Washington educational resource

Washington MHMDA for Mental Health SaaS: Compliance Outside HIPAA

If you run a therapy app, mood tracker, journaling product, substance-use platform, peer-support community, AI mental health chatbot, or any behavioral health SaaS that touches Washington consumers, Chapter 19.373 RCW probably reaches you, and HIPAA usually does not. Most mental health SaaS sits outside HIPAA entirely because the operator is neither a covered entity nor a business associate. Washington's My Health My Data Act fills the gap and treats mental health status, mood, symptoms, diagnosis, treatment-seeking, journal entries, and inferences as consumer health data. A violation is a per se Consumer Protection Act violation under RCW 19.373.090. This hub walks the live compliance surface for behavioral health products.

Last legally reviewed: 2026-05-19. Citations verified against Chapter 19.373 RCW. For the general MHMDA framework, see my Washington MHMDA hub. For scope triage, see the MHMDA Scope Analyzer; for a mental health SaaS specific gap check, see the Mental Health SaaS MHMDA Gap Checker.

AI Legal Analyst

Ask my AI Legal Analyst about MHMDA for mental health SaaS?

Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step. Answers cover why this is the highest-risk category, the third-party SDK trap, and the compliance stack.

Common mental health SaaS questions, always free

My app is not HIPAA-covered, am I in the clear? Are my analytics and AI-API calls sharing events? Do I need a separate consumer health data privacy policy? Is one "I agree" checkbox enough for consent? How real does my deletion workflow have to be? What happens if I get this wrong?

Loading the AI Legal Analyst...

Key terms?

The mental health SaaS compliance surface turns on a handful of defined terms. Tap a card to flip it.

Consumer health dataMental health is named expresslyTap for detail

Defined at RCW 19.373.010 as personal information linked or reasonably linkable to a consumer that identifies past, present, or future physical or mental health status, including inferences. Reaches mood logs, journal entries, assessment results, crisis-language flags, and any AI inference drawn from non-clinical inputs.

Standalone policyNot bundled into the general policyTap for detail

Separate Consumer Health Data Privacy Policy under RCW 19.373.020. Standalone document, prominently linked from the homepage, distinct from the general privacy policy. Bundling MHMDA disclosures into a general privacy policy is the single most common failure pattern.

Two-layer consentOne checkbox is insufficientTap for detail

Under RCW 19.373.030: affirmative consent for collection plus a separate, distinct consent for sharing, unbundled from general terms acceptance. A single "I agree to the privacy policy" checkbox is insufficient.

MHMDA processor contractsA standard DPA usually needs an addendumTap for detail

Under RCW 19.373.060: binding instructions, scoped permitted purposes, reasonable-assistance obligation. Standard GDPR DPAs and CCPA service-provider agreements usually need a Washington addendum. A processor that strays outside instructions converts into a regulated entity for the data at issue.

Per se CPANo Hangman Ridge public-interest proofTap for detail

The per se CPA bridge in RCW 19.373.090 means a plaintiff does not have to prove public-interest impact under Hangman Ridge; a private right of action with discretionary trebling capped at $25,000 and one-way fees attaches automatically.

MHMDA defines consumer health data at RCW 19.373.010 as personal information linked or reasonably linkable to a consumer that identifies past, present, or future physical or mental health status, including inferences. Mental health is named expressly. The definition reaches the obvious categories (diagnosis, treatment, symptoms, medication) and also reaches the inputs and outputs of most mental health SaaS products: mood logs, journal entries, sleep and stress markers, PHQ-9 / GAD-7 / PCL-5 questionnaire results, crisis-language flags, and any AI inference drawn from non-clinical inputs.

Three reasons this category carries more exposure than ordinary wellness SaaS. First, most mental health products explicitly invite users to disclose mental health status, which removes any "we never collect health data" argument. Second, third-party SDKs (analytics, session replay, attribution pixels, CRM, AI APIs, customer support tooling) commonly receive content that is consumer health data, which converts marketing pixels and AI-API calls into MHMDA sharing events. Third, the per se CPA bridge in RCW 19.373.090 means a plaintiff does not have to prove public-interest impact under Hangman Ridge; a private right of action with discretionary trebling capped at $25,000 and one-way fees attaches automatically.

HIPAA reaches covered entities (health plans, healthcare clearinghouses, healthcare providers transmitting health information electronically in HIPAA transactions) and their business associates. A consumer-facing mental health SaaS without a provider relationship is usually neither. Direct-to-consumer therapy chatbots, journaling apps, mood trackers, peer-support apps, and AI mental health assistants typically sit outside HIPAA. The exemption at RCW 19.373.100 is data-specific, not entity-blanket: even an app that has some HIPAA-covered relationships still owes MHMDA duties on any consumer health data that is not PHI in a covered transaction.

For a side-by-side analysis of overlap, exemptions, and the practical posture for hybrid products, see my HIPAA vs MHMDA for Mental Health SaaS.

