Washington educational resource · Ch. 19.373 RCW
If your app, website, SaaS product, or AI tool touches Washington consumers and processes anything that could be construed as consumer health data, the My Health My Data Act applies, and the cost of getting it wrong is high. Not being HIPAA-covered does not mean you are unregulated. MHMDA violations are per se Consumer Protection Act violations, with one-way attorney's fees and no pre-suit notice. This is the live compliance and dispute surface, not the press releases.
I am Sergei Tokmakov, a California-licensed tech and business attorney (CA Bar #279869) with Washington admission pending. These Washington pages are educational. On MHMDA I can do issue spotting, privacy-policy and consent-UX review, data-flow and processor-contract analysis, and compliance planning under California license. Washington court filings, Washington litigation, and holding out as Washington counsel wait for admission or local-counsel coordination.
I am Sergei Tokmakov, licensed in California and Washington. I can advise on Washington MHMDA compliance and disputes directly.
Issue spotting, privacy-policy and consent review, data-flow and vendor analysis, compliance planning, demand-letter strategy.
Flat-fee written review under California license. MHMDA review here is regulatory advisory work, not Washington representation.
Washington court appearances and litigation filings go through Washington-admitted counsel until my admission is granted.
Terms.Law AI Legal Analyst
Custom legal issue-spotting system built and curated by Sergei Tokmakov, a California-licensed tech and business attorney.
This is not a generic support chatbot. The Health Data Risk Analyst is a custom legal issue-spotting workflow built around the MHMDA frameworks, document patterns, risk factors, and service packages I use as a California-licensed tech and business attorney. It asks targeted follow-up questions, identifies likely legal issues, flags missing documents, and suggests a practical next step for attorney review.
What you get: a risk snapshot, a flagged-issues list, a document checklist, and a practical next step. The analyst does not replace legal advice or create an attorney-client relationship. Its purpose is to help you organize the facts, understand likely risk areas, and decide whether a written attorney review, contract redline, demand letter, or strategy session is the right next step.
If you target Washington consumers and touch anything that identifies or infers physical or mental health status, you are likely inside Chapter 19.373 RCW. A Washington office is not required, targeting is. Here are the situations I see most often.
Direct-to-consumer wellness, fitness, sleep, or period and fertility apps are outside HIPAA but squarely inside MHMDA when Washington users are touched. The usual gap is a single combined privacy policy with no standalone Consumer Health Data Privacy Policy.
Mental-health questionnaire data from Washington users is consumer health data. With a bundled consent flow and no homepage policy link, you can have per se CPA exposure before any consumer is harmed or any AG inquires.
Reproductive, sexual-health, and gender-affirming data sit in the most sensitive tier. The sale-of-data authorization under RCW 19.373.070 needs all nine elements, and geofencing near clinics is a flat prohibition under RCW 19.373.080.
An AI or ML model that infers health status from purchasing patterns, search history, or location is generating consumer health data. The definition reaches inferences, which is where most operators discover they are inside the Act.
Analytics SDKs, marketing pixels, and processor relationships are a common leak. A processor that strays outside its binding instructions converts into a regulated entity for that data under RCW 19.373.060, and a marketing pixel may not qualify for the HIPAA carve-out.
Key highlight
HIPAA reaches only covered entities and their business associates. Wellness apps, consumer fitness trackers, direct-to-consumer mental-health apps, period and fertility apps, sleep apps, AI symptom checkers, and general apps that infer health from non-medical signals are not HIPAA-covered. MHMDA fills that gap. The exemption at RCW 19.373.100 is data-specific, not entity-blanket: a HIPAA-covered hospital is exempt for its PHI but not for the marketing pixels on its public website.
The work splits into operator-side compliance review and consumer-side dispute response. Read the "best for" line before picking. I evaluate everything under California license first, as regulatory advisory work, not Washington representation.
Written Attorney Review
Best forYou are not sure whether MHMDA reaches you, which documents matter, or whether a redline, demand letter, or strategy session is the right next step.
Contract Drafting or Redline
Best forYou already know the document you need reviewed, drafted, or revised: a standalone Consumer Health Data Privacy Policy, a consent flow, or a processor or vendor contract.
MHMDA compliance memo
Best forOperators who want a structured written memo: $499 scope memo, $900 memo plus DPA and vendor language, or $1,500 memo plus a drafted standalone Consumer Health Data Privacy Policy.
Consumer side. If your consumer health data was misused, an MHMDA-grounded demand letter asserts the specific subsection violated, identifies the per se CPA hook under RCW 19.373.090, and quantifies exposure (actual damages, discretionary trebling capped at $25,000, one-way fee shift under RCW 19.86.090). A single attorney-drafted Demand Letter is $575 on USPS certified mail (signature requested) plus email.
