Washington MHMDA for Wellness Apps: Why "Not HIPAA" Is Not a Safe Harbor
If your wellness app collects steps, mood notes, sleep stages, calorie logs, cycle dates, weight trends, meditation history, or anything an algorithm can use to infer something about a user's body or mind, you are probably outside HIPAA. That tells you nothing about your exposure to Chapter 19.373 RCW, the Washington My Health My Data Act. MHMDA was written for exactly this gap. It reaches consumer-facing wellness products, fitness trackers, mental-health-adjacent tools, sleep apps, period and fertility trackers, nutrition coaching, and AI tools that infer health from non-medical signals. The statute attaches private-right-of-action liability through a per se Consumer Protection Act hook in RCW 19.373.090, with treble damages capped at $25,000 on the enhancement and one-way attorney's fees. Wellness operators tend to underprice this risk because the team has been told "we are not HIPAA-covered." That is true, and irrelevant.
Fast triage: does MHMDA reach your wellness app?
The reach test under RCW 19.373.010 is broader than most wellness operators expect. A Washington office is not required. A Washington customer base is not required. What is required is one of two predicates plus a controller role.
- Do you conduct business in Washington, OR do you target products or services to Washington consumers? A consumer wellness app in the iOS App Store and Google Play, geographically unrestricted, marketed to a national US audience, is targeting Washington consumers.
- Do you (alone or jointly) determine the purposes and means of processing consumer health data? If you set what data is collected, what it is used for, and where it goes, you are a controller.
- Does any data plausibly count as "consumer health data" under RCW 19.373.010? Wellness apps almost always say yes: physical or mental health status, biometric data, reproductive or sexual health, gender-affirming care, precise location near healthcare, or any inference that puts a consumer in a health-related category.
- Do you have a SEPARATE Consumer Health Data Privacy Policy, prominently linked from your homepage? A general privacy policy with an "MHMDA section" does not satisfy RCW 19.373.020.
- Did you collect a separate consent for sharing on top of the collection consent under RCW 19.373.030? A single bundled acceptance of "Terms and Privacy" is not enough.
If you cannot answer cleanly on any of these, your wellness app probably has a documented MHMDA gap.
What counts as "consumer health data" for a wellness app
The definition at RCW 19.373.010 covers personal information linked or reasonably linkable to a consumer that identifies the consumer's past, present, or future physical or mental health status. The statute lists categories including biometric data, reproductive or sexual health information, gender-affirming care information, precise location that could reasonably indicate an attempt to acquire health services, and, crucially, inferences derived from non-health information that are used to associate or identify a consumer with these categories. For a wellness app this almost always sweeps in:
- Step counts, heart rate, sleep stages, workout history (fitness and wellness signals).
- Mood logs, journaling content, anxiety check-ins, stress scores (mental-health signals).
- Cycle dates, ovulation predictions, pregnancy status, fertility goals (reproductive health).
- Calorie logs, macro targets, weight trends, body measurements (nutrition and weight-management).
- Symptom check-ins, medication reminders, supplement logs (health-condition signals).
- AI-generated inferences (a coaching recommendation, a "burnout risk" score, a "this user is likely pre-diabetic" tag) drawn from any of the above.
Inferences are the prong wellness operators miss most often. Even if the raw inputs look like "lifestyle data," the moment a model categorizes a user into a health bucket, the output is consumer health data.
The four compliance hooks that decide most wellness-app matters
Most MHMDA gaps cluster around four sections. If you only have time to fix four things, fix these.
1. Separate Consumer Health Data Privacy Policy with a homepage link (RCW 19.373.020). This is a standalone document, not a section of a general privacy policy. It must disclose the categories of consumer health data collected, the purposes, the sources, the categories shared, the specific affiliates and categories of third parties, and the rights-exercise mechanism. It must be prominently linked from the homepage in a way that survives mobile collapse. A footer link buried under a hamburger menu often fails the "prominent" test.
2. Two-layer consent for collection and sharing (RCW 19.373.030). Collection requires consent for a specified purpose (or service-necessity). Sharing requires a SEPARATE consent distinct from the collection consent. A bundled "I agree to Terms and Privacy" checkbox at signup does not satisfy the sharing prong. The authorization request must disclose data categories, purpose and usage methods, receiving entities, and withdrawal mechanism. Generic CCPA flows fail here.
3. Consumer rights mechanics (RCW 19.373.040). The rights are access, deletion, withdrawal of consent, and an appeal path. The response window is 45 days, plus one 45-day extension. Deletion from archives or backups may be delayed up to six months. The app needs an actual operational pipeline for these requests, not a "contact us" email that quietly goes nowhere.
4. Processor contracts (RCW 19.373.060). Every vendor that touches consumer health data (your analytics SDK, your push notification provider, your AI inference vendor, your customer-support tool, your ad attribution platform) needs a binding processor contract that limits processing to documented instructions. MHMDA processor contracts are not interchangeable with GDPR DPAs or CCPA service-provider agreements. A processor that strays outside instructions becomes a regulated entity for the data at issue.
The per se Consumer Protection Act hook (RCW 19.373.090)
This is the section that should focus every wellness operator's mind. RCW 19.373.090 declares that the practices covered by MHMDA vitally affect the public interest and that a violation is per se an unfair or deceptive act under Chapter 19.86 RCW. The Washington CPA's five-element Hangman Ridge framework is essentially handed to the plaintiff: public interest is declared, unfair-or-deceptive is declared, and the plaintiff need only plead injury and causation. Treble damages capped at $25,000 on the enhancement and one-way attorney's fees follow under RCW 19.86.090. The statute of limitations is four years under RCW 19.86.120. A private plaintiff does not need to wait for the Washington Attorney General to act.
Translated for product strategy: a single Washington user who downloads your wellness app, agrees to a bundled terms-and-privacy checkbox, and later sees that their mood-tracker data was shared with a Meta ad pixel has a candidate complaint with the public-interest and deceptive-act elements pre-supplied. That is a different risk profile than a generic privacy claim.
What I review when you send me a wellness-app MHMDA matter
For a wellness operator, my standard scope memo covers the documents and flows below. I read the actual product against the actual statute, not a generic privacy checklist.
- Current privacy policy URL plus a date-stamped capture. Is there a separate Consumer Health Data Privacy Policy at all?
- Homepage screenshot showing the policy link on desktop and mobile after any hamburger collapse.
- Consent UX screenshots: signup flow, consent banner, sharing toggles, and any withdrawal mechanism.
- Data inventory: what categories the app collects, what it infers, where it stores, what it shares, and what it sells.
- Processor and sub-processor list, plus the current DPA template.
- Adtech and analytics audit: Meta pixel, TikTok pixel, Google Analytics, AppsFlyer, Amplitude, Mixpanel, Branch, Segment, plus any AI inference vendor (OpenAI, Anthropic, an ML platform).
- Any Washington Attorney General inquiry letter (if one has arrived).
Service tiers for wellness operators
The deliverables and price points below cover the most common engagements. Send the documents and I will recommend the right tier.
- $125 written email evaluation. Two-business-day turnaround, upload up to 30 pages, no call required. The right starting point if you want a written attorney read before committing to a full scope memo.
- $499 MHMDA scope memo. Written determination of whether MHMDA applies to your product, the top compliance gaps, and the recommended next step. Five-business-day turnaround.
- $900 MHMDA review with DPA and vendor-contract language. Scope memo plus the processor-contract language you need with your analytics, adtech, and AI vendors. Five-business-day turnaround.
- $1,500 MHMDA compliance package. Scope memo, DPA language, and a drafted standalone Consumer Health Data Privacy Policy. Seven-business-day turnaround.
Sergei's practical note
Wellness operators are the cleanest fit for an MHMDA scope memo. The work is bounded, the statute is narrow enough to read in one sitting, and the separate-policy requirement under RCW 19.373.020 is a discrete compliance gap I can identify in an hour of document review. The hardest call is usually the inference question: a fitness tracker that derives "recovery score" from heart rate variability is generating consumer health data even if the inputs feel like "lifestyle." Send the privacy policy, the consent UX screenshots, and a brief product description, and I will tell you whether you are looking at a $499 scope memo or a $1,500 full package. I review under California license; this is regulatory advisory work, not Washington representation.
Related Washington resources
For the full statutory walk-through, see my Washington My Health My Data Act resource. To run a fast self-assessment, use the Wellness App MHMDA Risk Checker, the MHMDA Scope Analyzer, or the MHMDA Privacy Policy Gap Checker. Related verticals in this cluster: fitness apps, nutrition apps, sleep tracking, period tracking, health coaching, meditation, and weight loss.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice. A Washington-admitted attorney should verify operative statute text and any case citations before relying on them in a live matter.