-prompt Privacy Policy link | Absent | Rendered inline within each consent prompt per MHMDA §5(a) |
Point-of-capture revocation control | Absent | One-tap Revoke button visible at capture; triggers auto-pruning of telemetry and audio references |
Audit record | Basic log entry (if any) | Cryptographically hashed (SHA-256) dual-consent audit event with UI-state screenshot |
AG investigation response time | Weeks of forensic reconstruction; may be irrecoverable | Exportable compliance packet generated on demand with chain-of-custody integrity |
Billing disruption | 47+ visits paused; revenue at risk | Zero disruption; consent integrity verified per-encounter |
Criminal exposure (RCW 9.73) | Gross misdemeanor risk per unconsented recording | Eliminated by per-participant consent artifacts |
Step-by-Step: How Scribing.io Resolves This Scenario
Encounter initiation and jurisdiction detection. When the telehealth session begins, Scribing.io's WA-aware mode detects that the patient is located in Washington State via IP geolocation corroborated by the clinic's registered location in the system configuration. The system flags the encounter for Washington-specific consent orchestration before any data collection occurs—before a single byte of audio is buffered or a single telemetry event is logged.
Dual-consent presentation with separated prompts. Before any audio capture or telemetry logging commences, the patient is presented with two clearly separated consent prompts rendered sequentially:
Recording consent (RCW 9.73): "This visit will be audio-recorded for clinical documentation purposes. All participants must consent to recording." Each participant—patient, provider, MA, interpreter if present—affirms individually via a distinct interaction element. The system will not proceed until all identified participants have consented.
MHMDA collection consent: "We collect health-related data including session information and clinical documentation data as described in our [Privacy Policy]—" where [Privacy Policy] is a hyperlink rendered inside the consent prompt UI element itself, not in a footer, sidebar, or separate page. The prompt continues: "You may revoke this consent at any time using the button below."
Point-of-capture revocation control rendered and verified. A clearly labeled "Revoke Consent" button is displayed alongside the MHMDA consent prompt and remains accessible throughout the session via a persistent UI element. The system captures a UI-state screenshot at render time to prove the Revoke button was visible and interactive at the moment of consent collection. This screenshot becomes part of the immutable audit record.
Revocation execution (if triggered). If the patient taps Revoke at any point during or after the encounter:
Audio capture stops immediately (within the same event loop—sub-100ms latency)
Session telemetry (IP, device IDs, page paths associated with the encounter) is auto-pruned from all data stores within the system's defined SLA (configurable; default 72 hours for complete propagation across backup tiers)
Audio references in any draft clinical note are replaced with a revocation-event marker
A revocation event is logged with its own cryptographic hash, timestamped independently from the original consent event
The provider is notified in-session that the scribe has been deactivated and must complete documentation manually
Audit-event creation with cryptographic integrity. Upon consent, Scribing.io writes a dual-consent audit event containing:
Timestamp (UTC, millisecond precision)
Participant identifiers (internally hashed for privacy; linkable to the encounter via the session key)
Consent type (recording / MHMDA clinical-data collection / MHMDA telemetry collection)
UI-state screenshot proving the Privacy Policy link and Revoke button were rendered at the point of capture
SHA-256 hash of the complete event payload, anchored to the session identifier
The hash of the preceding audit event in the session chain (creating a tamper-evident linked list)
Post-encounter compliance packet availability. The hashed audit record is immutable once written. If the AG—or any other authority—requests proof of compliance, the clinic's compliance officer exports a self-verifying compliance packet directly from Scribing.io's admin console. The packet includes the consent events, UI screenshots, hash chain, and a verification script that any party can run independently to confirm data integrity.
This clinical decision logic converts compliance risk into operational certainty. The JAMA perspective on AI documentation in clinical care (2024) emphasizes that the regulatory overhead of AI scribing will increasingly determine vendor viability—not feature sets or transcription accuracy alone.
4. Dual-Consent Architecture: RCW 9.73 + MHMDA Collection Consent
The architectural distinction between recording consent and collection consent is not academic—it is the difference between a defensible compliance posture and a gross misdemeanor charge.
RCW 9.73: The Criminal Statute
Washington's wiretapping law, RCW 9.73, makes it a gross misdemeanor to record a private conversation without the consent of all participants. In the clinical telehealth context, this means every person whose voice will be captured—patient, provider, medical assistant, interpreter, family member participating via speaker—must provide affirmative consent before the recording begins. A verbal announcement ("We're recording for notes") does not satisfy the statute's requirements when a participant has not affirmatively agreed. The CMS telehealth policy framework reinforces that state-law consent requirements apply in full to telehealth encounters regardless of the platform used.
MHMDA: The Civil and Regulatory Statute
The MHMDA's consent requirement is separate, additive, and structurally different. It requires:
A just-in-time consent for the collection of consumer health data (not merely the recording of audio)
A Privacy Policy link rendered inside the consent prompt—the consumer must be able to review the policy without navigating away from the consent interaction
A revocation mechanism available at the point of capture—not a separate web form, not a customer-service email address, not a settings page buried in an account dashboard
Why Two Consents Cannot Be Merged
Merging these into a single consent prompt ("By clicking Accept, you consent to recording and data collection") creates two failures:
RCW 9.73 requires per-participant consent. A single "Accept" button clicked by one participant does not constitute all-party consent. The recording consent must be obtained from each individual whose voice will be captured.
MHMDA requires a visible Privacy Policy link and revocation control within the collection-consent prompt. If the collection consent is bundled with the recording consent, the Privacy Policy link and Revoke button may be interpreted as pertaining to the recording (which has its own stop mechanism) rather than to the broader data-collection activity. Washington's enforcement guidance makes clear that ambiguity in consent scope works against the collecting entity.
Scribing.io's architecture enforces separation at the database level. Recording-consent events and MHMDA-collection-consent events are stored in separate audit tables with independent hash chains. Neither can be modified or deleted without producing a verifiable break in the chain. This separation is not a UI choice—it is a data-architecture decision that ensures each consent obligation can be independently proven to any auditor, court, or regulatory body.
5. Technical Reference: ICD-10 Documentation Standards
Compliance consent workflows have direct implications for ICD-10 coding accuracy—particularly for encounter types that are administratively driven rather than diagnostically driven. When an encounter is paused, disrupted, or retroactively questioned due to consent failures, the documentation supporting the billed codes degrades. This is where Scribing.io's consent-integrated documentation pipeline eliminates a category of denial risk that most coding teams never trace back to its root cause.
Administrative and Counseling Encounter Codes
Two ICD-10 codes are disproportionately affected by consent-related documentation gaps in Washington:
Z02.89 — Encounter for other administrative examinations; Z71.89 — Other specified counseling
Z02.89 covers encounters where the primary purpose is administrative—pre-employment physicals, fitness-for-duty evaluations, insurance examinations, and telehealth intake visits where the clinical content is secondary to the administrative documentation requirement. In the Seattle urgent-care scenario, the initial telehealth intake—where the MA collects consent (or fails to) and the provider confirms the patient's identity and visit reason—often maps to Z02.89 when billed as a distinct service. If the consent architecture for that encounter is later challenged, the documentation supporting Z02.89 becomes unreliable, and the claim is exposed to retroactive denial.
Z71.89 covers counseling encounters that do not fit neatly into more specific Z71 subcategories—including patient education about data privacy rights, informed-consent counseling for telehealth modalities, and pre-visit orientation sessions. Washington clinics increasingly code pre-visit consent-and-orientation sessions under Z71.89 when the interaction involves substantive patient education about how their data will be used. Scribing.io's structured consent flow generates documentation that directly supports the medical necessity of Z71.89 by capturing the educational content delivered during the consent interaction, time spent, and patient questions.
How Scribing.io Ensures Maximum Specificity
Denial prevention for Z02.89 and Z71.89 requires three documentation elements that generic recorders fail to produce:
ICD-10 Specificity Requirements: Z02.89 and Z71.89 | |||
Required Element | Z02.89 Application | Z71.89 Application | Scribing.io Output |
|---|---|---|---|
Encounter purpose documentation | Administrative nature of the encounter must be explicitly stated | Counseling topic and educational content must be specified | Auto-generated encounter-purpose statement derived from session metadata and consent-flow type |
Time documentation | Duration of administrative interaction must be recorded | Counseling time must meet payer-specific thresholds | Millisecond-precision timestamps from consent-prompt display through encounter completion |
Participant documentation | All participants in the administrative encounter must be identified | Patient engagement in counseling must be documented | Per-participant consent artifacts serve as participant identification and engagement proof |
When the consent flow is intact and hash-sealed, the ICD-10 codes are supported by documentation that survives audit. When the consent flow is absent or defective—as in the generic-recorder scenario—the entire encounter's coding is vulnerable. The 47 paused visits in our scenario are not just a consent problem; they are a coding and revenue-cycle problem. Each paused visit requires manual chart review by a certified coder to determine whether the documentation, absent reliable consent artifacts, still supports the billed codes. Per the AMA's ICD-10 coding guidance, specificity at the encounter level is the primary defense against payer denials—and that specificity depends on the integrity of the documentation chain from consent through note finalization.