Everything below is the detailed legal analysis. It is collapsed so the page stays scannable. Expand any section for the operative text, citations, and how I apply each subsection in practice.
The Act's reach is broader than most operators assume. Washington's My Health My Data Act can reach out-of-state companies if they conduct business in Washington or target products or services to Washington consumers and determine the purposes and means of collecting, processing, sharing, or selling consumer health data. A Washington office or customer base is not required. "Consumer health data" reaches anything reasonably linkable to a consumer that identifies physical or mental health status, sweeping in wellness apps, fitness trackers, mental-health apps, period and fertility apps, sleep apps, and AI tools that infer health from non-medical signals.
If any answer is unclear, the matter merits a written review. The Act has been operative against regulated entities since March 31, 2024 and against small businesses since June 30, 2024.
The finding at RCW 19.373.005 will drive liberal construction in close cases: "The legislature finds that the people of Washington regard their privacy as a fundamental right and an essential element of their individual freedom." The stated legislative tools include heightened disclosures and consent, deletion rights, a ban on selling consumer health data without valid authorization signed by the consumer, and a ban on geofencing health care facilities.
The definitions at RCW 19.373.010 are bedrock. "Consumer" means (a) a Washington resident or (b) a natural person whose consumer health data is collected in Washington. A non-resident whose data is collected in Washington is also a consumer. "Consumer health data" means personal information linked or reasonably linkable to a consumer that identifies past, present, or future physical or mental health status, including inferences. "Regulated entity" means any legal entity that (a) conducts business in Washington or produces or provides products or services targeted to consumers in Washington, and (b) alone or jointly determines the purpose and means of collecting, processing, sharing, or selling consumer health data.
"Small business" means a regulated entity that satisfies one or both of: (a) fewer than 100,000 consumers during a calendar year, or (b) less than 50 percent of gross revenue from consumer health data. "Sell" means exchange for monetary or other valuable consideration, with carve-outs for mergers, acquisitions, bankruptcies, and processor arrangements. "Geofence" is "a virtual boundary that is 2,000 feet or less from the perimeter of the physical location," using GPS, cell tower, cellular data, RFID, Wifi, or any other spatial or location detection.
Two takeaways. First, jurisdictional reach goes beyond Washington-domiciled companies: a Texas SaaS marketing a sleep app to Washington downloaders may be covered if it targets Washington consumers and determines the purposes and means of collecting, processing, sharing, or selling consumer health data. Second, the definition reaches inferences; an AI model inferring health status from purchasing patterns, search history, or location is generating consumer health data.
RCW 19.373.020 is the privacy policy section and the most overlooked compliance gap: "Except as provided in subsection (2) of this section, beginning March 31, 2024, a regulated entity and a small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses: (i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used; (ii) the categories of sources from which the consumer health data is collected; (iii) the categories of consumer health data that is shared; (iv) a list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and (v) how a consumer can exercise the rights provided in RCW 19.373.040. (b) A regulated entity and a small business shall prominently publish a link to its consumer health data privacy policy on its homepage." Subsections (c)-(d) require affirmative consent before adding categories or new purposes; (e) makes processor contracts inconsistent with the policy a violation.
RCW 19.373.030 imposes a two-layer consent regime. A regulated entity may not collect consumer health data except with consent for a specified purpose, or where collection is necessary to provide a requested product or service. It may not share consumer health data except with separate consent distinct from the collection consent, or where sharing is necessary to provide the requested product or service. The authorization request must disclose data categories, purpose and usage methods, receiving entities, and withdrawal mechanism. Discrimination against consumers who exercise these rights is prohibited. A unified privacy-policy acceptance is insufficient; two consents are required. Generic CCPA, CPRA, or Connecticut Data Privacy Act consent flows fail on this point.
RCW 19.373.060 regulates the processor relationship and was previously unquoted in the underlying authority map. Operative text: "(1)(a)(i) Except as provided in subsection (2) of this section, beginning March 31, 2024, a processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity or the small business that sets forth the processing instructions and limit the actions the processor may take with respect to the consumer health data it processes on behalf of the regulated entity or the small business. (ii) A processor may process consumer health data only in a manner that is consistent with the binding instructions set forth in the contract with the regulated entity or the small business. (b) A processor shall assist the regulated entity or the small business by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the regulated entity's and the small business's obligations under this chapter. (c) If a processor fails to adhere to the regulated entity's or the small business's instructions or processes consumer health data in a manner that is outside the scope of the processor's contract with the regulated entity or the small business, the processor is considered a regulated entity or a small business with regard to such data and is subject to all the requirements of this chapter with regard to such data. (2) A small business must comply with this section beginning June 30, 2024." MHMDA processor contracts are not interchangeable with GDPR DPAs or CCPA service-provider agreements; a processor that strays outside instructions converts into a regulated entity for the data at issue.
