
Washington Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Washington.

Key points: 30-day breach deadline | 10-year retention | WA PMP | Stricter than HIPAA

Washington stands out among Pacific-Northwest states for its assertive breach posture. RCW 19.255.010, the Washington Data Breach Notification Act, requires notification within 30 days of discovery — a deadline materially stricter than HIPAA's 60-day federal ceiling — with simultaneous notification to the Washington Attorney General when 500 or more Washington residents are affected. Penalties under the Consumer Protection Act (RCW 19.86) reach $25,000 per violation. Washington's recently enacted My Health My Data Act (RCW 19.373) layered consumer-health-data protections on top of HIPAA for non-covered entities, but covered healthcare practices still anchor to RCW 19.255 for breach response. Retention under WAC 246-318-440 requires 10 years for hospitals from last discharge and 6 years for physician records (HIPAA floor controlling). Pediatric records run until age 21 or 10 years, whichever is longer. The Washington PMP at washington.pmpaware.net must be queried on every controlled-substance prescription.

Breach Notification Rules

Notification deadline

30 calendar days

Notification must be made within 30 days of discovery. AG must be notified if 500+ Washington residents affected. WDPA provides additional requirements.

AG notification threshold

500+ affected individuals

Notify: AG

Harm analysis required

Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range

Up to $25,000 per violation under Consumer Protection Act

Stricter than federal HIPAA

Enforcement Posture

The Washington Attorney General's office maintains one of the more active enforcement programs west of New York. Historically the AG has pursued breach-notification cases through the Consumer Protection Division under the Consumer Protection Act, with a documented pattern of seeking corrective-action agreements that include independent privacy assessments, mandatory employee training, and multi-year compliance monitoring. Washington also publishes an annual Data Breach Report that names breached entities, which functions as a reputational enforcement tool independent of any monetary penalty. The Department of Health separately licenses healthcare facilities and coordinates with the AG on systemic compliance failures. Practices should expect any breach affecting 500+ Washington residents to be reviewed for both notification timeliness and the adequacy of pre-breach security controls.

Medical Records Retention

Record type     | Retention period | Measured from
General medical | 10 years         | Last treatment
Pediatric       | 3 years          | Patient turns 18
Mental health   | 10 years         | Last treatment

Controlled-Substance Prescription Monitoring (WA PMP)

The Washington Prescription Monitoring Program (washington.pmpaware.net) requires queries on every controlled-substance prescription with delegation to licensed staff permitted. Exemptions cover hospice, cancer treatment, ER ≤3-day supplies, inpatient and long-term-care administration, and medication-assisted treatment. The Department of Health enforces compliance with civil penalties up to $5,000 plus license-board discipline. Out-of-state prescribers writing for Washington patients must register before issuing controlled-substance prescriptions.

Check required

Every prescription

Check frequency

Every prescription

Delegation allowed

Yes — licensed staff may query under prescriber oversight

Penalty range

Licensing board discipline; civil penalties up to $5,000; possible criminal charges

Exemptions

Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or long-term care administration, medication-assisted treatment

How Washington Rules Hit by Specialty

Behavioral health

Washington's RCW 71.05 layers enhanced confidentiality protections on mental-health records on top of the 10-year retention baseline in WAC 246-318-440. Mental-health information requires specific written authorization for disclosures, and breach involving RCW 71.05 records can trigger separate Department of Health investigation in addition to AG action.

Pediatrics

Pediatric records under WAC 246-318-440 must be retained until age 21 (age of majority 18 + 3 years) or 10 years from last treatment, whichever is longer. For a chart opened at birth this means up to 21 years of retention even with no subsequent encounters. Encode the 'whichever is longer' rule in your destruction schedule.

Pharmacy/compounding

Washington pharmacies face dual reporting — WA PMP for controlled-substance dispensing and the Department of Health Pharmacy Quality Assurance Commission for compounding-related adverse events. The My Health My Data Act adds new consent requirements for any consumer-health-data sharing beyond clinical use.

Telehealth providers

Out-of-state telehealth providers serving Washington residents must register with the Washington Medical Commission's telemedicine framework, query WA PMP for any controlled-substance prescription, and comply with RCW 19.255 for breaches affecting Washington residents — regardless of where the provider's primary practice is located.

Mandatory Reporting Obligations

Child abuse and neglect (RCW 26.44)

Mandated reporters

Physicians, nurses, dentists, psychologists, social workers, pharmacists, and all healthcare professionals

Report to

Department of Children, Youth, and Families (DCYF) or local law enforcement

Timeline

Within 48 hours

Penalty for failure

Gross misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability under RCW 26.44.060

Vulnerable adult abuse and neglect (Adult Protective Services)

Mandated reporters

Physicians, nurses, social workers, and all healthcare professionals

Report to

Adult Protective Services, Department of Social and Health Services

Timeline

Immediately / as soon as possible

Penalty for failure

Gross misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability

Domestic violence (adults)

Mandated reporters

Healthcare providers are not specifically mandated to report domestic violence in adults; encouraged to screen and refer

Report to

Local law enforcement (voluntary reporting permitted with patient consent)

Timeline

Immediately / as soon as possible

Immunity provision

Good faith reporters immune from civil liability

Notifiable conditions (communicable disease)

Mandated reporters

Physicians, laboratories, and healthcare facility administrators

Report to

Washington State Department of Health or local health jurisdiction

Timeline

Within 24 hours

Penalty for failure

Misdemeanor, up to $250 fine per day

Immunity provision

Good faith reporters immune from civil liability

Gunshot and stab wounds

Mandated reporters

All healthcare providers treating gunshot wounds or stab wounds

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Gross misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability

Washington Compliance FAQs

What is Washington's breach notification deadline, and when must the Attorney General be notified?

RCW 19.255.010 requires notification within 30 days of discovery — stricter than HIPAA's 60-day ceiling. If 500 or more Washington residents are affected, the Washington Attorney General must be notified simultaneously, and the AG publishes an annual Data Breach Report naming the breached entity.

Does the My Health My Data Act apply to HIPAA-covered practices?

RCW 19.373 (effective 2024) regulates consumer health data held by non-HIPAA-covered entities (apps, wellness platforms, data brokers). HIPAA-covered healthcare practices continue to operate under RCW 19.255 for breach response and HIPAA for PHI handling, but should track MHMDA when sharing data with non-covered partners.

How long must pediatric records be retained in Washington?

Under WAC 246-318-440, pediatric records must be retained until age 21 or 10 years from last treatment, whichever is longer. A chart opened at birth with no further encounters runs to age 21; an encounter at age 18 runs 10 years from then. Code the longer-period rule into your retention engine.

Can PMP queries be delegated to staff?

Yes. Licensed staff (RNs, LPNs, MAs working under a documented standing order from a licensed prescriber) may perform PMP queries. The prescriber must review and document the PMP result before issuing the prescription. Out-of-state telehealth prescribers must register before delegating.

What are the penalties for breach-notification violations in Washington?

Up to $25,000 per violation under the Washington Consumer Protection Act (RCW 19.86). The AG can aggregate violations across affected residents and seek injunctive relief plus consumer restitution. Severe cases involving willful conduct may also trigger Department of Health licensing actions.

Stay audit-ready in Washington

GuardWell tracks Washington-specific breach deadlines, retention periods, WA PMP PDMP queries, and mandatory reporting obligations automatically.
