Washington MHMDA for Fitness Apps: Steps, Heart Rate, and Workout Data Are Consumer Health Data
Fitness app teams typically think of step counts, heart rate, sleep stages, and workout logs as "lifestyle" data. The Washington My Health My Data Act does not. Chapter 19.373 RCW reaches any personal information reasonably linkable to a consumer that identifies past, present, or future physical or mental health status, and the statute extends the same treatment to model-derived inferences. The recovery score your training algorithm spits out, the "elevated resting heart rate" flag your watch surfaces, the "low cardio fitness" tag your onboarding model assigns, all of that is consumer health data under RCW 19.373.010. The fact that your team would never call it "medical" does not change the analysis.
Why "fitness data is not medical data" is the wrong frame
The consumer-health-data definition under RCW 19.373.010 reaches inferences derived from non-health information that are used to associate or identify a consumer with a health-related category. That is the prong fitness apps miss. A raw step count is borderline; a "this user is sedentary and at cardiovascular risk" inference is clearly inside the statute. The same logic applies to:
- Heart rate variability turned into a recovery or readiness score.
- Sleep stages turned into a "sleep debt" or "fatigue" score.
- VO2max estimate, cardio fitness band, or training load metric.
- Period or cycle prediction from non-cycle inputs (workout consistency, sleep, weight).
- "Injury risk" or "overtraining risk" tags surfaced in the app.
- Demographic-plus-activity inferences that flag "pre-diabetic risk" or similar.
If your model takes raw fitness signal and outputs anything that categorizes the user's body or health state, the output is consumer health data even if the input was not.
The four MHMDA hooks that decide most fitness-app matters
1. Separate Consumer Health Data Privacy Policy under RCW 19.373.020. Fitness apps are the worst offenders here in my review experience. The team writes one long "Privacy Policy" covering everything including health data, and assumes a section on health data is enough. It is not. The statute requires a separate standalone document with five enumerated disclosures: the categories of consumer health data collected and the purposes (including how the data will be used), the categories of sources, the categories of consumer health data shared, the list of specific affiliates and categories of third parties it is shared with, and how the consumer exercises their rights. The link must be prominently published on the homepage. A footer link that disappears behind a collapsed hamburger menu on mobile is often inadequate.
2. Two-layer consent under RCW 19.373.030. Collection consent and sharing consent are separate. A signup that says "I agree to the Terms of Service and Privacy Policy" obtains neither consent under MHMDA. The collection consent must specify the purpose. The sharing consent must be separate and distinct from the collection consent and must disclose the data categories, the purpose and specific ways the data will be used, the categories of entities receiving it, and the withdrawal mechanism. Most fitness apps fail the sharing prong because they treat their analytics SDK, advertising attribution platform, and AI inference vendor as part of the bundled "operating the service" disclosure.
3. Adtech and analytics audit under RCW 19.373.060 and RCW 19.373.070. If you send workout data, heart rate, or any derived inference to Meta, TikTok, Google Ads, AppsFlyer, Branch, Amplitude, Mixpanel, or a similar platform without a binding processor contract that limits processing to documented instructions, you have a processor problem. If that vendor uses the data for its own purposes (training its own model, ad targeting beyond your campaigns), you have a candidate "sale" under the broad definition in RCW 19.373.010, which requires the nine-element written authorization under RCW 19.373.070. The authorization is one year, revocable, and invalid if missing any element.
4. Geofence prohibition under RCW 19.373.080. Fitness apps with location features should map their ad-campaign geofences against the 2,000-foot perimeter around any in-person healthcare facility. The statute is a categorical ban: it is unlawful to implement a geofence around an entity that provides in-person health care services to identify or track consumers, collect consumer health data, or send notifications, messages, or advertisements related to health care. Consent does not cure the violation.
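To make the geofence mapping in item 4 concrete, here is an added example (my code, not part of the original page or any statute): it takes a list of ad-campaign geofences and a list of in-person healthcare facilities and flags every campaign circle whose nearest edge falls within the 2,000-foot zone around a facility. It assumes facilities can be modeled as a single coordinate, which understates the statutory measure (distance from the facility's perimeter), so the `margin_ft` parameter adds a safety buffer for that modeling error. The campaign and facility coordinates are constructed sample data, laid out along one meridian so the distances are easy to check by hand.

```python
import math

FEET_PER_METER = 3.280839895
EARTH_RADIUS_M = 6_371_000.0
STATUTORY_ZONE_FT = 2_000.0   # the 2,000-foot zone discussed above


def haversine_ft(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points, in feet (WGS84 assumed)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_METER


def flagged_geofences(campaigns, facilities, margin_ft: float = 0.0):
    """Return one finding per (campaign, facility) pair that needs review.

    campaigns:  iterable of dicts {id, lat, lon, radius_ft} (campaign circle)
    facilities: iterable of dicts {name, lat, lon}          (facility as a point)
    margin_ft:  extra buffer because a point understates the facility perimeter

    gap_ft is the distance from the facility point to the nearest edge of the
    campaign circle; it is negative when the circle contains the facility.
    A campaign is flagged when gap_ft <= STATUTORY_ZONE_FT + margin_ft.
    """
    findings = []
    for c in campaigns:
        for f in facilities:
            center_ft = haversine_ft(c["lat"], c["lon"], f["lat"], f["lon"])
            gap_ft = center_ft - c["radius_ft"]
            if gap_ft <= STATUTORY_ZONE_FT + margin_ft:
                findings.append({"campaign": c["id"], "facility": f["name"],
                                 "gap_ft": round(gap_ft)})
    return findings


# Constructed sample data (not real campaigns or facilities). Each campaign
# sits due north of the facility, so distance = delta_lat * 364,812 ft/degree.
SAMPLE_FACILITIES = [{"name": "clinic-1", "lat": 47.6062, "lon": -122.3321}]
SAMPLE_CAMPAIGNS = [
    {"id": "A", "lat": 47.6092, "lon": -122.3321, "radius_ft": 500},   # ~1,094 ft away, gap ~594
    {"id": "B", "lat": 47.6362, "lon": -122.3321, "radius_ft": 1000},  # ~10,944 ft away, clear
    {"id": "C", "lat": 47.6127, "lon": -122.3321, "radius_ft": 500},   # ~2,372 ft away, gap ~1,872
    {"id": "D", "lat": 47.6137, "lon": -122.3321, "radius_ft": 500},   # ~2,737 ft away, gap ~2,237
]

if __name__ == "__main__":
    for margin in (0.0, 250.0):
        print(f"margin {margin:.0f} ft:",
              flagged_geofences(SAMPLE_CAMPAIGNS, SAMPLE_FACILITIES, margin))
```

With no margin, campaigns A and C are flagged; campaign D, whose edge sits about 2,237 feet from the facility point, is flagged only once a 250-foot margin is applied, which is the kind of near-miss a point-based model hides. Treat any finding as a campaign to remove or redraw, not as a precise legal determination.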
The per se CPA hook for fitness apps
RCW 19.373.090 declares an MHMDA violation a per se Consumer Protection Act violation. For a fitness app with a single Washington user that means a private plaintiff gets actual damages, discretionary treble damages capped at $25,000 on the enhancement, and one-way attorney's fees under RCW 19.86.090, with the public-interest and unfair-or-deceptive elements declared by statute. The plaintiff still pleads injury and causation. The four-year SOL under RCW 19.86.120 applies. This is the highest-leverage state health-privacy statute in the United States, and fitness apps with national footprints are squarely inside it.
What I review when you send me a fitness-app matter
- Current privacy policy URL plus a date-stamped capture, plus the separate Consumer Health Data Privacy Policy if one exists.
- Homepage screenshot showing the policy link on desktop and mobile after any hamburger collapse.
- Signup flow screenshots, consent banner, sharing toggles, and any withdrawal mechanism.
- Data inventory: raw signals (steps, heart rate, location, sleep), derived inferences (recovery, training load, risk scores), and storage/retention.
- SDK list: analytics, attribution, advertising, AI inference, customer support, and any wearable integration.
- Processor and sub-processor list plus current DPA template.
- Any geofence campaign configuration if you advertise location-based offers near gyms, clinics, or pharmacies.
Service tiers
- $240 Written Attorney Consultation. Two-business-day turnaround. Right starting point for a written attorney read.
- $499 MHMDA scope memo. Determination plus top compliance gaps. Five-business-day turnaround.
- $900 MHMDA review with DPA and vendor language. Scope memo plus the processor-contract language you need with analytics, adtech, and AI vendors.
- $1,500 MHMDA compliance package. Scope memo, DPA language, and a drafted standalone Consumer Health Data Privacy Policy.
Sergei's practical note
Fitness apps come to me with the same misconception: "we are not HIPAA-covered, so we are not regulated." HIPAA scope and MHMDA scope are different statutes with different reach. The MHMDA was written for exactly the data your app collects. Send the privacy policy, the signup-flow screenshots, the SDK list, and a brief product description. I will tell you whether the matter looks like a $499 scope memo or a $1,500 full package. Regulatory advisory work under California license; not Washington representation.
Payment
Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The Written Attorney Consultation is a flat $240. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.
Delivery
Drafts in 2 to 3 business days, even for complex agreements. I work weekends when an engaged matter needs it. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.
Process
- Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
- I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
- I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
- We refine. Reasonable revision rounds are included so the final version fits how your product actually works.
Scope
This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.
Related Washington resources
For the full statutory walk-through, see my Washington My Health My Data Act resource. To self-assess, use the Wellness App MHMDA Risk Checker or the MHMDA Scope Analyzer. Adjacent verticals: wellness apps, sleep tracking, period tracking, and weight loss.
Send your question, a short factual summary, and your key documents. You get a written attorney response identifying the main legal issues, the risks, and the practical next steps, so you know whether you have a real exposure and what to do about it. Provided under my California license; for Washington court representation I coordinate with Washington-admitted counsel.
See the full Washington MHMDA resource → or email me directly for a scoped quote.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice. A Washington-admitted attorney should verify operative statute text before relying on it in a live matter.