RCW 19.373.070 governs the sale of consumer health data, borrowing the architecture of a HIPAA authorization of disclosure. Beginning March 31, 2024, it is unlawful to sell or offer to sell consumer health data without valid authorization. Required nine elements: (1) specific identification of the data; (2) name and contact details of the seller; (3) name and contact details of the buyer; (4) description of the purpose, including how data will be gathered and used; (5) a statement that "provision of goods or services may not be conditioned on" signing; (6) revocation right and instructions; (7) notice that purchased data may be subject to further redisclosure; (8) expiration one year from signature; and (9) consumer signature and date. The authorization is invalid if expired, missing any element, revoked, combined with other documents, or conditioning service on signing.
RCW 19.373.080 is the geofence prohibition: "It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services." The 2,000-foot perimeter sits in the definitions at RCW 19.373.010. Session-law source 2023 c 191 s 10. The 2023 c 191 enacting law took effect July 23, 2023 under the default rule and s 10 contains no delayed-compliance language; confirm against the session law before relying on a pre-July-23, 2023 conduct date.
The policy required by RCW 19.373.020 is a standalone document, not a section inside a general privacy policy. It must be prominently linked from the homepage: a footer link that survives mobile collapse or a dedicated link at page chrome level. Bundling MHMDA disclosures into the general privacy policy is the most common failure pattern on operator-side reviews.
RCW 19.373.040 confers the rights the policy must explain: confirmation of whether the entity is collecting, sharing, or selling consumer health data, with access and a list of all third parties plus contact info; withdrawal of consent for collection and sharing; deletion, with downstream notification to affiliates, processors, contractors, and third parties. Response window: 45 days plus one 45-day extension. Archived data deletion may be delayed up to six months. An appeal process must produce a written decision within 45 days.
RCW 19.373.050 imposes data security obligations with a reasonable-care anchor: "(a) Restrict access to consumer health data by the employees, processors, and contractors of the regulated entity or the small business to only those employees, processors, and contractors for which access is necessary to further the purposes for which the consumer provided consent. (b) Establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy a reasonable standard of care within the regulated entity's or the small business's industry." The consent-tethered access-restriction prong is more granular than role-based access policies usually deliver.
RCW 19.373.090 is the architecturally most consequential section: "The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW." That sentence converts every MHMDA violation into a per se Washington CPA violation. A plaintiff does not need to plead public-interest impact under Washington's Hangman Ridge / RCW 19.86.093 framework; .090 supplies it by declaration. The plaintiff still pleads injury and causation, but the first three CPA elements are handed over. Combined with discretionary treble damages capped at $25,000, the one-way fee shift, and the four-year SOL under RCW 19.86.120, MHMDA is the highest-leverage state health-privacy statute in the United States. If your app collects mental-health questionnaire data from Washington users and your policy is one combined document with no standalone Consumer Health Data Privacy Policy and no homepage link, you have per se CPA exposure even before any consumer is harmed or any AG inquires.
RCW 19.373.090 preserves AG enforcement under Chapter 19.86 RCW (civil penalties, injunctive relief, restitution). AG and private CPA paths are parallel; an entity that draws an AG inquiry is also exposed to private litigation on the same facts.
Exemptions at RCW 19.373.100 are narrower than they look. Excluded categories: PHI under HIPAA (with related data under Ch. 70.02 RCW and 42 CFR Part 2); GLBA; FCRA; FERPA; public-health activities under 45 CFR 164.512; deidentified data meeting 45 CFR Part 164; and processing necessary to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious or deceptive activities. Exemption burden is on the entity claiming it, and exemptions are data-specific, not entity-blanket. A hospital is HIPAA-covered for PHI in treatment, payment, and operations, but its website's advertising pixels on a "find a doctor" page collect data that is not PHI and not exempt.
The work splits into compliance review and dispute response. Operator-side checkpoints:
For SaaS, wellness, and AI operators. Privacy policy review, consent UX review, and data-flow audit against MHMDA's specific requirements. Output is a written attorney evaluation identifying gaps, severity ranking, and remediation steps. Where an AG inquiry has arrived, the engagement extends to response drafting and privilege posture. The primary CTA on this page is calibrated to this path.
For Washington consumers whose data was misused. An MHMDA-grounded demand letter asserting the specific subsection violated, identifying the per se CPA hook under RCW 19.373.090, and quantifying exposure (actual damages, discretionary trebling capped at $25,000, one-way fee shift under RCW 19.86.090). For the CPA framework, see my Washington Consumer Protection Act hub. Consumer-side demand letter is $575 for a single attorney-drafted letter on USPS certified mail (signature requested) plus email.