6. Point-of-Capture Revocation: Why a "Later" Opt-Out Is a Criminal Trigger
This section addresses the single most dangerous compliance gap in Washington AI scribe deployments: the absence of a revocation control at the moment of data capture.
The Anchor Truth: Washington's MHMDA requires a separate Privacy Policy link inside the recording consent prompt; failing to offer a revocation button at the point of capture is a criminal trigger.
The criminal dimension arises from the interaction between two statutes:
RCW 9.73.030 makes unconsented recording a gross misdemeanor. If a patient's consent is vitiated—because it was obtained without the legally required MHMDA elements (Privacy Policy link, revocation control)—then the recording arguably proceeded without valid consent. A prosecutor or plaintiff's attorney will argue that consent obtained through a defective mechanism is no consent at all.
MHMDA §6 establishes the right to revoke consent for data collection. The statute requires that this right be actionable, not aspirational. A "contact us" form that processes requests within 30 days is not a revocation mechanism—it is a request queue. The MHMDA's revocation right, read in conjunction with its requirement that consent be obtained with a visible Privacy Policy link, creates an implied obligation that the revocation control be co-located with the consent control.
When these two statutes converge on a telehealth encounter where an AI scribe is actively recording and processing consumer health data, the absence of a point-of-capture Revoke button means:
The patient cannot exercise their MHMDA revocation right in real time
The recording continues to accumulate consumer health data without a legally complete consent
Each second of continued recording after the patient would have revoked (had the option been available) deepens both civil and criminal exposure
The clinic and the vendor share liability—the clinic as the collecting entity, the vendor as a processor operating without valid consent from the data subject
Scribing.io eliminates this exposure by rendering the Revoke button as a persistent, always-accessible UI element from the moment of consent presentation through the end of the encounter. The button is not hidden behind a menu, not relegated to a settings page, and not dependent on the patient navigating away from the video/audio interface. It is present, labeled, and functional at all times. When tapped, revocation is executed synchronously—audio capture halts, telemetry pruning begins, and the revocation event is hash-sealed into the audit chain within the same user interaction.
7. Audit-Trail Engineering: Hash-Sealed Records and Provable UI State
An audit trail that can be modified is not an audit trail—it is a log file. Washington's enforcement environment demands cryptographic proof that consent was obtained correctly, that revocation controls were available, and that revocation (if exercised) was honored completely.
Scribing.io's Audit Architecture
Every consent event in Scribing.io produces an immutable audit record with the following structure:
Audit Record Schema: Scribing.io WA-Aware Mode | ||
Field | Content | Purpose |
|---|---|---|
| UUID v7 (time-ordered) | Unique identification and chronological ordering |
| Encounter session identifier | Links all consent events to the clinical encounter |
| ENUM: | Distinguishes between the three independent consent obligations |
| SHA-256 of participant identifier | Identifies the consenting party without storing PII in the audit table |
| ISO 8601 with millisecond precision | Proves temporal sequence of consent events |
| PNG capture of the consent prompt as rendered | Proves Privacy Policy link and Revoke button were visible at capture |
| The exact URL rendered in the consent prompt | Proves in-prompt Privacy Policy link requirement was met |
| Boolean + coordinates | Proves Revoke button was displayed and its screen position |
| SHA-256 of the complete event payload | Tamper detection for this individual event |
| SHA-256 hash of the preceding event in the session chain | Creates a tamper-evident linked list; any modification breaks the chain |
UI-State Screenshots: The Proof That Matters
The UI-state screenshot is the single most valuable artifact in a Washington AG investigation. It proves—visually, unambiguously, and contemporaneously—that the patient was presented with:
A consent prompt that was clearly worded and specific to the data being collected
A Privacy Policy link rendered inside the consent prompt
A Revoke button that was visible and interactive at the moment of consent collection
No competitor in the clinical AI scribing market produces this artifact. Generic recorders may log a consent event timestamp, but they cannot prove what the user saw at that timestamp. Scribing.io captures the rendered UI state at the moment of consent interaction and seals it into the hash chain. This screenshot is not reconstructable after the fact—it is captured at render time and becomes part of the immutable record.
Compliance Packet Export
When an investigation or audit requires documentation, Scribing.io's admin console generates a self-contained compliance packet for any encounter or set of encounters. The packet includes:
All consent events with their hash chains
UI-state screenshots for each consent interaction
Revocation events (if any) with their independent hash chains
Telemetry-pruning confirmation logs (if revocation was exercised)
A standalone verification script (Python) that any party can execute to independently verify hash-chain integrity
The packet is designed to be handed directly to outside counsel, the AG's office, or a payer's audit team without requiring Scribing.io personnel to be present for interpretation.
8. Implementation Roadmap for Washington Health Systems
Deploying Scribing.io's WA-aware mode across a multi-site Washington health system follows a structured seven-day activation path. This is not a feature toggle—it is a compliance-architecture deployment that touches consent workflows, EHR integration, staff training, and audit-trail verification.
7-Day WA-Aware Mode Activation Roadmap | |||
Day | Activity | Responsible Party | Deliverable |
|---|---|---|---|
1 | Compliance intake: review existing consent workflows, identify all encounter types, map telemetry-generating systems | Scribing.io Implementation + Client Compliance Officer | Gap analysis document; risk-priority matrix |
2 | Privacy Policy link verification: confirm client's Consumer Health Data Privacy Policy URL; validate MHMDA-required content | Client Legal + Scribing.io Compliance | Approved Privacy Policy URL for in-prompt rendering |
3 | EHR integration configuration: map consent events to encounter records; configure audit-trail export endpoints | Scribing.io Engineering + Client IT | Integration test results; EHR-mapped consent event verification |
4 | Consent-prompt localization and review: WA-specific consent language reviewed by client's legal team; UI rendered for approval | Client Legal + Scribing.io UX | Approved consent-prompt language and UI screenshots |
5 | Staff training: MA, provider, and front-desk workflows updated; revocation-handling procedures documented | Scribing.io Clinical Operations + Client Training | Training completion logs; workflow SOPs |
6 | Shadow-mode testing: WA-aware mode runs in parallel with existing workflows for one full clinic day; audit records reviewed | Joint team | Shadow-mode audit report; discrepancy resolution |
7 | Go-live: WA-aware mode activated for all Washington encounters; monitoring dashboard enabled | Scribing.io Operations | Go-live confirmation; first 24-hour compliance dashboard review |
Post-Deployment: Continuous Compliance Monitoring
After go-live, Scribing.io's compliance dashboard provides real-time visibility into:
Consent-completion rates by encounter type, provider, and site—flagging any encounters where consent was not fully obtained before recording commenced
Revocation events with time-to-prune metrics, ensuring telemetry deletion SLAs are met
Hash-chain integrity alerts if any audit record fails verification (indicating potential system issues or tampering attempts)
Regulatory-update integration as Washington issues enforcement guidance or amends the MHMDA, Scribing.io's compliance team pushes consent-language and workflow updates through the platform
The CMS 2026 Medicare Physician Fee Schedule increasingly ties reimbursement integrity to documentation provenance. Health systems that cannot prove the consent chain underlying their AI-generated documentation face not only state-law exposure but federal reimbursement risk. Scribing.io's audit architecture addresses both vectors simultaneously.
See our Washington MHMDA + RCW 9.73 dual-consent capture with in-prompt Privacy Policy link, one-tap Revocation, and immutable EHR-mapped audit trail—live in under 7 days.
Schedule your compliance assessment at Scribing.io →
About this playbook: Written by the Scribing.io Clinical Compliance Team. Last updated January 2026. This document is for operational guidance purposes and does not constitute legal advice. Washington health systems should consult qualified legal counsel for jurisdiction-specific compliance planning. Regulatory citations reference statutes as of January 2026; monitor the Washington Attorney General's office for enforcement updates.