Separate Consumer Health Data Privacy Policy under RCW 19.373.020. Standalone document, prominently linked from the homepage, distinct from the general privacy policy. Five substantive disclosures including the specific affiliates list. Bundling MHMDA disclosures into a general privacy policy is the single most common failure pattern.
Two-layer consent under RCW 19.373.030. Affirmative consent for collection plus a separate, distinct consent for sharing. Unbundled from general terms acceptance. A single "I agree to the privacy policy" checkbox is insufficient.
Operational rights and deletion workflow under RCW 19.373.040. Confirmation, access with third-party recipient list, withdrawal, deletion (including downstream notification to processors and third parties), and an appeal process with a written decision within 45 days. This must be operational, not just policy text. A deletion request that cannot actually be executed against the AI vector store, the analytics warehouse, and the CRM is a violation in practice.
Reasonable-care security under RCW 19.373.050. Restrict access to only the employees, processors, and contractors for whom access is necessary to further consented purposes. Administrative, technical, and physical controls at or above industry baseline.
MHMDA-compliant processor contracts under RCW 19.373.060. Binding instructions, scoped permitted purposes, reasonable-assistance obligation. Standard GDPR DPAs and CCPA service-provider agreements usually need a Washington addendum. A processor that strays outside instructions converts into a regulated entity for the data at issue.
Geofence prohibition under RCW 19.373.080. Flat prohibition on geofencing within 2,000 feet of an in-person healthcare facility for identifying or tracking consumers, collecting health data, or sending notifications. Behavioral health products with location-based ads or push triggers should audit ad-platform configurations against psychiatric facility, treatment center, and methadone clinic addresses.
Per se CPA bridge under RCW 19.373.090. Any violation is automatically a Washington Consumer Protection Act violation. Public-interest prong is given by declaration; plaintiff still pleads injury and causation.

The third-party SDK trap. Most consumer-facing mental health apps load analytics, attribution, session replay, ad pixels, AI APIs, and customer support widgets that receive content from the screen. When that content is journal entries, mood logs, chat messages, or symptom inputs, every SDK call is a sharing event subject to RCW 19.373.030. The fix is a documented vendor map, MHMDA processor contracts under RCW 19.373.060, and either (a) shut off the data flow to the vendor, (b) collect a separate sharing consent for that specific vendor with a stated purpose, or (c) treat the vendor as a regulated entity for the data at issue. AI features that send free-text mental health content to a third-party model API are the most common gap I see.

The exposure profile differs by sub-category. I keep an issue page for each so the gap analysis stays specific to your product.

Therapy app MHMDA compliance: licensed-provider directories, asynchronous messaging, video sessions, and the HIPAA-MHMDA overlap analysis for hybrid models.
Mood tracker MHMDA compliance: mood logs, sleep / stress markers, inference engines, and PHQ-9 style assessments outside any clinical relationship.
Journaling app MHMDA compliance: free-text journal entries as the highest-sensitivity input category, AI summarization risk, and processor mapping for AI features.
Substance use app MHMDA compliance: sobriety trackers, recovery community apps, and the 42 CFR Part 2 carve-out at RCW 19.373.100.
Mental health AI chatbot privacy: AI model APIs, training-data posture, retention windows, crisis-flag transmission, and the licensed-professional branding line.
Behavioral health SaaS privacy review: B2B and clinical-provider-facing products, provider portals, and HIPAA business associate analysis layered on MHMDA.
HIPAA vs MHMDA for mental health SaaS: side-by-side coverage, exemption mechanics, and the practical posture for hybrid products.
Does HIPAA apply to my startup: the covered-entity vs business-associate vs neither decision tree, and what governs your data when HIPAA does not.
Senior-living and sensor-tech privacy: HIPAA status across care settings plus passive sensor data through a hardware cloud API.
Minimum legal scope for a pilot: the short consent, disclaimer, and privacy-notice set to run a small or free pilot before launch.

Sergei's practical note

The mental health SaaS category is where MHMDA actually changes behavior in practice. The product invites the user to disclose mental health status; the platform integrates with analytics, attribution, an AI model API, a CRM, and a support widget; and almost none of it has been mapped against the Washington statute. The fix is not aspirational policy text. It is a vendor map, MHMDA-compliant processor contracts under RCW 19.373.060, an operational deletion workflow that actually reaches the AI vector store and the analytics warehouse, a separate Consumer Health Data Privacy Policy under RCW 19.373.020, and two-layer consent at signup. I review mental health SaaS products under California license. This is regulatory advisory work, not Washington representation.

Current privacy policy URL plus a date-stamped capture; the consumer-health-data policy if you publish one separately.
Homepage screenshot on desktop and mobile showing the policy link.
Consent UX screenshots: signup, in-app consent banners, sharing toggles, AI-feature disclosures, withdrawal mechanism.
Data inventory of consumer health data categories (mood logs, journal entries, assessment results, chat content, inferred categories).
Vendor map: analytics, session replay, attribution, ad pixels, CRM, AI model APIs, support widgets, cloud processors, sub-processors, plus current DPA template.
HIPAA posture: are you a covered entity, a business associate, or neither, and which data fields if any sit inside a HIPAA-covered relationship.
Brief product description: what the product does, what data it collects, which Washington users it touches, what AI features it ships.

What I review and what the tiers cover

The work splits into a scope memo, a memo plus processor and consent fixes, and a memo plus a drafted Consumer Health Data Privacy Policy. For behavioral health products with multiple integrations, the SaaS bundle includes the vendor map, processor language, the policy, and the consent flow under California license. For the larger SaaS bundle, email me for current availability and scope confirmation.

Payment

Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The flat fee for the Healthcare SaaS Legal Package is $2,500. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.

Delivery

Drafts in 2 to 3 business days, even for complex agreements. I work weekends when a matter needs it and it is engaged. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.

Process

Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
We refine. Reasonable revision rounds are included so the final version fits how your product actually works.

Scope

This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.

Need this handled end to end? The $2,500 Healthcare SaaS Legal Package

A flat-fee package for digital health and SaaS founders: HIPAA and BAA posture, Terms of Service and privacy policy, and the consumer-health-data layer that MHMDA adds on top. Reviewed under California license; for Washington court representation I coordinate with Washington-admitted counsel.

Request this package · $2,500

See the full Healthcare SaaS legal stack → or email me directly for a scoped quote.

Statutory sources retrieved 2026-05-19 from app.leg.wa.gov: RCW 19.373.010, .020, .030, .040, .050, .060, .080, .090, .100.

Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice. A Washington-admitted attorney should verify operative statute text before relying on it in a live matter.