What an AI health startup has to clear before it launches in Washington, before it scales, and before due diligence
The pattern I see most often with AI health startups: founders ship the product, gather a few thousand Washington users, then get an investor diligence request that asks about MHMDA, HIPAA, and AI privacy posture. The cheaper path is to do the compliance work before scale, not after. This checklist is the founder-stage audit I run with AI health startups whose products might touch Washington consumers. It maps to Chapter 19.373 RCW and walks through the items investors typically ask about. The checklist is intentionally short. The detail lives in the linked pages.
Pre-launch: ten items before the product is publicly available in Washington
- Confirm Washington reach: residents, collection in Washington, or targeting (RCW 19.373.010).
- Map data flows: prompts, conversation logs, model inferences, sensor data, transcripts.
- Classify each data category against the consumer-health-data definition, including the inference prong (RCW 19.373.010).
- Publish a standalone Consumer Health Data Privacy Policy (RCW 19.373.020) and link it prominently from the homepage so the link remains visible when the navigation collapses on mobile.
- Build the two-layer consent UX: collection consent and a separate sharing consent (RCW 19.373.030).
- Sign MHMDA-tuned processor addenda with every external API vendor: model provider, transcription, sentiment, analytics, human-handoff (RCW 19.373.060).
- Confirm vendor tier on training-data treatment: enterprise tier, zero-data-retention addendum, or surfaced user-level opt-out.
- Audit any geofence or location-based feature against the prohibition on geofences within 2,000 feet of an entity that provides in-person health care services (RCW 19.373.080).
- Build the rights mechanism into the product: access, withdrawal, deletion, appeal, 45-day window (RCW 19.373.040).
- Document the security posture: reasonable industry-standard measures, access restricted to those for whom access is necessary (RCW 19.373.050).
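The geofence item above is the one that can be mechanised before a campaign ships. The script below is an added example, not tooling from this page or from any vendor: it takes a campaign's geofences (center plus radius) and a list of in-person health care facilities, and flags any geofence whose boundary comes within 2,000 feet of a facility perimeter. It assumes the RCW 19.373.080 reading that a geofence within 2,000 feet of a facility's perimeter is in scope, models each facility as a center point plus an approximate perimeter radius, and is deliberately conservative: it flags regardless of the campaign's stated purpose, leaving the purpose question to counsel. All coordinates, facility names and campaign identifiers are constructed for the demo.

```python
"""Pre-campaign geofence check against the RCW 19.373.080 2,000-foot rule.

Added example with constructed data. Each facility is modelled as a center
point plus an approximate perimeter radius (an assumption; real audits should
use the facility's actual footprint). A geofence is flagged when the gap
between its boundary and the facility perimeter is 2,000 feet or less.
"""
import math

EARTH_RADIUS_M = 6_371_000.0
FEET_PER_METER = 3.28084
LIMIT_FT = 2000.0  # statutory geofence threshold, RCW 19.373.080


def haversine_ft(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in feet."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_METER


def geofence_violations(geofences, facilities, limit_ft=LIMIT_FT):
    """Return (geofence_id, facility_name, gap_ft) for every geofence whose
    boundary lies within limit_ft of a facility perimeter.

    geofences: list of dicts with id, lat, lon, radius_ft
    facilities: list of dicts with name, lat, lon, perimeter_ft
    """
    hits = []
    for gf in geofences:
        for fac in facilities:
            center_gap = haversine_ft(gf["lat"], gf["lon"], fac["lat"], fac["lon"])
            # Boundary-to-perimeter gap; negative means the shapes overlap.
            gap = center_gap - gf["radius_ft"] - fac["perimeter_ft"]
            if gap <= limit_ft:
                hits.append((gf["id"], fac["name"], round(gap, 1)))
    return hits


# Constructed facility list (names and coordinates are made up).
FACILITIES = [
    {"name": "Example Clinic", "lat": 47.6062, "lon": -122.3321, "perimeter_ft": 150.0},
]

# Constructed campaign geofences. camp-A sits ~2,645 ft north of the clinic
# center with a 600 ft radius, so its boundary is ~1,895 ft from the
# perimeter and must be flagged. camp-B is ~10,900 ft away and is clear.
CAMPAIGN = [
    {"id": "camp-A", "lat": 47.61345, "lon": -122.3321, "radius_ft": 600.0},
    {"id": "camp-B", "lat": 47.6362, "lon": -122.3321, "radius_ft": 300.0},
]


def run_audit():
    """Convenience wrapper so the check can be called from CI or a test."""
    return geofence_violations(CAMPAIGN, FACILITIES)


if __name__ == "__main__":
    for gf_id, fac, gap in run_audit():
        print(f"BLOCK {gf_id}: boundary {gap} ft from {fac} perimeter (limit {LIMIT_FT:.0f} ft)")
```

Wire `run_audit()` into the campaign approval step so a non-empty result blocks launch and the output becomes the approval-log entry the diligence list asks for.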
Operational: six items once Washington users are active
- Track consumer rights requests and meet the 45-day response window with one 45-day extension (RCW 19.373.040).
- Audit analytics SDK payloads quarterly for any prompt content or inferred-health classifications leaking into third-party platforms.
- Re-audit the vendor sub-processor list quarterly; vendor sub-processor changes are a notice trigger.
- Confirm the homepage policy link is still prominent after any homepage redesign or mobile-nav refactor.
- Re-confirm the training-data tier with the model provider after any contract renewal.
- Run a 19.373.080 geofence audit before any campaign that targets locations.
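The quarterly analytics-payload audit in the operational list is the item most teams do by eyeballing a few events in the vendor console. The script below is an added example, not code from this page or from any analytics vendor, of doing it mechanically over an export of outbound events. It walks each event as nested JSON and flags three things: keys that carry conversation content (prompt, message, transcript and similar), keys that carry a health classification, and values that match the product's own inferred-health label taxonomy. The key patterns and the label set `INFERRED_LABELS` are assumptions standing in for a real product's schema, and the sample NDJSON events are constructed.

```python
"""Scan exported analytics events for consumer-health-data leakage.

Added example with constructed data. Input is newline-delimited JSON, the
shape most analytics SDKs and warehouses export. Findings are
(event_name, json_path, reason) tuples.
"""
import json
import re

# Assumption: the product's internal inferred-health label taxonomy. Any of
# these appearing as a value in an outbound event is a leaked inference.
INFERRED_LABELS = {"anxiety_risk", "pregnancy", "substance_use"}

# Assumed key patterns; tune to the real event schema.
CONTENT_KEY = re.compile(r"prompt|message|transcript|utterance|user_input|conversation", re.I)
HEALTH_KEY = re.compile(r"health|diagnos|symptom|condition|inferred|risk_score", re.I)


def _walk(node, path=""):
    """Yield (json_path, leaf_value) for every leaf in a nested structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, f"{path}[{idx}]")
    else:
        yield path, node


def audit_event(event):
    """Return findings for a single decoded analytics event."""
    findings = []
    name = event.get("event", "<unnamed>")
    for path, value in _walk(event):
        leaf_key = path.rsplit(".", 1)[-1]
        if CONTENT_KEY.search(leaf_key):
            findings.append((name, path, "conversation content key"))
        elif HEALTH_KEY.search(leaf_key):
            findings.append((name, path, "health-classification key"))
        elif isinstance(value, str) and value in INFERRED_LABELS:
            findings.append((name, path, "inferred-health label as value"))
    return findings


def audit_payloads(ndjson_lines):
    """Audit an iterable of NDJSON lines; returns all findings in order."""
    findings = []
    for line in ndjson_lines:
        line = line.strip()
        if line:
            findings.extend(audit_event(json.loads(line)))
    return findings


# Constructed sample export: one clean event and three leaky ones.
SAMPLE_EVENTS = [
    '{"event": "screen_view", "props": {"screen": "chat", "session_id": "s-1"}}',
    '{"event": "chat_sent", "props": {"prompt": "I have not slept in days", "model": "x"}}',
    '{"event": "user_segment", "props": {"segment": "anxiety_risk", "tier": "free"}}',
    '{"event": "handoff", "props": {"meta": {"transcript_excerpt": "..."}}}',
]


if __name__ == "__main__":
    for event_name, path, reason in audit_payloads(SAMPLE_EVENTS):
        print(f"LEAK {event_name}: {path} ({reason})")
```

Run it against a full quarter's export rather than a sample; a zero-findings result on the whole export, dated and stored, is the audit record the diligence list asks for, and the flagged paths map directly to the SDK call sites that need scrubbing.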
Due diligence: ten items investors will ask about
- Standalone Consumer Health Data Privacy Policy URL and homepage link.
- Date-stamped capture of consent UX (collection screen, sharing screen, withdrawal screen).
- Data inventory of consumer health data categories collected, processed, shared, sold, and inferred.
- Processor and sub-processor list with MHMDA addenda or vendor-published addenda.
- Model-provider contract or enterprise-tier confirmation, with training-data treatment.
- Any Washington Attorney General inquiry letter or response.
- Any consumer demand letter, dispute, or complaint touching consumer health data.
- Breach notification history under Chapter 19.255 RCW where consumer health data was implicated.
- Geofence audit history and any campaign-level approval log.
- Insurance posture (cyber, privacy, errors-and-omissions) for AI-specific exposures.
The per se CPA exposure investors will probe
RCW 19.373.090 declares any MHMDA violation a per se Washington Consumer Protection Act violation. Investors with healthcare or privacy diligence experience know this and will ask about the standalone policy, consent UX, and vendor stack. A clean MHMDA posture is a clean diligence answer. A missing standalone policy or a bundled consent UX is the most common red flag in operator-side reviews, and the founder who has not closed the gap before diligence pays the price.
When to engage
The $125 written email evaluation is the right starting point if you have a current policy and want a triage read. The $499 MHMDA scope memo is the right starting point if the data flows are still being mapped. The $900 memo plus drafted DPA and vendor-contract language is the right fit if the vendor stack is the main exposure. The $1,500 memo plus drafted standalone Consumer Health Data Privacy Policy is the right fit before launch or before a diligence cycle.
Sergei's practical note
The MHMDA work I do for AI health startups is heaviest at two points: before launch (set the standalone policy, the consent UX, and the vendor addenda before scale) and before diligence (clean up the gaps so the policy, consent, and vendor stack survive an investor's privacy diligence cycle). The middle period (operational) is mostly disciplined quarterly audits. Send me the policy URL, consent UX screenshots, vendor list, and a brief description of the data flow. The $125 written email evaluation is the cheapest path to know where you stand.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice. Related: MHMDA for AI Health Tools cluster hub; AI health data privacy policy; AI health vendor and processor contracts; AI Health Tool MHMDA Analyzer.