Washington Journaling App MHMDA Compliance: Free-Text Is the Highest-Sensitivity Input
Journaling apps look benign next to clinical mental health products, but under MHMDA the sensitivity is higher because the user is invited to disclose mental health status in free-text form. A journal entry that names a diagnosis, references medication, describes treatment-seeking, mentions a therapist, or describes symptoms is consumer health data under RCW 19.373.010. Any AI feature that summarizes, classifies, or extracts sentiment from journal entries generates additional consumer health data through inference. If the product touches Washington consumers and the operator determines the purposes and means of processing, MHMDA applies and HIPAA almost never reaches the product.
Ask my AI Legal Analyst about Washington consumer health data and MHMDA?
Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step.
Common Washington consumer-health-data questions, always free
Why free-text journal entries carry more risk than structured logs
- The user disclosure is unfiltered: diagnoses, medications, providers by name, suicidal ideation, substance use, trauma history, sexual orientation, reproductive health, immigration status, custody disputes.
- The data is high-volume per user: a 2-minute journal entry contains more identifying mental health detail than ten PHQ-9 scores.
- AI features become processor relationships: a "summarize my week" or "find patterns" feature sends the full journal text to a model API. Every API call is a sharing event under RCW 19.373.030 unless the consent and processor posture are MHMDA-compliant.
- Search and export features create downstream copies: the journal is now in the analytics index, the AI vector store, and possibly the customer-support tool, all subject to MHMDA deletion under RCW 19.373.040.
- Crash logs and session replay can include journal content. Most session replay vendors offer masking, but the masking has to be configured per field and verified.
What MHMDA requires for a journaling app
- Separate Consumer Health Data Privacy Policy under RCW 19.373.020 that addresses free-text journal content, AI summarization, sentiment analysis, and any inference outputs.
- Two-layer consent at signup under RCW 19.373.030: collection (journal storage) plus a separate sharing consent for AI features, analytics, attribution, and CRM. AI feature consent should be granular per feature.
- Operational deletion under RCW 19.373.040 that runs against the journal store, search index, AI vector store, AI fine-tune datasets, analytics warehouse, CRM, support tool, and backups.
- Reasonable-care security under RCW 19.373.050, with encryption at rest as a practical baseline for journal content and access restrictions on engineering and support team views.
- MHMDA-compliant processor contracts under RCW 19.373.060 with every AI provider and every SDK vendor that receives journal content or derived inferences.
- Training-data posture: a clear policy that journal content is not used to train external models without separate opt-in consent. The "we may use customer data to improve our services" language in standard SaaS terms does not satisfy MHMDA.
- Sale-of-data authorization under RCW 19.373.070 if journal-derived insights are sold or licensed. All nine elements required.
What to send for a written review
- Current privacy policy, Consumer Health Data Privacy Policy if separate, terms of service, and any AI feature description on the marketing site.
- Signup and consent screens, AI feature opt-in screens, and the homepage link to the policy on desktop and mobile.
- AI architecture: which model provider, hosted vs API, retention, training-data posture, vector store posture, fine-tune posture.
- Vendor map: analytics, attribution, session replay, ad pixels, CRM, AI APIs, support tooling, cloud processors, sub-processors.
- Current DPA templates and any Washington addendum already in place.
- Deletion workflow: which systems are reached, whether deletion is verified, retention windows for backups.
Sergei's practical note
Journaling apps are where the AI processor question gets pointed. Most operators have a model-provider DPA that satisfies GDPR but does not satisfy MHMDA's binding-instructions and reasonable-assistance language under RCW 19.373.060. The fix is either a Washington addendum on top of the existing DPA, a switch to a self-hosted model, or a geographic gate. None of those are hard to implement, but they need to be documented and aligned with the consent flow and the privacy policy. I review under California license. This is regulatory advisory work, not Washington representation.
Payment
Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The flat fee for the Healthcare SaaS Legal Package is $2,500. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.
Delivery
Drafts in 2 to 3 business days, even for complex agreements. I work weekends when a matter needs it and it is engaged. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.
Process
- Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
- I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
- I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
- We refine. Reasonable revision rounds are included so the final version fits how your product actually works.
Scope
This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.
Related: Mental Health SaaS MHMDA hub; Mental Health AI Chatbot Privacy; Mental Health SaaS MHMDA Gap Checker.
A flat-fee package for digital health and SaaS founders: HIPAA and BAA posture, Terms of Service and privacy policy, and the consumer-health-data layer that MHMDA adds on top. Reviewed under California license; for Washington court representation I coordinate with Washington-admitted counsel.
See the full Healthcare SaaS legal stack → or email me directly for a scoped quote.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing here creates an attorney-client relationship or is Washington legal advice.