AI symptom checkers are inside MHMDA the moment they classify a query as health-related
An AI symptom checker accepts a free-text complaint from a consumer ("headache, mild fever, two days") and returns a structured ranking of possible explanations. That output is consumer health data on the inference prong of RCW 19.373.010. The prompt, the model output, the classification metadata, and any session log are all collected consumer health data once the system retains them. If the symptom checker serves Washington consumers, MHMDA's compliance program applies in full: standalone Consumer Health Data Privacy Policy, two-layer consent, processor contracts with the model vendor, and a geofence audit if location or facility-based features are used.
Ask my AI Legal Analyst about Washington consumer health data and MHMDA?
Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step.
Common Washington consumer-health-data questions, always free
Why the inference prong catches AI symptom checkers
RCW 19.373.010 defines consumer health data as personal information linked or reasonably linkable to a consumer that identifies past, present, or future physical or mental health status, including information derived or extrapolated from non-health information. A symptom checker exists to do exactly that derivation. The prompt may include no clinical record, no diagnosis code, no lab value. The model's job is to read the prompt and infer plausible health states. That inference is consumer health data the moment the system stores it. The stored classification "user asked about chest pain" is consumer health data even if the prompt itself is ambiguous.
The four AI-specific compliance hooks
Standalone privacy policy. RCW 19.373.020 requires a Consumer Health Data Privacy Policy as a distinct document, prominently linked from the homepage in a way that survives mobile collapse. A general SaaS policy that mentions health data in a paragraph does not satisfy the rule. The standalone policy must disclose categories of consumer health data collected and the purpose, sources, sharing, the specific affiliates and third parties with whom data is shared, and the consumer rights mechanism.
Two-layer consent. RCW 19.373.030 requires affirmative consent for collection and a separate consent for sharing. A symptom checker that stores prompts to improve the product, sends prompts to a third-party model API, and uses analytics SDKs is doing three things that may each require their own consent layer. Bundling all of them into one "I accept the privacy policy" checkbox fails on this point.
Processor contract with the model vendor. If the symptom checker calls OpenAI, Anthropic, Azure OpenAI, or any external API, that vendor is a processor under RCW 19.373.060. The vendor's default API terms usually do not satisfy MHMDA's processor-contract requirement on their face. A written DPA addendum or a vendor-published MHMDA-aware addendum is required, with binding instructions, scope-of-processing limits, and the obligation to assist with consumer rights requests and security obligations.
Geofence audit. RCW 19.373.080 prohibits any virtual boundary within 2,000 feet of an in-person healthcare facility used to identify consumers seeking health services, collect consumer health data, or send notifications. AI symptom checkers that integrate with location-based "find a clinic nearby" features need to verify that no ad-platform or analytics SDK is implementing a sub-2,000-foot geofence.
Specific gaps I look for in symptom-checker reviews
- Privacy policy is one combined document, not a standalone Consumer Health Data Privacy Policy.
- Consent is one acceptance, not two; the sharing consent is missing or bundled with the terms of service.
- The API contract with the model provider is the default web-page terms, not a written DPA tuned to consumer health data.
- The vendor's default contract allows the vendor to use submitted prompts for model improvement, and the user is never given a chance to opt out at the application level.
- Analytics SDKs (Mixpanel, Amplitude, GA4) observe prompt text in event payloads.
- "Find a clinic" or "find a doctor" features use a third-party ad-platform geofence whose radius is not audited.
What the per se CPA bridge does to symptom-checker exposure
RCW 19.373.090 converts any MHMDA violation into a per se Washington Consumer Protection Act violation. A Washington consumer who can show a violation does not need to plead public-interest impact under the Hangman Ridge framework; .090 declares it. The remedy is actual damages, discretionary treble damages capped at $25,000 on the enhancement, and one-way attorney's fees to a prevailing plaintiff. The four-year SOL under RCW 19.86.120 applies. A symptom checker that handles thousands of Washington prompts a week with a non-compliant policy or consent UX is generating standing day after day.
Sergei's practical note
If you run an AI symptom checker that accepts free-text prompts from consumers, treat MHMDA as applicable until the data inventory disproves it. The conservative path is the standalone Consumer Health Data Privacy Policy plus the two-layer consent UX plus the written processor addendum, deployed before scale, not after the first AG inquiry. Send me the policy URL, two screenshots of the consent flow, and your model-provider contract. The $240 Written Attorney Consultation is the right starting point; the $499, $900, or $1,500 MHMDA memo tiers follow if the gaps justify it.
Payment
Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The flat fee for the Healthcare SaaS Legal Package is $2,500. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.
Delivery
Drafts in 2 to 3 business days, even for complex agreements. I work weekends when a matter needs it and it is engaged. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.
Process
- Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
- I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
- I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
- We refine. Reasonable revision rounds are included so the final version fits how your product actually works.
Scope
This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.
A flat-fee package for digital health and SaaS founders: HIPAA and BAA posture, Terms of Service and privacy policy, and the consumer-health-data layer that MHMDA adds on top. Reviewed under California license; for Washington court representation I coordinate with Washington-admitted counsel.
See the full Healthcare SaaS legal stack → or email me directly for a scoped quote.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice. Related: MHMDA for AI Health Tools cluster hub; AI mental-health chatbot MHMDA compliance; AI health vendor and processor contracts; AI Health Tool MHMDA Analyzer.