Regulatory advisory service

Washington MHMDA Compliance Memo: Fixed-Price Regulatory Review for SaaS, AI, and Health Apps

If your product touches Washington consumers and any data plausibly counts as "consumer health data," Chapter 19.373 RCW (the Washington My Health My Data Act) applies. This is the first US health-privacy law outside HIPAA, with a per se Consumer Protection Act hook and a private right of action. Compliance is a regulatory question I can review under my California license today, no Washington admission required. The three tiers below productize the work into fixed-price written memos so you know the deliverable and the price before you engage.

Last reviewed: 2026-05-18. Statutory citations verified against Chapter 19.373 RCW on app.leg.wa.gov on the review date.

What MHMDA actually requires

MHMDA applies to any "regulated entity" or "small business" that conducts business in Washington or targets products or services to Washington consumers, and that determines the purpose and means of processing consumer health data. The scope, definitions, and small-business cutoff sit in RCW 19.373.010 and RCW 19.373.020. "Consumer health data" reaches anything reasonably linkable to a consumer that identifies past, present, or future physical or mental health status, including inferences drawn from non-medical signals. The Act has been operative against regulated entities since March 31, 2024 and against small businesses since June 30, 2024.

The five operative compliance obligations: (1) a standalone Consumer Health Data Privacy Policy prominently linked from the homepage, under RCW 19.373.020; (2) a two-layer affirmative consent regime, separate consent for collection and separate consent for sharing, under RCW 19.373.030; (3) a binding-instructions processor contract regime under RCW 19.373.060; (4) a HIPAA-style nine-element authorization before any sale of consumer health data, under RCW 19.373.070; and (5) a flat prohibition on geofences within 2,000 feet of in-person healthcare facilities for tracking, data collection, or advertising, under RCW 19.373.080.

The reason the stakes are high is RCW 19.373.090. That section declares every MHMDA violation a per se Consumer Protection Act violation under Chapter 19.86 RCW. A private plaintiff does not need to plead the public-interest element separately; the statute supplies it. Combined with discretionary treble damages capped at $25,000 on the enhancement, the one-way fee shift, and the four-year statute of limitations under RCW 19.86.120, MHMDA is the highest-leverage state consumer-health-privacy statute in the United States.

The exemptions at RCW 19.373.100 are narrower than they look. They are data-specific, not entity-blanket. A HIPAA-covered hospital is exempt for its PHI but not for marketing-pixel data on its public website. Wellness apps outside a covered-entity offering, consumer fitness trackers, direct-to-consumer mental-health apps, period and fertility apps, sleep apps, AI symptom checkers, and general-purpose apps that infer health from non-medical signals are not HIPAA-covered and are not exempt.

The three memo tiers

Tier 1, MHMDA Scope Memo, $499

$499, two-page written attorney memo: does MHMDA apply to your product? Covers the regulated-entity vs small-business analysis under RCW 19.373.020, the consumer definition and "consumer health data" definition under RCW 19.373.010 (including the inference-based scope), the separate Consumer Health Data Privacy Policy requirement under RCW 19.373.040 (yes or no, what is missing), and a geofence audit under RCW 19.373.080 (yes or no per your product). Output: written attorney memo in plain English, with citations. Five business day turnaround. Suitable for a SaaS or app operator wondering whether MHMDA applies at all.

Tier 2, MHMDA Memo plus DPA and Vendor Language, $900

$900, the Tier 1 deliverable plus vendor and DPA contract language for downstream processors and third-party service providers (drafted to the binding-instructions standard under RCW 19.373.060), consent UX recommendations against the two-consent regime in RCW 19.373.030, and homepage-link verification for the separate-policy requirement. Five business day turnaround. Suitable for a SaaS launching with embedded third-party processors who needs the vendor contract layer to match the policy.

