Washington educational resource

Washington data breach law vs. My Health My Data Act: side-by-side comparison of two different statutes

Operators frequently confuse Chapter 19.255 RCW (Washington's general data breach notification statute, applicable to "personal information" of Washington residents) with Chapter 19.373 RCW (the My Health My Data Act, applicable to "consumer health data" of Washington consumers). They are not the same statute, they do not have the same trigger, they do not have the same content requirements, and they do not have the same enforcement posture. An operator that processes both general personal information and consumer health data is subject to both, in parallel, and a breach can implicate both at once. This page is a side-by-side comparison aimed at operators trying to figure out which statute is in play and what to do when both are.

AI Legal Analyst

Ask my AI Legal Analyst about Washington consumer health data and MHMDA?

Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step.

Common Washington consumer-health-data questions, always free

Does Washington MHMDA even apply to my product? I am not HIPAA-covered, am I in the clear? Are my analytics and AI-API calls sharing events? Do I need a separate consumer health data privacy policy? Is one "I agree" checkbox enough for consent? What happens if I get this wrong?

Loading the AI Legal Analyst...

Last legally reviewed: 2026-05-19. Statute text retrieved from Chapter 19.255 RCW and Chapter 19.373 RCW on app.leg.wa.gov on that date.

Scope

Ch. 19.255 (data breach). Applies to any person or business that owns or licenses computerized "personal information" of Washington residents. "Personal information" is defined at RCW 19.255.010 as first name or first initial and last name combined with a listed identifier (SSN, driver's license, account+code, full date of birth, biometric, login credentials, others).

Ch. 19.373 (MHMDA). Applies to "regulated entities" that conduct business in Washington or produce or provide products or services targeted to Washington consumers AND alone or jointly determine the purposes and means of collecting, processing, sharing, or selling "consumer health data." "Consumer health data" is defined very broadly at RCW 19.373.010 and includes biometric identifiers, mental-health and reproductive-health inferences, fitness or wellness data, and precise location near healthcare facilities.

Trigger

Ch. 19.255. Trigger is an unauthorized acquisition of computerized personal information. The encryption safe harbor at RCW 19.255.010 applies when the data was encrypted and the decryption key was not also acquired.

Ch. 19.373. Trigger is not a breach event but the ongoing collection, processing, sharing, or selling of consumer health data. Obligations attach at intake, not at incident. A separate Consumer Health Data Privacy Policy linked from the homepage is required under RCW 19.373.020.

Consumer-facing obligations

Ch. 19.255. Consumer notice no more than thirty calendar days after discovery (subject to law-enforcement delay and time to determine scope) with statutory content (categories acquired, time frame, contact information, recommended protection steps, FTC and CRA contact information).

Ch. 19.373. Standing consumer rights: access, deletion, withdrawal of consent. Specific consent requirements for collection and sharing under RCW 19.373.030. Separate authorization for sale under RCW 19.373.030. Geofence around in-person healthcare facilities prohibited under RCW 19.373.080.

Regulator notice

Ch. 19.255. AG notice within thirty days of discovery if a single breach affects more than five hundred Washington residents (RCW 19.255.010).

Ch. 19.373. No single AG-notice-on-incident trigger of the same kind. The AG enforces the statute generally. Regulator notice obligations are situation-specific.

Enforcement

Ch. 19.255. The consumer protection section is at RCW 19.255.040. The Attorney General has CPA-style enforcement authority under the public-interest and unfair-or-deceptive framework, and an injured consumer may bring a civil action for damages and injunctive relief. The statute itself says, however, that an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090. The full Chapter 19.86 remedy stack (treble damages capped at twenty-five thousand dollars per RCW 19.86.020 violation, one-way attorney's fees) does not automatically attach to a Chapter 19.255 claim; a separate Chapter 19.86 CPA claim may still be available where the facts independently satisfy the CPA elements. (Note: RCW 19.255.030 is a different provision addressing federal-law, HIPAA covered entity, and Gramm-Leach-Bliley financial-institution treatment, not the consumer enforcement section.)

Ch. 19.373. Per se Consumer Protection Act violation under RCW 19.373.090. This is the substantive enforcement difference from Chapter 19.255: MHMDA expressly creates per se CPA liability, with private right of action and AG enforcement both available under the Chapter 19.86 remedy stack, while Chapter 19.255 itself precludes routing the breach-notification claim through RCW 19.86.090.

Statute of limitations

Both reach the four-year CPA SOL through different routes. Ch. 19.373's per se CPA hook brings Chapter 19.86's four-year limitations period under RCW 19.86.120 straight in. Ch. 19.255 reaches the same four-year period only for any independently pleaded Chapter 19.86 claim, because the Chapter 19.255 enforcement section itself blocks RCW 19.86.090 routing.

When both apply at once

Operators that hold both general personal information (SSN, driver's license, account numbers) and consumer health data (biometric, mental health, fitness, location near healthcare facilities) face both statutes in parallel. A breach involving health data triggers Ch. 19.255 if the data falls within the personal-information definition, and Ch. 19.373 separately because the operator's ongoing handling of consumer health data is regulated regardless of incident. The compliance posture has to satisfy both. The breach response has to satisfy Ch. 19.255 for the notification piece and Ch. 19.373 for the consumer-rights and authorization piece. In a contested matter, plaintiffs and the AG are likely to plead both.

Why this matters in practice

The mistake I see most often is an operator with a fitness app treating Ch. 19.255 as the only relevant statute, building a breach response plan calibrated to it, and missing the Ch. 19.373 compliance baseline entirely. Or the reverse: an MHMDA-aware operator that has built a polished consumer-health-data policy but never built the breach-notification runbook because the only privacy statute on their radar is MHMDA. The two statutes complement each other. If an operator holds the categories of data both statutes reach, both apply, and the operator's posture has to address each separately rather than collapsing them.

What I review when you send a Washington matter that may touch both

When you send the data inventory, the consumer notices in scope, the current privacy policy and (if applicable) the separate Consumer Health Data Privacy Policy, and the incident timeline (if any), I walk Ch. 19.255 and Ch. 19.373 in parallel and tell you which statute is in play, where the compliance gaps are on each, and what the recommended next step looks like. The output is a written evaluation, not a sales pitch.

Payment

Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The Written Attorney Consultation is a flat $240. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.

Delivery

Drafts in 2 to 3 business days, even for complex agreements. I work weekends when a matter needs it and it is engaged. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.

Process

Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
We refine. Reasonable revision rounds are included so the final version fits how your product actually works.

Scope

This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.

Want a written attorney read on your situation? The $240 Written Attorney Consultation

Send your question, a short factual summary, and your key documents. You get a written attorney response identifying the main legal issues, the risks, and the practical next steps, so you know whether you have a real exposure and what to do about it. Provided under my California license; for Washington court representation I coordinate with Washington-admitted counsel.

Request this consultation · $240

See the full Washington MHMDA resource → or email me directly for a scoped quote.

Primary sources

RCW 19.255.010: data breach definitions and notice obligations.
RCW 19.255.030: federal-law / HIPAA covered entities and Gramm-Leach-Bliley financial institutions.
RCW 19.255.040: consumer protection section. AG CPA-style enforcement plus consumer civil action for damages and injunctive relief. Statute itself precludes action to enforce Chapter 19.255 from being brought under RCW 19.86.090.
RCW 19.373.010: MHMDA definitions, including consumer health data and regulated entity.
RCW 19.373.020: separate Consumer Health Data Privacy Policy.
RCW 19.373.030: consent and sale-or-share authorization.
RCW 19.373.080: geofence prohibition near healthcare facilities.
RCW 19.373.090: per se CPA hook.

This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar.