AI mental-health chatbots are the highest-risk product category under MHMDA
Mental-health information is a named consumer health data category under RCW 19.373.010. An AI chatbot that accepts free-text venting, journaling, mood entries, or stress descriptions is collecting and processing consumer health data on every turn. The model's classification of the user as anxious, depressed, or in crisis is itself an inferred mental-health status, which the inference clause of RCW 19.373.010 brings inside the statute even when the input was ordinary prose. Add the per se Consumer Protection Act bridge under RCW 19.373.090, and AI mental-health chatbots have the highest MHMDA exposure profile of any AI product category.
Why mental-health chatbots are the worst-case fit for MHMDA
The Act's findings at RCW 19.373.005 identify mental-health information as exactly the kind of data the legislature designed the chapter to protect. The definitions in RCW 19.373.010 list mental-health information explicitly. The inference clause means any mood classification, sentiment score, suicidality flag, or therapy-style label generated by the model counts as consumer health data even when the underlying prompt looked ordinary. A user typing "I have not slept well in a week and I cry on my commute" is supplying input. The model's classification is what creates the consumer health data record. The chatbot operator owns that record.
Five compliance hooks specific to AI mental-health chatbots
1. Standalone Consumer Health Data Privacy Policy. RCW 19.373.020 requires a distinct policy, prominently linked from the homepage in a way that survives mobile collapse. For a mental-health chatbot, the policy must specifically address mood inferences, suicidality flags, crisis-routing escalations, transcripts, training-data use, and third-party model APIs.
2. Two-layer consent before the first prompt. RCW 19.373.030 requires affirmative consent for collection and a separate consent for sharing. A chatbot that opens with "Tell me what you are feeling today" needs the consents collected before the prompt, with the sharing consent unbundled. Most consumer chatbot UX defaults to one accept button at signup, which is not compliant.
3. Training-data treatment is a sharing event. If your model-provider contract permits the provider to use submitted prompts for model improvement, that is a sharing of consumer health data with the provider for a non-service purpose. RCW 19.373.030(1)(b) requires a separate consent. The compliant path is either a vendor enterprise tier that prohibits training on user data, or a per-user training opt-out surfaced in the consent flow.
4. Crisis routing and human handoff. When a chatbot detects crisis language and routes to a human counselor, hotline, or emergency contact, that handoff is a sharing of consumer health data with a third party. The consent must cover the handoff specifically, or the handoff must qualify as necessary to provide the requested service.
5. Vendor and processor contracts under RCW 19.373.060. Every external API the chatbot calls (model provider, transcription service, sentiment-analysis service, crisis-routing partner) is a processor. Each needs a binding contract with processing instructions, scope-of-action limits, and the obligation to assist with consumer rights requests and security obligations. Standard API terms usually do not satisfy these requirements on their face.
Training-data and model-improvement exposure
If your application sends Washington user prompts to OpenAI's standard API, Anthropic's standard API, or any provider whose default contract permits using the data to improve the model, the application is sharing consumer health data with the provider for a purpose beyond serving the user. Two compliant configurations exist. First, sign the vendor's enterprise tier or zero-data-retention addendum that bars training on submitted data. Second, surface a per-user training opt-out in the consent flow that is meaningful (default off, separately checked, withdrawal mechanism documented). The hybrid configuration (enterprise tier plus optional training opt-in for users who agree) is acceptable. The most common compliance gap is using the default consumer API tier and saying nothing about training in the privacy policy.
What an MHMDA review of an AI mental-health chatbot covers
- Standalone Consumer Health Data Privacy Policy under RCW 19.373.020, audited against the chatbot's actual data flows.
- Two-layer consent UX under RCW 19.373.030: collection consent before the first prompt; sharing consent separated and unbundled.
- Training-data architecture: vendor tier, retention policy, training opt-out at user level.
- Crisis-routing path: who receives the handoff, what data is sent, whether the consent covers it.
- Processor contracts under RCW 19.373.060: model provider, transcription, sentiment analysis, hotline integrations.
- Consumer rights mechanics under RCW 19.373.040: access, withdrawal, deletion, 45-day response window.
- Security posture under RCW 19.373.050: access restricted to those for whom access is necessary; reasonable industry standard of care.
Per se CPA exposure
RCW 19.373.090 declares any MHMDA violation a per se Washington Consumer Protection Act violation. For a chatbot that handles thousands of Washington conversations a week with a non-compliant policy, consent UX, or vendor stack, every conversation generates standing on the consumer side. The remedy is actual damages, discretionary treble damages capped at $25,000 on the enhancement, and one-way attorney's fees to a prevailing plaintiff under RCW 19.86.090, with a four-year statute of limitations under RCW 19.86.120. AG enforcement under Chapter 19.86 RCW is parallel and not exclusive of private action.
Sergei's practical note
I treat AI mental-health chatbots as the highest-risk MHMDA category in operator-side reviews. The combination of named mental-health data, inferred mood states, third-party model APIs, training-data exposure, and a sympathetic plaintiff profile makes the compliance program non-optional. Send me the policy URL, two screenshots of the consent flow, the model-provider contract or enterprise tier confirmation, and a brief description of how crisis routing works. The $240 Written Attorney Consultation is the right starting point; the $1,500 MHMDA memo plus drafted standalone policy is often the right fit for mental-health products at any meaningful scale.
Payment
Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The flat fee for the Healthcare SaaS Legal Package is $2,500. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.
Delivery
Drafts in 2 to 3 business days, even for complex agreements. I work weekends when an engaged matter needs it. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.
Process
- Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
- I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
- I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
- We refine. Reasonable revision rounds are included so the final version fits how your product actually works.
Scope
This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.
A flat-fee package for digital health and SaaS founders: HIPAA and BAA posture, Terms of Service and privacy policy, and the consumer-health-data layer that MHMDA adds on top. Reviewed under California license; for Washington court representation I coordinate with Washington-admitted counsel.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice.