AI Healthcare Regulations in Washington State (2025)
Washington AI healthcare regulations explained: key laws, agency oversight, compliance requirements, recent legislative activity, and who to contact. Updated 2025.
Washington has no single AI-in-healthcare law. Your compliance stack is assembled from at least four overlapping frameworks. The strictest rules, especially the My Health My Data Act (RCW 70.372), are already in force and carry a private right of action.
Quick Answer: What Washington AI Healthcare Rules Apply to You
If you deploy, sell, or operate an AI tool that touches health data in Washington, you are already regulated. The applicable rules are a combination of several frameworks.
As of mid-2025, Washington has not enacted a standalone AI-in-healthcare law. Compliance is built from:
- My Health My Data Act (MHMD), RCW 70.372 (effective March 31, 2024, for large regulated entities; June 30, 2024, for small businesses): This is the most consequential Washington-specific rule for health AI operators.
- Washington Consumer Protection Act, RCW 19.86: This prohibits unfair or deceptive acts, including misleading AI-driven health claims.
- DOH licensing authority, RCW 18.130: This governs licensed health professionals and, by extension, the tools they use in clinical practice.
- Federal HIPAA/FDA frameworks: These are layered on top of, not replaced by, state law.
Who this affects:
- Health systems and hospitals using AI for clinical decision support, diagnostics, or care management.
- Telehealth platforms that collect behavioral or biometric data outside a traditional HIPAA-covered relationship.
- Clinical decision-support software vendors selling into Washington facilities.
- Health insurers and managed care organizations using algorithmic prior-authorization or utilization-management tools.
High-risk vs. administrative AI: Regulatory scrutiny varies by risk. AI tools that influence clinical diagnosis, treatment recommendations, or coverage denials face the most exposure. This includes FDA device classification analysis, DOH survey readiness requirements, and insurer oversight under RCW 48.43. Administrative AI (scheduling, billing, coding assistance) carries lower clinical risk but is still subject to MHMD if it processes consumer health data, and to RCW 19.86 if consumer-facing.
Enforcement posture: As of mid-2025, enforcement is primarily complaint-driven through the Attorney General's Consumer Protection Division and DOH. There is no dedicated AI enforcement unit in Washington state government. MHMD's private right of action means plaintiffs' attorneys are a significant enforcement vector.
Washington-Specific Statutes and Regulations Governing AI in Healthcare
My Health My Data Act (RCW 70.372)
MHMD covers "consumer health data," defined broadly to include any personal information that identifies a consumer's physical or mental health condition. This includes data inferred by an algorithm from non-health inputs (RCW 70.372.010). An AI model that infers a user's likely pregnancy, chronic condition, or mental health status from location, purchase, or behavioral data is processing consumer health data under Washington law, even if no clinician is involved and no HIPAA-covered entity is in the chain.
Key MHMD obligations for AI operators:
- Consent: Separate, valid authorization is required before collecting or sharing consumer health data (RCW 70.372.030). Pre-checked boxes and bundled consent do not satisfy this requirement.
- Geofencing prohibition: It is prohibited to use geofencing to identify or track individuals near healthcare facilities (RCW 70.372.060). AI tools that use location signals as model inputs should be reviewed against this provision.
- No small-entity exemption: MHMD applies regardless of entity size or revenue. A two-person health app startup serving Washington residents is covered.
- Private right of action: Consumers may sue directly. Consult RCW 70.372.900 for penalty provisions. The statutory damages figure cited in legislative history is $25,000 per violation, but confirm the current enrolled text of RCW 70.372.900 directly, as penalty provisions can be amended.
Insurance Code: Algorithmic Prior Authorization (RCW 48.43.535)
Washington law prohibits health carriers from making adverse benefit determinations based solely on automated processes without clinical review (RCW 48.43.535, utilization review and prior authorization standards). If your AI tool generates a prior-authorization denial recommendation, a licensed clinician must review it before the denial issues. This requirement is not satisfied by a physician "approving" a batch of AI outputs without individual review.
The Washington Office of the Insurance Commissioner (OIC) regulates health insurance AI tools under WAC 284-43. Consult OIC directly at insurance.wa.gov for any bulletins or rulemaking issued in 2024 to 2025 on algorithmic underwriting or claims adjudication. Verify current OIC bulletin status before relying on any secondary summary.
