What an AI health startup has to clear before it launches in Washington, before it scales, and before due diligence
The pattern I see most often with AI health startups: founders ship the product, gather a few thousand Washington users, then get an investor diligence request that asks about MHMDA, HIPAA, and AI privacy posture. The cheaper path is to do the compliance work before scale, not after. This checklist is the founder-stage audit I run with AI health startups whose products might touch Washington consumers. It maps to Chapter 19.373 RCW and walks through the items investors typically ask about. The checklist is intentionally short. The detail lives in the linked pages.
Before launch
- Confirm Washington reach: residents, collection in Washington, or targeting (RCW 19.373.010).
- Map data flows: prompts, conversation logs, model inferences, sensor data, transcripts.
- Classify each data category against the consumer-health-data definition, including the inference prong (RCW 19.373.010).
- Publish a standalone Consumer Health Data Privacy Policy (RCW 19.373.020) and link it prominently from the homepage in a way that survives mobile collapse.
- Build the two-layer consent UX: collection consent and a separate sharing consent (RCW 19.373.030).
- Sign MHMDA-tuned processor addenda with every external API vendor: model provider, transcription, sentiment, analytics, human-handoff (RCW 19.373.060).
- Confirm vendor tier on training-data treatment: enterprise tier, zero-data-retention addendum, or surfaced user-level opt-out.
- Audit any geofence or location-based feature against the 2,000-foot prohibition (RCW 19.373.080).
- Build the rights mechanism into the product: access, withdrawal, deletion, appeal, 45-day window (RCW 19.373.040).
- Document the security posture: reasonable industry-standard measures, access restricted to those for whom access is necessary (RCW 19.373.050).
- Track consumer rights requests and meet the 45-day response window with one 45-day extension (RCW 19.373.040).
Before scale
- Audit analytics SDK payloads quarterly for any prompt content or inferred-health classifications leaking into third-party platforms.
- Re-audit the vendor sub-processor list quarterly; vendor sub-processor changes are a notice trigger.
- Confirm the homepage policy link is still prominent after any homepage redesign or mobile-nav refactor.
- Re-confirm the training-data tier with the model provider after any contract renewal.
- Run a 19.373.080 geofence audit before any campaign that targets locations.
Before due diligence
- Standalone Consumer Health Data Privacy Policy URL and homepage link.
- Date-stamped capture of consent UX (collection screen, sharing screen, withdrawal screen).
- Data inventory of consumer health data categories collected, processed, shared, sold, and inferred.
- Processor and sub-processor list with MHMDA addenda or vendor-published addenda.
- Model-provider contract or enterprise-tier confirmation, with training-data treatment.
- Any Washington Attorney General inquiry letter or response.
- Any consumer demand letter, dispute, or complaint touching consumer health data.
- Breach notification history under Chapter 19.255 RCW where consumer health data was implicated.
- Geofence audit history and any campaign-level approval log.
- Insurance posture (cyber, privacy, errors-and-omissions) for AI-specific exposures.
When to engage
The $240 Written Attorney Consultation is the right starting point if you have a current policy and want a triage read. The $499 MHMDA scope memo is the right starting point if the data flows are still being mapped. The $900 memo plus drafted DPA and vendor-contract language is the right fit if the vendor stack is the main exposure. The $1,500 memo plus drafted standalone Consumer Health Data Privacy Policy is the right fit before launch or before a diligence cycle.
Sergei's practical note
The MHMDA work I do for AI health startups is heaviest at two points: before launch (set the standalone policy, the consent UX, and the vendor addenda before scale) and before diligence (clean up the gaps so the policy, consent, and vendor stack survive an investor's privacy diligence cycle). The middle period (operational) is mostly disciplined quarterly audits. Send me the policy URL, consent UX screenshots, vendor list, and a brief description of the data flow. The $240 Written Attorney Consultation is the cheapest path to know where you stand.
Payment
Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The flat fee for the Healthcare SaaS Legal Package is $2,500. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.
Delivery
Drafts in 2 to 3 business days, even for complex agreements. I work weekends when an engaged matter needs it. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.
Process
- Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
- I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
- I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
- We refine. Reasonable revision rounds are included so the final version fits how your product actually works.
Scope
This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.
A flat-fee package for digital health and SaaS founders: HIPAA and BAA posture, Terms of Service and privacy policy, and the consumer-health-data layer that MHMDA adds on top. Reviewed under California license; for Washington court representation I coordinate with Washington-admitted counsel.
See the full Healthcare SaaS legal stack → or email me directly for a scoped quote.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice. Related: MHMDA for AI Health Tools cluster hub; AI health data privacy policy; AI health vendor and processor contracts; AI Health Tool MHMDA Analyzer.