Washington Behavioral Health SaaS Privacy Review: When the Product Is Sold to Providers, Not Consumers
B2B behavioral health SaaS sells to clinical organizations: outpatient practices, group practices, recovery centers, employee assistance programs, and digital therapeutics companies. The operator usually signs HIPAA business associate agreements with each customer. That posture handles PHI inside the covered relationship, but MHMDA still reaches the product wherever data sits outside the HIPAA-covered transaction or wherever the operator independently determines the purposes and means of processing. This page describes the privacy review service for B2B and clinical-provider-facing behavioral health platforms.
Where MHMDA still applies under a HIPAA BAA posture
- Marketing pixels and analytics on the public-facing website. The site that sells the SaaS to clinical buyers is not HIPAA-covered; conversion events for "depression treatment software" or "SUD program management" are MHMDA-covered data flows about Washington consumers visiting the site.
- Free-trial signups, demo requests, and any pre-sale collection that touches health-status indicators.
- Aggregated or de-identified data products the operator builds from BAA-covered inputs. The de-identification carve-out at RCW 19.373.100 tracks the 45 CFR 164 standard; confirm the de-identification posture against the actual current standard before relying on it.
- Operator-side analytics on usage patterns where the operator determines the purposes and means independently of the BAA-covered customer.
- AI features built on aggregated customer data where the operator is not acting purely on behalf of a covered entity.
- Any consumer-facing module bolted onto the B2B platform (patient portal, mobile app, peer chat) that interacts directly with consumers rather than through the covered customer.
What the behavioral health SaaS privacy review covers
- Separate Consumer Health Data Privacy Policy under RCW 19.373.020 for the operator's direct-to-consumer surface (marketing site, any consumer-facing modules).
- Consent posture under RCW 19.373.030 for any consumer-facing collection that is not pure BAA processing.
- Data-subject rights under RCW 19.373.040, mapped against HIPAA right-of-access mechanics. The HIPAA right of access at 45 CFR 164.524 is not a substitute for MHMDA rights; they coexist.
- Reasonable-care security under RCW 19.373.050, often layered with HIPAA Security Rule controls.
- Processor and sub-processor contracts under RCW 19.373.060. BAAs cover PHI; MHMDA processor contracts cover consumer health data that falls outside PHI handled in a covered transaction. A single BAA-only template usually needs an MHMDA addendum.
- Sale of consumer health data under RCW 19.373.070 if aggregated or derivative data products are commercialized.
- Geofence audit under RCW 19.373.080 if any operator-controlled location-based feature targets healthcare facilities.
- De-identification posture audit against 45 CFR Part 164 standards, with documentation supporting the exemption claim.
What to send for the review
- Operator description: pure B2B clinical, B2B plus consumer-facing module, digital therapeutic, EAP, or hybrid.
- Customer list profile (covered entity types, multi-state footprint, Washington customer count).
- Marketing site URL plus all signup, demo-request, and free-trial flows.
- BAA template, MHMDA addendum if any, and the sub-processor list.
- Privacy policy, Consumer Health Data Privacy Policy if separate, terms of service, and any consumer-facing notice.
- Data flow map: which fields are PHI in covered transactions, which sit outside the BAA, where each is stored, who has access.
- AI feature description if any (clinical decision support, documentation assistance, predictive analytics).
- De-identification methodology and supporting documentation if a de-identified product exists.
What the engagement produces
A written attorney evaluation under California license identifying the MHMDA gaps, the BAA-versus-MHMDA boundary as applied to the specific operating model, the priority remediation steps, and the recommended package tier. For complex B2B operators with multiple consumer-facing surfaces, the bundle includes the data flow map, the consent-flow design for direct-to-consumer collection, the MHMDA addendum language for the BAA template, and the separate Consumer Health Data Privacy Policy. For the larger SaaS bundle, email me for current availability and scope confirmation.
Sergei's practical note
B2B behavioral health SaaS is the category where the BAA-only mindset misses the most. The marketing site, the demo flow, the consumer-facing patient app, and the de-identified analytics product are all MHMDA surfaces even when the core clinical product is BAA-covered. The fix is incremental: separate Consumer Health Data Privacy Policy for the direct-to-consumer surface, MHMDA addendum on the BAA template for sub-processors that touch non-PHI fields, a documented de-identification standard if the analytics product depends on the exemption, and an operational deletion workflow that handles both HIPAA right-of-access and MHMDA rights without collision. I review under California license. This is regulatory advisory work, not Washington representation.
Related: Mental Health SaaS MHMDA hub; HIPAA vs MHMDA for Mental Health SaaS; Mental Health SaaS MHMDA Gap Checker.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing here creates an attorney-client relationship or is Washington legal advice.