Operator side: current consumer health data privacy policy URL plus date-stamped capture; homepage screenshot showing the policy link on desktop and mobile; consent UX screenshots (account flow, consent banner, sharing toggles); data inventory of consumer health data categories; processor and sub-processor list; current DPA template; any sale-of-data or partnership arrangement; any AG inquiry letter plus conduct timeline; breach-notification history under Chapter 19.255 RCW.
Consumer side: account screenshots showing signup consent; the entity's privacy policy as it appeared at signup (Wayback Machine if revised); results of any DSAR; app-permissions screenshots; evidence of sale or sharing; prior complaint correspondence; for a geofence claim, device location records and screenshots of ads near or after visiting a healthcare facility.
Hire counsel when one or more is true: an AG inquiry letter has arrived; a breach notification trigger fired and consumer health data is implicated; a geofence audit against the 2,000-foot perimeter is overdue; a consent UX redesign needs review against RCW 19.373.030 before launch; the product is about to launch in Washington; the product touches mental-health, reproductive, gender-affirming, biometric, or sleep data; or deal diligence is asking about MHMDA posture. Less likely to need engagement when no Washington customers are touched, no consumer health data is collected, flows sit entirely within a documented HIPAA-covered relationship, or the issue is structurally a processor-contract question.
Personal note. MHMDA is the kind of law I actually like working on. Narrow enough to be tractable, broad enough to catch real problems, and the separate-policy requirement is a clean compliance hook. I review the privacy policy, consent UX, data flows, and processor contracts, then tell you whether you need a written privacy policy review or a more urgent AG-response posture. On the consumer side, the per se CPA hook makes the demand-letter math straightforward when the documentary record is solid.
Before paying for a written evaluation, run the reach-and-policy questions against your own product. If you can answer yes to most of these, MHMDA may apply to your product and a written review is worth the cost.
In an MHMDA matter, leverage and risk rise or fall on a small set of factual anchors. The facts that matter most are (1) the presence of any Washington consumers (residence, collection in Washington, or targeting), since absent that the Act does not reach you at all, (2) whether the data falls into the broad consumer-health-data definition, especially inferences drawn by AI or ML from non-medical signals (this is where most operators discover they are inside the Act), (3) whether a separate Consumer Health Data Privacy Policy exists, is prominently linked from the homepage, and matches actual data flows, (4) the consent UX posture (one bundle versus separate affirmative consents for collection and sharing), and (5) whether geofencing or location-based ads are used within 2,000 feet of any in-person healthcare facility, since RCW 19.373.080 is a flat prohibition.
When you send an MHMDA matter for written evaluation, the documents below let me apply the statute to your product rather than to a generic SaaS template.
An MHMDA engagement is not a generic privacy audit. It is calibrated to the Act's specific compliance hooks and the per se CPA bridge under RCW 19.373.090. The work typically emphasizes the following.
If you want a preliminary read before paying for the Written Attorney Review, you can ask the AI Legal Analyst about your MHMDA matter. The AI will ask MHMDA-specific triage questions (Washington reach, consumer health data definition including inferences, separate-policy posture, consent UX, geofence exposure), point to the relevant subsections of Chapter 19.373 RCW, and tell you whether the matter looks like a $240 written attorney review candidate, a $499 MHMDA scope memo candidate (operator side), a $575 demand letter candidate (consumer side), or a different path entirely. It will not give you a final legal opinion, that is what the Written Attorney Review is for, but it will help you scope your facts before you send them.
MHMDA is the kind of regulatory matter I actually like to review. The separate-privacy-policy requirement under RCW 19.373.040 is the most-missed compliance point I see in practice. If you collect anything that could be consumer health data and you are serving Washington users, send your current privacy policy, your consent UX screenshots, and a brief product description. I review under California license, so MHMDA review on this page is regulatory advisory work, not Washington representation.
Statutory sources retrieved from app.leg.wa.gov: RCW 19.373.005, .010, .020, .030, .040, .050, .060, .070, .080, .090, .100.
The primary statutes and operative remedies cited here were pulled from app.leg.wa.gov current text. The RCW 19.373.080 effective date relies on the default rule for 2023 c 191 s 10 (July 23, 2023) and should be confirmed against the session-law PDF before relying on a pre-July-23, 2023 conduct date. Washington Attorney General MHMDA guidance, Washington court-rule pleading standards (CR 8 / CR 12), and the discovery-rule application to RCW 19.86.120 should be checked against the current source before relying on them in a live matter. I cite primary sources throughout and link to leg.wa.gov so readers can verify the operative text directly.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice. A Washington-admitted attorney should verify operative statute text and any case citations before relying on them in a live matter. Related: Washington SaaS Terms Guide; Washington Data Breach Notification Guide; Washington Consumer Protection Act hub.