Washington My Health My Data Act: Consumer Health Privacy Outside HIPAA
If your app, website, SaaS product, or AI tool touches Washington consumers and processes anything that could be construed as consumer health data, the My Health My Data Act in Chapter 19.373 RCW applies, and the cost of getting it wrong is high. MHMDA violations are per se Consumer Protection Act violations: a private plaintiff gets actual damages, discretionary treble damages (with the enhancement capped at $25,000), and one-way attorney's fees, all without separately proving public-interest impact. There is no statutory pre-suit notice requirement. This page walks the live compliance and dispute surface, not the press releases.
Fast triage: does MHMDA reach you?
The Act's reach is broader than most operators assume. Washington's My Health My Data Act can reach out-of-state companies if they conduct business in Washington or target products or services to Washington consumers and determine the purposes and means of collecting, processing, sharing, or selling consumer health data. A Washington office or customer base is not required. "Consumer health data" reaches anything reasonably linkable to a consumer that identifies physical or mental health status, sweeping in wellness apps, fitness trackers, mental-health apps, period and fertility apps, sleep apps, and AI tools that infer health from non-medical signals.
- Do you process data of Washington consumers (by residence, by collection in Washington, or by targeting your product to Washington residents)?
- Does any data plausibly count as "consumer health data" (physical or mental health status, biometric, gender-affirming, reproductive or sexual health, precise location near a healthcare facility, or any inference that puts a consumer in a health-related category)?
- Do you sell consumer health data, share it with third parties, or run a geofence within 2,000 feet of an in-person healthcare facility?
- Do you publish a separate Consumer Health Data Privacy Policy, prominently linked from your homepage, distinct from your general privacy policy?
- Did you obtain affirmative consent for collection and a separate consent for sharing, as RCW 19.373.030 requires?
If any answer is unclear, the matter merits a written review. The Act has been operative against regulated entities since March 31, 2024 and against small businesses since June 30, 2024.
The scope and definition layer (RCW 19.373.005, .010, .020)
The finding at RCW 19.373.005 will drive liberal construction in close cases: "The legislature finds that the people of Washington regard their privacy as a fundamental right and an essential element of their individual freedom." The stated legislative tools include heightened disclosures and consent, deletion rights, a ban on selling consumer health data without valid authorization signed by the consumer, and a ban on geofencing health care facilities.
The definitions at RCW 19.373.010 are bedrock. "Consumer" means a natural person who is (a) a Washington resident or (b) someone whose consumer health data is collected in Washington, acting in an individual or household context rather than an employment context; residence is therefore sufficient but not necessary. "Consumer health data" means personal information linked or reasonably linkable to a consumer that identifies the consumer's past, present, or future physical or mental health status, including inferences. "Regulated entity" means any legal entity that (a) conducts business in Washington or produces or provides products or services targeted to consumers in Washington, and (b) alone or jointly determines the purpose and means of collecting, processing, sharing, or selling consumer health data.
"Small business" means a regulated entity that satisfies one or both of: (a) it collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year, or (b) it derives less than 50 percent of gross revenue from collecting, processing, selling, or sharing consumer health data and handles the consumer health data of fewer than 25,000 consumers. The revenue prong carries its own headcount cap; a data broker with modest health-data revenue but a large consumer count does not qualify under (b). "Sell" means exchange for monetary or other valuable consideration, with carve-outs for mergers, acquisitions, bankruptcies, and processor arrangements. "Geofence" is "a virtual boundary that is 2,000 feet or less from the perimeter of the physical location," using GPS, cell tower, cellular data, RFID, Wifi, or any other spatial or location detection.
Two takeaways. First, jurisdictional reach goes beyond Washington-domiciled companies: a Texas SaaS marketing a sleep app to Washington downloaders may be covered if it targets Washington consumers and determines the purposes and means of collecting, processing, sharing, or selling consumer health data. Second, the definition reaches inferences; an AI model inferring health status from purchasing patterns, search history, or location is generating consumer health data.
RCW 19.373.020 is the privacy policy section and the most overlooked compliance gap: "Except as provided in subsection (2) of this section, beginning March 31, 2024, a regulated entity and a small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses: (i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used; (ii) the categories of sources from which the consumer health data is collected; (iii) the categories of consumer health data that is shared; (iv) a list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and (v) how a consumer can exercise the rights provided in RCW 19.373.040. (b) A regulated entity and a small business shall prominently publish a link to its consumer health data privacy policy on its homepage." Subsections (c)-(d) require affirmative consent before adding categories or new purposes; (e) makes processor contracts inconsistent with the policy a violation.
Consent, sale, and the geofence prohibition (RCW 19.373.030, .060, .070, .080)
RCW 19.373.030 imposes a two-layer consent regime. A regulated entity may not collect consumer health data except with consent for a specified purpose, or where collection is necessary to provide a product or service the consumer requested. It may not share consumer health data except with a separate consent distinct from the collection consent, or where sharing is necessary to provide the requested product or service. The consent request itself must clearly disclose the categories of data, the purpose (including how the data will be used), the categories of entities with whom it will be shared, and how the consumer can withdraw consent; this consent is distinct from the signed sale authorization under RCW 19.373.070. Discrimination against consumers who exercise these rights is prohibited. A unified privacy-policy acceptance is insufficient; two affirmative consents are required. Generic CCPA, CPRA, or Connecticut Data Privacy Act consent flows fail on this point.
RCW 19.373.060 regulates the processor relationship. Operative text: "(1)(a)(i) Except as provided in subsection (2) of this section, beginning March 31, 2024, a processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity or the small business that sets forth the processing instructions and limit the actions the processor may take with respect to the consumer health data it processes on behalf of the regulated entity or the small business. (ii) A processor may process consumer health data only in a manner that is consistent with the binding instructions set forth in the contract with the regulated entity or the small business. (b) A processor shall assist the regulated entity or the small business by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the regulated entity's and the small business's obligations under this chapter. (c) If a processor fails to adhere to the regulated entity's or the small business's instructions or processes consumer health data in a manner that is outside the scope of the processor's contract with the regulated entity or the small business, the processor is considered a regulated entity or a small business with regard to such data and is subject to all the requirements of this chapter with regard to such data. (2) A small business must comply with this section beginning June 30, 2024." MHMDA processor contracts are not interchangeable with GDPR DPAs or CCPA service-provider agreements; a processor that strays outside its instructions converts into a regulated entity for the data at issue and inherits the full chapter, including the consent, policy, and security obligations.
RCW 19.373.070 governs the sale of consumer health data, borrowing the architecture of a HIPAA authorization of disclosure. Beginning March 31, 2024, it is unlawful to sell or offer to sell consumer health data without valid authorization. Required nine elements: (1) specific identification of the data; (2) name and contact details of the seller; (3) name and contact details of the buyer; (4) description of the purpose, including how data will be gathered and used; (5) a statement that "provision of goods or services may not be conditioned on" signing; (6) revocation right and instructions; (7) notice that purchased data may be subject to further redisclosure; (8) expiration one year from signature; and (9) consumer signature and date. The authorization is invalid if expired, missing any element, revoked, combined with other documents, or conditioning service on signing.
RCW 19.373.080 is the geofence prohibition: "It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services." The 2,000-foot perimeter sits in the definition of "geofence" at RCW 19.373.010. Session-law source 2023 c 191 s 10. Unlike RCW 19.373.020 through .070, the geofence section carries no March 31 or June 30, 2024 compliance date; the enacting law took effect July 23, 2023 under the default effective-date rule, so geofencing conduct from that date forward is potentially reachable. Confirm against the session law before building a claim on a conduct date earlier than March 31, 2024.
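The geofence audit the prohibition above implies, and which the operator-side checklist later on this page calls for, reduces to a geometry question: does the edge of an ad-platform fence come within 2,000 feet of a facility's perimeter? The following is an added example written for this page, not the statute's or any ad platform's code. It assumes facilities can be approximated as a point plus a footprint radius and that platform geofences are circles; the clinic coordinates and campaign fences are constructed sample data. It reports candidates for review, not violations, because RCW 19.373.080 turns on what the fence is used for.

```python
"""Geofence audit against the 2,000-foot buffer in RCW 19.373.010 / .080.

Added example (not the page's or any vendor's code). Facilities are
approximated as a point plus a footprint radius; platform geofences are
circles; all coordinates below are constructed sample data.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_008.8
FEET_PER_METER = 3.28084
STATUTORY_BUFFER_FT = 2000.0  # "2,000 feet or less from the perimeter" (RCW 19.373.010)


@dataclass(frozen=True)
class Facility:
    name: str
    lat: float
    lon: float
    footprint_radius_m: float  # stands in for "the perimeter of the physical location"


@dataclass(frozen=True)
class Geofence:
    campaign: str
    lat: float
    lon: float
    radius_m: float  # circle radius as configured on the ad platform


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def gap_feet(fence: Geofence, facility: Facility) -> float:
    """Shortest distance in feet from the fence edge to the facility perimeter.
    Negative means the fence overlaps or fully encloses the facility."""
    centre_to_centre = haversine_m(fence.lat, fence.lon, facility.lat, facility.lon)
    return (centre_to_centre - fence.radius_m - facility.footprint_radius_m) * FEET_PER_METER


def audit(fences, facilities, buffer_ft: float = STATUTORY_BUFFER_FT) -> list[dict]:
    """Every (campaign, facility) pair whose fence edge is within buffer_ft of the
    facility perimeter, nearest first. Candidates for legal review, not findings."""
    hits = []
    for fence in fences:
        for fac in facilities:
            gap = gap_feet(fence, fac)
            if gap <= buffer_ft:
                hits.append({"campaign": fence.campaign, "facility": fac.name,
                             "gap_ft": round(gap, 1)})
    return sorted(hits, key=lambda h: h["gap_ft"])


# Constructed sample data: one clinic and three campaign fences placed due north
# of it on the same longitude, so the distances can be sanity-checked by hand
# (one degree of latitude is roughly 111.2 km).
CLINIC = Facility("Example Clinic", 47.6062, -122.3321, footprint_radius_m=60.0)
SAMPLE_FACILITIES = [CLINIC]
SAMPLE_FENCES = [
    Geofence("spring-promo", 47.6062 + 0.0027, -122.3321, radius_m=150.0),  # ~300 m north
    Geofence("nearby-gym", 47.6062 + 0.0090, -122.3321, radius_m=300.0),    # ~1,000 m north
    Geofence("citywide", 47.6062 + 0.0270, -122.3321, radius_m=500.0),      # ~3,000 m north
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_FENCES, SAMPLE_FACILITIES):
        print(f"{hit['campaign']:14s} {hit['facility']:16s} gap {hit['gap_ft']:>8.1f} ft")
```

Only the spring-promo fence is flagged: its edge sits about 296 feet from the clinic footprint. The nearby-gym fence is a deliberate near miss at roughly 2,100 feet, which is why the check measures fence edge to facility perimeter rather than center to center; measuring centers would have flagged it. For a real audit, replace the point-plus-radius approximation with facility footprint polygons and treat any polygon fences the platform supports by sampling their vertices.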
The separate consumer health data privacy policy, consumer rights, and data security (RCW 19.373.020, .040, .050)
The policy required by RCW 19.373.020 is a standalone document, not a section inside a general privacy policy. It must be prominently linked from the homepage: a footer link that survives mobile collapse or a dedicated link at page chrome level. Bundling MHMDA disclosures into the general privacy policy is the most common failure pattern on operator-side reviews.
RCW 19.373.040 confers the rights the policy must explain: confirmation of whether the entity is collecting, sharing, or selling consumer health data, with access and a list of all third parties plus contact info; withdrawal of consent for collection and sharing; deletion, with downstream notification to affiliates, processors, contractors, and third parties. Response window: 45 days plus one 45-day extension. Archived data deletion may be delayed up to six months. An appeal process must produce a written decision within 45 days.
RCW 19.373.050 imposes data security obligations with a reasonable-care anchor: "(a) Restrict access to consumer health data by the employees, processors, and contractors of the regulated entity or the small business to only those employees, processors, and contractors for which access is necessary to further the purposes for which the consumer provided consent. (b) Establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy a reasonable standard of care within the regulated entity's or the small business's industry." The consent-tethered access-restriction prong is more granular than role-based access policies usually deliver.
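The two-layer consent regime in RCW 19.373.030 and the consent-tethered access restriction in RCW 19.373.050(a) share one data structure: a per-consumer consent ledger that records collection and sharing consents separately and that every sharing and internal-access decision consults. The following is an added example written for this page, not the page's own code or any vendor's product. The purpose and recipient vocabulary, the principals, and the timeline are hypothetical; a real deployment would take purposes and recipient categories from the published consumer health data privacy policy so that the ledger and the policy cannot drift apart.

```python
"""Consent ledger with separate collection and sharing consents (RCW 19.373.030)
and a consent-tethered access check (RCW 19.373.050(a)).

Added example, not the page's own code. Purposes, recipients, principals and
timestamps are hypothetical; a real system would derive the purpose vocabulary
from the published consumer health data privacy policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

COLLECT, SHARE = "collect", "share"


@dataclass
class Consent:
    scope: str                   # COLLECT or SHARE; one record never covers both
    purposes: frozenset[str]
    recipients: frozenset[str]   # categories of receiving entities; empty for COLLECT
    granted_at: datetime
    withdrawn_at: datetime | None = None

    def active(self, at: datetime) -> bool:
        return self.granted_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


class ConsentLedger:
    """Append-only per-consumer history; withdrawal closes records, never deletes them."""

    def __init__(self) -> None:
        self._records: dict[str, list[Consent]] = {}

    def grant(self, consumer: str, scope: str, purposes, recipients=(), at=None) -> Consent:
        if scope not in (COLLECT, SHARE):
            raise ValueError("scope must be 'collect' or 'share'")
        if scope == SHARE and not recipients:
            raise ValueError("a sharing consent must name the categories of receiving entities")
        rec = Consent(scope, frozenset(purposes), frozenset(recipients), at or datetime.now(timezone.utc))
        self._records.setdefault(consumer, []).append(rec)
        return rec

    def withdraw(self, consumer: str, scope: str, at=None) -> int:
        """Close every open consent of the given scope; returns how many were closed."""
        at = at or datetime.now(timezone.utc)
        closed = 0
        for rec in self._records.get(consumer, []):
            if rec.scope == scope and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                closed += 1
        return closed

    def purposes(self, consumer: str, scope: str, at: datetime, recipient: str | None = None) -> frozenset[str]:
        """Purposes covered by active consents of this scope (and, for SHARE, naming `recipient`)."""
        out: set[str] = set()
        for rec in self._records.get(consumer, []):
            if rec.scope == scope and rec.active(at) and (recipient is None or recipient in rec.recipients):
                out |= rec.purposes
        return frozenset(out)


def may_collect(ledger, consumer, purpose, at, *, necessary_for_requested_service=False) -> bool:
    return necessary_for_requested_service or purpose in ledger.purposes(consumer, COLLECT, at)


def may_share(ledger, consumer, purpose, recipient, at, *, necessary_for_requested_service=False) -> bool:
    # Deliberately never consults COLLECT records: a bundled "I agree" is not a sharing consent.
    return necessary_for_requested_service or purpose in ledger.purposes(consumer, SHARE, at, recipient)


def may_access(ledger, consumer, principal_purposes, requested_purpose, at) -> bool:
    """RCW 19.373.050(a): the principal's role must be scoped to the purpose, and the
    purpose must be one the consumer actually consented to (collection or sharing)."""
    if requested_purpose not in principal_purposes:
        return False
    consented = ledger.purposes(consumer, COLLECT, at) | ledger.purposes(consumer, SHARE, at)
    return requested_purpose in consented


def demo() -> dict[str, bool]:
    """One consumer through grant, share attempts, and withdrawal (constructed timeline)."""
    t = [datetime(2024, 7, 1 + d, tzinfo=timezone.utc) for d in range(5)]
    ledger = ConsentLedger()
    ledger.grant("c-1", COLLECT, {"sleep_tracking"}, at=t[0])
    r = {
        "collect_consented": may_collect(ledger, "c-1", "sleep_tracking", t[1]),
        "collect_unconsented_purpose": may_collect(ledger, "c-1", "advertising", t[1]),
        # Collection consent alone never authorises sharing, even for the same purpose.
        "share_without_share_consent": may_share(ledger, "c-1", "sleep_tracking", "research_partner", t[1]),
    }
    ledger.grant("c-1", SHARE, {"sleep_tracking"}, recipients={"research_partner"}, at=t[1])
    r["share_to_named_recipient"] = may_share(ledger, "c-1", "sleep_tracking", "research_partner", t[2])
    r["share_to_unnamed_recipient"] = may_share(ledger, "c-1", "sleep_tracking", "ad_network", t[2])
    # Support staff scoped to sleep_tracking may access; marketing staff may not,
    # because "advertising" was never a consented purpose.
    r["support_access"] = may_access(ledger, "c-1", {"sleep_tracking"}, "sleep_tracking", t[2])
    r["marketing_access"] = may_access(ledger, "c-1", {"advertising"}, "advertising", t[2])
    ledger.withdraw("c-1", SHARE, at=t[3])
    r["share_after_withdrawal"] = may_share(ledger, "c-1", "sleep_tracking", "research_partner", t[4])
    r["support_access_after_withdrawal"] = may_access(ledger, "c-1", {"sleep_tracking"}, "sleep_tracking", t[4])
    return r


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:34s} {'ALLOW' if allowed else 'DENY'}")
```

Three design choices carry the statutory weight. A sharing consent must name its recipient categories at grant time, so a disclosure to a category the consumer never saw is denied rather than silently broadened. The "necessary to provide the requested product or service" exception is an explicit keyword argument the caller must assert, not a default, so it shows up in code review and audit logs. And withdrawal closes records instead of deleting them, which preserves the evidence that consent existed for the period it did; the deletion right under RCW 19.373.040 applies to the health data itself, not to the consent record that authorized it.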
Why MHMDA changes the privacy posture for SaaS, wellness apps, and AI tools
RCW 19.373.090 is the architecturally most consequential section: "The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW." That sentence converts every MHMDA violation into a per se Washington CPA violation. A plaintiff does not need to plead public-interest impact under Washington's Hangman Ridge / RCW 19.86.093 framework; .090 supplies it by declaration. The plaintiff still pleads injury and causation, but the first three CPA elements are handed over. Combined with discretionary treble damages capped at $25,000, the one-way fee shift, and the four-year SOL under RCW 19.86.120, MHMDA is the highest-leverage state health-privacy statute in the United States. If your app collects mental-health questionnaire data from Washington users and your policy is one combined document with no standalone Consumer Health Data Privacy Policy and no homepage link, you have per se CPA exposure even before any consumer is harmed or any AG inquires.
Enforcement and exemptions (RCW 19.373.090, .100)
RCW 19.373.090 preserves AG enforcement under Chapter 19.86 RCW (civil penalties, injunctive relief, restitution). AG and private CPA paths are parallel; an entity that draws an AG inquiry is also exposed to private litigation on the same facts.
Exemptions at RCW 19.373.100 are narrower than they look. Excluded categories: PHI under HIPAA (with related data under Ch. 70.02 RCW and 42 CFR Part 2); GLBA; FCRA; FERPA; public-health activities under 45 CFR 164.512; deidentified data meeting 45 CFR Part 164; and processing necessary to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious or deceptive activities. The burden of establishing an exemption is on the entity claiming it, and exemptions attach to data, not to the entity as a whole. A hospital is HIPAA-covered for PHI in treatment, payment, and operations, but advertising pixels on its public "find a doctor" page collect visitor data that may fall outside the PHI definition and therefore outside the exemption; the exemption has to be established data flow by data flow.
What I review when you send me an MHMDA matter
The work splits into compliance review and dispute response. Operator-side checkpoints:
- Privacy policy against RCW 19.373.020. Standalone document, prominently linked from the homepage in a way that survives mobile collapse? Five substantive disclosures including the specific-affiliates list? Matches actual data flows?
- Consent UX against RCW 19.373.030. Affirmative consent for collection separate from affirmative consent for sharing? Categories, purposes, recipients, and withdrawal disclosed? Unbundled from general terms acceptance?
- Data flow audit. What consumer health data the product touches (including inferences), where it flows, and whether the flow matches the policy.
- Sale and authorization under RCW 19.373.070. Valid authorization with all nine elements?
- Geofence audit under RCW 19.373.080. Mapping campaign geofences against healthcare-facility addresses with a 2,000-foot buffer.
- Processor contract review under RCW 19.373.060. Binding-instruction and reasonable-assistance language present? Permitted purposes narrowed precisely?
- AG inquiry response. Response window and privilege posture for internal compliance documents matter immediately. Defending a private CPA claim premised on a per se MHMDA violation looks different from an ordinary CPA matter because the public-interest battlefield is gone.
Two service paths
For SaaS, wellness, and AI operators. Privacy policy review, consent UX review, and data-flow audit against MHMDA's specific requirements. Output is a written attorney evaluation identifying gaps, severity ranking, and remediation steps. Where an AG inquiry has arrived, the engagement extends to response drafting and privilege posture. The primary CTA on this page is calibrated to this path.
For Washington consumers whose data was misused. An MHMDA-grounded demand letter asserting the specific subsection violated, identifying the per se CPA hook under RCW 19.373.090, and quantifying exposure (actual damages, discretionary trebling capped at $25,000, one-way fee shift under RCW 19.86.090). For the CPA framework, see my Washington Consumer Protection Act hub. Consumer-side demand letter is $575 for a single attorney-drafted letter on USPS certified mail (signature requested) plus email.
Documents to gather
Operator side: current consumer health data privacy policy URL plus date-stamped capture; homepage screenshot showing the policy link on desktop and mobile; consent UX screenshots (account flow, consent banner, sharing toggles); data inventory of consumer health data categories; processor and sub-processor list; current DPA template; any sale-of-data or partnership arrangement; any AG inquiry letter plus conduct timeline; breach-notification history under Chapter 19.255 RCW.
Consumer side: account screenshots showing signup consent; the entity's privacy policy as it appeared at signup (Wayback Machine if revised); results of any DSAR; app-permissions screenshots; evidence of sale or sharing; prior complaint correspondence; for a geofence claim, device location records and screenshots of ads near or after visiting a healthcare facility.
When this becomes worth hiring an attorney
Hire counsel when one or more is true: an AG inquiry letter has arrived; a breach notification trigger fired and consumer health data is implicated; a geofence audit against the 2,000-foot perimeter is overdue; a consent UX redesign needs review against RCW 19.373.030 before launch; the product is about to launch in Washington; the product touches mental-health, reproductive, gender-affirming, biometric, or sleep data; or deal diligence is asking about MHMDA posture. Less likely to need engagement when no Washington customers are touched, no consumer health data is collected, flows sit entirely within a documented HIPAA-covered relationship, or the issue is structurally a processor-contract question.
Personal note. MHMDA is the kind of law I actually like working on. Narrow enough to be tractable, broad enough to catch real problems, and the separate-policy requirement is a clean compliance hook. I review the privacy policy, consent UX, data flows, and processor contracts, then tell you whether you need a $349 privacy policy review or a more urgent AG-response posture. On the consumer side, the per se CPA hook makes the demand-letter math straightforward when the documentary record is solid.
Do I have a compliance issue?
Before paying for a written evaluation, run the reach-and-policy questions against your own product. If you can answer yes to most of these, MHMDA may apply to your product and a written review is worth the cost.
- Do you conduct business in Washington, or do you target products or services to Washington consumers? A Washington office is not required; targeting is.
- Do you (alone or jointly) determine the purposes and means of processing consumer health data? If you only process under another regulated entity's binding instructions, your obligations look different.
- Do you process data that plausibly counts as consumer health data: biometric, mental-health, reproductive or sexual-health, fitness, sleep, precise location near a healthcare facility, or any inference that puts a consumer in a health-related category?
- Do you maintain a SEPARATE Consumer Health Data Privacy Policy, prominently linked from your homepage in a way that survives mobile collapse, distinct from your general privacy policy? Bundling MHMDA into a general policy is the single most common compliance gap.
- Is your consent opt-in (affirmative, unbundled, with a separate consent for sharing), as RCW 19.373.030 requires, rather than implied through a unified terms acceptance?
What facts matter most in an MHMDA matter?
In an MHMDA matter, leverage and risk rise or fall on a small set of factual anchors. The facts that matter most are (1) the presence of any Washington consumers (residence, collection in Washington, or targeting), since absent that the Act does not reach you at all, (2) whether the data falls into the broad consumer-health-data definition, especially inferences drawn by AI or ML from non-medical signals (this is where most operators discover they are inside the Act), (3) whether a separate Consumer Health Data Privacy Policy exists, is prominently linked from the homepage, and matches actual data flows, (4) the consent UX posture (one bundle versus separate affirmative consents for collection and sharing), and (5) whether geofencing or location-based ads are used within 2,000 feet of any in-person healthcare facility, since RCW 19.373.080 is a flat prohibition.
Documents to upload for a $125 written evaluation
When you send an MHMDA matter for written evaluation, the documents below let me apply the statute to your product rather than to a generic SaaS template.
- Current Consumer Health Data Privacy Policy URL plus a date-stamped capture.
- Homepage screenshot showing the policy link on desktop and on mobile (after any collapse or hamburger menu).
- Consent UX screenshots: account creation flow, consent banner, sharing toggles, and any withdrawal mechanism.
- Data inventory of consumer health data categories collected, processed, shared, or sold, including inferences.
- Processor and sub-processor list, plus the current DPA or processor-contract template.
- Any sale-of-data or partnership arrangement that touches consumer health data.
- Any Washington Attorney General inquiry letter plus the conduct timeline that preceded it.
- Breach-notification history under Chapter 19.255 RCW where consumer health data was implicated.
- For geofence questions, the advertising-platform geofence configuration and a map of the targeted area relative to healthcare-facility addresses.
- Brief product description: what the product does, what data it collects, which Washington-resident users (or Washington collection points) it touches.
What an MHMDA compliance review or demand letter would emphasize
An MHMDA engagement is not a generic privacy audit. It is calibrated to the Act's specific compliance hooks and the per se CPA bridge under RCW 19.373.090. The work typically emphasizes the following.
- The separate-policy requirement under RCW 19.373.020: standalone document, five substantive disclosures including specific affiliates, prominent homepage link that survives mobile collapse.
- The two-layer consent regime under RCW 19.373.030: affirmative consent for collection plus a separate, distinct consent for sharing, unbundled from general terms acceptance.
- The sale-of-data authorization under RCW 19.373.070: all nine elements present, signed by the consumer, with a one-year expiration and revocation mechanism.
- The 2,000-foot geofence prohibition under RCW 19.373.080 mapped against actual ad-platform configurations.
- The per se CPA bridge under RCW 19.373.090: any MHMDA violation is per se a CPA violation, so the entity faces actual damages, discretionary trebling capped at $25,000, and one-way fees without the plaintiff having to plead public interest separately.
What the AI Legal Analyst can analyze before you hire me
If you want a preliminary read before paying for the $125 written evaluation, you can ask the AI Legal Analyst (chatbox bottom-right) about your MHMDA matter. The AI will ask MHMDA-specific triage questions (Washington reach, consumer health data definition including inferences, separate-policy posture, consent UX, geofence exposure), point to the relevant subsections of Chapter 19.373 RCW, and tell you whether the matter looks like a $125 written evaluation candidate, a $499 MHMDA scope memo candidate (operator side), a $575 demand letter candidate (consumer side), or a different path entirely. It will not give you a final legal opinion, that is what the $125 written evaluation is for, but it will help you scope your facts before you send them.
Sergei's practical note
MHMDA is the kind of regulatory matter I actually like to review. The separate-privacy-policy requirement under RCW 19.373.020 is the most-missed compliance point I see in practice. If you collect anything that could be consumer health data and you are serving Washington users, send your current privacy policy, your consent UX screenshots, and a brief product description. I review under California license, so MHMDA review on this page is regulatory advisory work, not Washington representation.
Primary sources
Statutory sources retrieved 2026-05-18 from app.leg.wa.gov: RCW 19.373.005, .010, .020, .030, .040, .050, .060, .070, .080, .090, .100.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice. A Washington-admitted attorney should verify operative statute text and any case citations before relying on them in a live matter. Related: Washington SaaS Terms Guide; Washington Data Breach Notification Guide; Washington Consumer Protection Act hub.