Hospital Licensing (RCW 70.41.030 and WAC 246-320)
DOH sets conditions of participation for licensed hospitals under RCW 70.41.030. WAC 246-320 governs hospital survey standards. While DOH has not issued AI-specific guidance under WAC 246-320 as of mid-2025, hospital surveyors can review clinical decision-support tools as part of quality and patient safety assessments. Consult the DOH Health Systems Quality Assurance division to confirm current status. Document your AI tool's validation, intended use, and clinical oversight protocols before a survey.
What Did Not Pass: Previous Legislative Efforts
Previous legislative sessions saw the introduction of algorithmic accountability bills that would have imposed broader AI transparency and impact-assessment requirements. These bills did not pass. The 2025 session bills identified in available source material (SB 5167, SB 5998, SB 5810, HB 1197, HB 2289, HB 1198) are budget and appropriations measures with no dedicated AI healthcare provisions confirmed in their titles or subjects. Whether SB 5167's enrolled text includes specific line items for DOH health technology oversight requires direct review of the enrolled bill at leg.wa.gov.
MHMD vs. HIPAA: Where Washington Is Stricter
| Dimension | HIPAA | Washington MHMD (RCW 70.372) |
|---|---|---|
| Small-entity exemption | Yes (some covered entities) | No |
| Inferred health data covered | No (requires PHI) | Yes |
| Private right of action | No | Yes |
| Consent for data sharing | Permits some without consent | Requires affirmative authorization |
| Geofencing restriction | No | Yes |
Federal Overlay: FDA, HIPAA, and FTC Rules That Apply in Washington
Both state and federal rules apply, and where Washington is stricter, Washington controls.
FDA Software as a Medical Device (SaMD)
If your AI tool meets the FDA's definition of a medical device, it requires clearance or approval before marketing in Washington or anywhere else in the US. The FDA's SaMD framework, grounded in 21 CFR Part 880 and the 2021 AI/ML-Based SaMD Action Plan, classifies software by its intended use and the risk level of the clinical decision it supports.
Practical triggers for FDA review:
- AI that analyzes medical images to detect disease
- Algorithms that recommend specific treatments or drug dosing
- Tools that predict patient deterioration and prompt clinical intervention
Administrative AI (scheduling, billing, documentation assistance) generally falls outside FDA device jurisdiction under the 21st Century Cures Act software exclusions, but the line is fact-specific. Consult FDA's Digital Health Center of Excellence (fda.gov/medical-devices/digital-health-center-excellence) for current classification guidance.
Predetermined Change Control Plans (PCCPs): FDA finalized guidance on PCCPs in 2024, allowing AI/ML device developers to pre-specify the types of algorithm modifications they can make post-clearance without a new submission. Washington-based SaMD developers should incorporate PCCP planning into their product roadmap. Confirm the exact final guidance publication date and applicability scope directly with FDA.
HIPAA (45 CFR Parts 160 and 164)
HIPAA's Privacy and Security Rules apply to covered entities and business associates handling protected health information (PHI). For AI operators, the key pressure points are:
- Training data: Using PHI to train AI models requires either a valid authorization, a waiver from an IRB or Privacy Board, or de-identification meeting the standards of 45 CFR §164.514(b). Expert determination de-identification is more defensible than safe harbor for AI training sets, given re-identification risks.
- Business Associate Agreements (BAAs): Any AI vendor that receives, processes, or stores PHI on behalf of a covered entity is a business associate and requires a compliant BAA (45 CFR §164.308(b)).
- Security Rule: AI systems processing PHI must be included in your risk analysis under 45 CFR §164.308(a)(1).
FTC Act (15 U.S.C. § 45)
The FTC's Section 5 authority covers unfair or deceptive acts in commerce. The FTC's 2023 policy statement on AI and biometric data signals that consumer-facing health AI apps making unsubstantiated clinical claims, or using health data in ways consumers would not expect, are enforcement targets. This applies to Washington-based companies and companies serving Washington consumers.