Tier 3, MHMDA Memo plus Drafted Consumer Health Data Privacy Policy, $1,500

$1,500, the Tier 2 deliverable plus a drafted standalone Consumer Health Data Privacy Policy (the separate document required by RCW 19.373.020 and explained by the rights catalog in RCW 19.373.040), drafted homepage link copy and placement guidance to satisfy the prominent-link requirement, drafted consent flow language for the regulated consumer-health-data collection point, and one round of clarifying email after delivery. Seven business day turnaround. Suitable for a SaaS shipping a product to Washington consumers without an existing health-data privacy posture.

Why I can do this work under my California license

Washington's My Health My Data Act can reach out-of-state companies if they conduct business in Washington or target products or services to Washington consumers and determine the purposes and means of collecting, processing, sharing, or selling consumer health data. A SaaS company in Texas with Washington users, a wellness app in California targeting Washington consumers, or an AI health tool collecting consumer health data from Washington users may need MHMDA review depending on targeting, data categories, and control over processing. Compliance review is regulatory advisory work, not Washington representation. I am California-licensed (CA Bar #279869) with Washington admission pending; an MHMDA memo is a regulatory analysis of how a Washington statute applies to your product, not "Washington representation." If a matter escalates into Washington-specific litigation, an Attorney General enforcement action, or a private CPA claim filed in Washington courts, I would coordinate with Washington counsel or refer the litigation work out.

What I need from you to scope and deliver

Current privacy policy (URL or PDF)
Brief product description: what data you collect, from whom, for what purpose
Whether you have Washington users (yes, no, or unsure)
Whether the data plausibly includes biometric, mental health, reproductive, gender-affirming, fitness, location near a healthcare facility, or inferences from any of the above
Homepage URL (for the separate-privacy-policy link check)
Consent UX screenshots or a written description of the consent flow
Tier 2 and Tier 3 only: your current vendor and processor list plus your existing DPA template, if any

What is not in scope

Three things sit outside these tiers and should be priced separately if you need them. First, defending an active Washington Attorney General inquiry or a filed private CPA complaint is litigation-adjacent work that I would scope hourly and, if needed, coordinate with Washington counsel. Second, a multi-state harmonization memo that maps MHMDA against CCPA / CPRA, the Connecticut Data Privacy Act, the Nevada SB 370 health-data law, or GDPR is broader than the single-statute scope here and would be quoted separately. Third, drafting a general privacy policy or terms of service from scratch is a different product; the Tier 3 deliverable is the MHMDA-specific standalone document, not a complete general privacy policy.

Authority notes

Statutory sources retrieved 2026-05-18 from app.leg.wa.gov:

RCW 19.373.005, legislative findings
RCW 19.373.010, definitions (consumer, consumer health data, regulated entity, small business, geofence)
RCW 19.373.020, Consumer Health Data Privacy Policy and homepage-link requirement
RCW 19.373.030, two-layer affirmative consent regime
RCW 19.373.040, consumer rights (access, deletion, withdrawal, appeal)
RCW 19.373.050, data security and consent-tethered access restrictions
RCW 19.373.060, processor binding-instructions regime
RCW 19.373.070, sale of consumer health data and nine-element authorization
RCW 19.373.080, geofence prohibition within 2,000 feet of in-person healthcare facilities
RCW 19.373.090, per se Consumer Protection Act hook
RCW 19.373.100, exemptions (data-specific, not entity-blanket)

Dollar amounts, statutory amendments, and any subsequent Washington Attorney General guidance, agency forms, or regulations issued under MHMDA should be checked against the current publications on app.leg.wa.gov and atg.wa.gov before relying on them in a specific matter. Each memo I write re-verifies the operative text on the day it is drafted.

Educational and service-information resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is legal advice for a specific matter. An MHMDA memo under any of these tiers is regulatory advisory work product, not Washington-specific representation. Related: Washington My Health My Data Act hub; Washington Consumer Protection Act hub; Washington Data Breach Notification Guide; Washington SaaS Terms Guide.