Washington Behavioral Health SaaS Privacy Review: When the Product Is Sold to Providers, Not Consumers
B2B behavioral health SaaS sells to clinical organizations: outpatient practices, group practices, recovery centers, employee assistance programs, and digital therapeutics companies. The operator usually signs HIPAA business associate agreements with each customer. That posture handles PHI inside the covered relationship, but MHMDA still reaches the product wherever data sits outside the HIPAA-covered transaction or wherever the operator independently determines the purposes and means of processing. This page describes the privacy review service for B2B and clinical-provider-facing behavioral health platforms.
Where MHMDA reaches past the BAA
- Marketing pixels and analytics on the public-facing website. The site that sells the SaaS to clinical buyers is not HIPAA-covered; conversion events for "depression treatment software" or "SUD program management" are MHMDA-covered data flows about Washington consumers visiting the site.
- Free-trial signups, demo requests, and any pre-sale collection that touches health-status indicators.
- Aggregated or de-identified data products the operator builds from BAA-covered inputs. The de-identification carve-out at RCW 19.373.100 tracks the 45 CFR 164 standard; confirm the de-identification posture against the actual current standard before relying on it.
- Operator-side analytics on usage patterns where the operator determines the purposes and means independently of the BAA-covered customer.
- AI features built on aggregated customer data where the operator is not acting purely on behalf of a covered entity.
- Any consumer-facing module bolted onto the B2B platform (patient portal, mobile app, peer chat) that interacts directly with consumers rather than through the covered customer.
What the review covers
- Separate Consumer Health Data Privacy Policy under RCW 19.373.020 for the operator's direct-to-consumer surface (marketing site, any consumer-facing modules).
- Consent posture under RCW 19.373.030 for any consumer-facing collection that is not pure BAA processing.
- Data-subject rights under RCW 19.373.040, mapped against HIPAA right-of-access mechanics. The HIPAA right of access at 45 CFR 164.524 is not a substitute for MHMDA rights; they coexist.
- Reasonable-care security under RCW 19.373.050, often layered with HIPAA Security Rule controls.
- Processor and sub-processor contracts under RCW 19.373.060. BAAs cover PHI; MHMDA processor contracts cover consumer health data that is not PHI in covered transactions. A single BAA-only template usually needs an MHMDA addendum.
- Sale of consumer health data under RCW 19.373.070 if aggregated or derivative data products are commercialized.
- Geofence audit under RCW 19.373.080 if any operator-controlled location-based feature targets healthcare facilities.
- De-identification posture audit against 45 CFR Part 164 standards, with documentation supporting the exemption claim.
What to send
- Operator description: pure B2B clinical, B2B plus consumer-facing module, digital therapeutic, EAP, or hybrid.
- Customer list profile (covered entity types, multi-state footprint, Washington customer count).
- Marketing site URL plus all signup, demo-request, and free-trial flows.
- BAA template, MHMDA addendum if any, and the sub-processor list.
- Privacy policy, Consumer Health Data Privacy Policy if separate, terms of service, and any consumer-facing notice.
- Data flow map: which fields are PHI in covered transactions, which sit outside the BAA, where each is stored, who has access.
- AI feature description if any (clinical decision support, documentation assistance, predictive analytics).
- De-identification methodology and supporting documentation if a de-identified product exists.
What the engagement produces
A written attorney evaluation under California license identifying the MHMDA gaps, the BAA-versus-MHMDA boundary as applied to the specific operating model, the priority remediation steps, and the recommended package tier. For complex B2B operators with multiple consumer-facing surfaces, the bundle includes the data flow map, the consent-flow design for direct-to-consumer collection, the MHMDA addendum language for the BAA template, and the separate Consumer Health Data Privacy Policy. For the larger SaaS bundle, email me for current availability and scope confirmation.
Sergei's practical note
B2B behavioral health SaaS is the category where the BAA-only mindset misses the most. The marketing site, the demo flow, the consumer-facing patient app, and the de-identified analytics product are all MHMDA surfaces even when the core clinical product is BAA-covered. The fix is incremental: separate Consumer Health Data Privacy Policy for the direct-to-consumer surface, MHMDA addendum on the BAA template for sub-processors that touch non-PHI fields, a documented de-identification standard if the analytics product depends on the exemption, and an operational deletion workflow that handles both HIPAA right-of-access and MHMDA rights without collision. I review under California license. This is regulatory advisory work, not Washington representation.
Payment
Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The flat fee for the Healthcare SaaS Legal Package is $2,500. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.
Delivery
Drafts in 2 to 3 business days, even for complex agreements. I work weekends when an engaged matter needs it. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.
Process
- Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
- I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
- I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
- We refine. Reasonable revision rounds are included so the final version fits how your product actually works.
Scope
This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.
A flat-fee package for digital health and SaaS founders: HIPAA and BAA posture, Terms of Service and privacy policy, and the consumer-health-data layer that MHMDA adds on top. Reviewed under California license; for Washington court representation I coordinate with Washington-admitted counsel.
See the full Healthcare SaaS legal stack → or email me directly for a scoped quote.
Related: Mental Health SaaS MHMDA hub; HIPAA vs MHMDA for Mental Health SaaS; Mental Health SaaS MHMDA Gap Checker.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing here creates an attorney-client relationship or is Washington legal advice.