CMS Interoperability and Prior Authorization Rule (CMS-0057-F)
The CMS Interoperability and Prior Authorization Final Rule requires payers, including Medicaid managed care plans, to implement prior-authorization APIs. The compliance deadline for Washington Medicaid managed care plans under CMS-0057-F is January 1, 2026. AI workflow tools that integrate with prior-authorization processes must be compatible with these API requirements. Confirm current deadlines with Washington HCA (hca.wa.gov) and CMS directly, as phased compliance timelines have been subject to CMS updates.
Compliance Requirements: What Healthcare AI Operators Must Do in Washington
Consent and Disclosure Under MHMD
If your AI tool infers health conditions from non-HIPAA data (wearables, apps, location, purchase history), you need a separate, affirmative consumer authorization before collecting or sharing that data (RCW 70.372.030). This authorization must be:
- Presented separately from general terms of service
- Written in plain language
- Specific to the health data being collected and the purpose
- Revocable by the consumer
Data Minimization and Purpose Limitation
Washington does not have a standalone data minimization statute for health AI, but MHMD's consent framework effectively limits use to disclosed purposes. For AI training datasets, document the legal basis for each data element, the population it represents, and the retention schedule. Over-collection is a litigation risk under both MHMD and RCW 19.86.
Vendor and BAA Due Diligence
Your AI vendor contracts should address:
- HIPAA BAA terms if PHI is involved (45 CFR §164.308(b))
- MHMD obligations if the vendor processes consumer health data on your behalf
- Model documentation: what data was used to train the model, what validation was performed, and what the model's known limitations are
- Audit rights: your ability to inspect the vendor's data handling practices
- Breach notification obligations aligned with Washington's 45-day rule (RCW 19.255.010)
Algorithmic Transparency and DOH Survey Readiness
For clinical AI tools deployed in licensed hospitals, maintain documentation of:
- Model inputs and outputs
- Validation studies, including performance on Washington-relevant patient populations
- Clinical oversight protocols (who reviews AI recommendations and how)
- Incident reporting procedures when AI outputs are incorrect or harmful
DOH surveyors reviewing hospital quality and patient safety programs under WAC 246-320 may request this documentation.
Human Oversight for High-Risk Clinical Decisions
For any AI tool that influences a clinical decision, including prior-authorization determinations, a licensed clinician must review the AI recommendation before an adverse action is taken. This is required under RCW 48.43.535 for insurance contexts and is a sound practice standard for clinical settings.
Breach Notification: Washington's 45-Day Rule Controls
Washington's data breach notification law (RCW 19.255.010) requires notification to affected consumers within 45 days of discovering a breach involving personal information, including health data. HIPAA allows 60 days. Washington's stricter timeline applies to breaches affecting Washington residents. Build 45-day breach response workflows into your incident response plan.
OIC Filing Requirements for AI in Insurance
If your organization uses AI in health insurance rating, underwriting, or claims adjudication, consult OIC (insurance.wa.gov) regarding filing requirements under WAC 284-43A. Rate and form filings involving algorithmic tools may require disclosure of the AI methodology. OIC filing review timelines vary by filing type; contact OIC's compliance division directly for current processing times.
What Changed Recently: 2024 to 2025 Legislative and Regulatory Activity
MHMD Enforcement Is Active
The March 31, 2024, effective date for large regulated entities and June 30, 2024, date for small businesses have passed. The Washington AG's Consumer Protection Division is the primary enforcement authority, supplemented by private litigation. Monitor the AG's office (atg.wa.gov) for enforcement actions involving AI-inferred health data. Verify current enforcement activity directly with the AG's office before relying on any secondary report.
2025 Legislative Session: No Dedicated AI Healthcare Statute
The 2025 session bills available in source material (SB 5167, SB 5998, SB 5810, HB 1197, HB 2289, HB 1198) are budget and appropriations measures. Based on the available data, no dedicated AI healthcare statute passed in the 2025 session. Whether SB 5167 (effective May 20, 2025) includes specific appropriations for DOH health technology oversight or AI-related programs requires review of the enrolled bill text at leg.wa.gov. Do not assume appropriations language creates new substantive compliance obligations without reading the enrolled text.
Federal Developments With Washington Impact
- CMS-0057-F prior-authorization API compliance: The January 1, 2026, deadline for Washington Medicaid managed care plans is approaching. Health systems and AI workflow vendors should be in the implementation phase.
- FDA PCCP final guidance (2024): Washington-based AI medical device developers should incorporate PCCP planning. Confirm the exact finalization date and scope with FDA's Digital Health Center of Excellence.
- FTC enforcement posture: The FTC's focus on health data and AI remains active at the federal level, with direct implications for consumer-facing health AI apps operating in Washington.
OIC Activity
Consult OIC directly at insurance.wa.gov for any bulletins or rulemaking issued in 2024 to 2025 on algorithmic health insurance tools.
Looking Ahead to 2026
Given the national trend toward standalone AI accountability legislation, a Washington-specific AI bill in the 2026 session is plausible. The failure of previous AI-related bills does not mean the issue is dormant. Monitor the Washington State Legislature's website (leg.wa.gov) and the AG's office for pre-session activity.
Permit Fees, Review Timelines, and Compliance Costs: Washington vs. Neighboring States
Washington has no AI-specific permit or registration fee as of 2025. Your costs are indirect.
Washington Compliance Cost Reality
There is no application, registration, or permit fee specific to AI healthcare tools in Washington. Compliance costs are driven by:
- Legal review of MHMD applicability and consent workflow design
- Technical work to implement data minimization, audit logging, and breach response
- BAA negotiation and vendor due diligence
- DOH survey preparation for hospital-based clinical AI
Cost ranges vary significantly by entity size and AI tool complexity. A small health app operator implementing MHMD consent workflows might spend $15,000 to $50,000 in legal and technical costs. A large health system deploying a clinical AI platform could face $200,000 or more in compliance infrastructure. These are illustrative ranges based on general legal market rates, not published Washington agency figures. Get quotes from health IT counsel for your specific situation.
MHMD Litigation Exposure
The private right of action under RCW 70.372.900 is a significant financial risk. Review the current enrolled text of RCW 70.372.900 directly to confirm the per-violation damages figure, as penalty provisions are subject to amendment. Legislative history references $25,000 per violation. A class action involving a health app with thousands of Washington users and a defective consent workflow represents material exposure.
State Comparison Table
| Dimension | Washington | California | Oregon | Colorado |
|---|---|---|---|---|
| Consumer health data law | MHMD, RCW 70.372 | CMIA, Cal. Civ. Code § 56 et seq. | No equivalent MHMD as of mid-2025 (consult Oregon DOJ) | No equivalent MHMD |
| AI-specific health statute | None (2025) | None (consult CA legislature for current bills) | None confirmed | None specific to health AI |
| AI in insurance | RCW 48.43.535; OIC oversight | CDI oversight (consult CA Dept. of Insurance) | Consult Oregon DOI | SB 21-169, external review requirements |
| Private right of action (health data) | Yes (MHMD) | Yes (CMIA) | Varies by jurisdiction | Consult Colorado AG |
| Breach notification timeline | 45 days (RCW 19.255.010) | Varies by data type (consult CA AG) | 45 days (ORS 646A.604) | 30 days (C.R.S. § 6-1-716) |
| AI permit/registration fee | None | None | None | None |
DOH Licensing and Survey Timelines
DOH licensing timelines for new hospital programs or technology deployments vary by application type. Consult DOH Health Systems Quality Assurance (doh.wa.gov/LicensesPermitsandCertificates/FacilitiesNewReneworUpdate) for current processing times.
OIC Rate and Form Filing Timelines
OIC rate and form filing review timelines for health insurance products are governed by WAC 284-43A. Timelines vary by filing type and completeness. Contact OIC's rates and forms division at insurance.wa.gov for current processing estimates.
Next Steps and Who to Contact in Washington
Step 1: Data Inventory
Identify every data source your AI tool touches. For each source, determine whether it constitutes "consumer health data" under RCW 70.372.010. Pay particular attention to inferred data: if your model outputs a health-related inference, the input data that produced it may be covered.
Step 2: FDA SaMD Classification Analysis
Determine whether your AI tool meets the FDA's definition of a medical device. If there is any ambiguity, request a pre-submission meeting with FDA's Digital Health Center of Excellence (fda.gov/medical-devices/digital-health-center-excellence) before marketing.
Step 3