Washington educational resource

Washington Substance Use App MHMDA Compliance: When 42 CFR Part 2 Helps and When It Does Not

Substance use disorder apps include sobriety trackers, recovery community platforms, peer-support apps, medication-assisted treatment support tools, harm-reduction information apps, and the SUD modules inside broader mental health products. The exemption at RCW 19.373.100 carves out PHI under HIPAA and related data under 42 CFR Part 2 (substance use disorder records from federally assisted programs). That helps clinical-program apps; it does not help consumer-facing SUD products. Confirm the exemption posture against the actual operating model before relying on it.

AI Legal Analyst

Ask my AI Legal Analyst about Washington consumer health data and MHMDA?

Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step.

Common Washington consumer-health-data questions, always free

Does Washington MHMDA even apply to my product? I am not HIPAA-covered, am I in the clear? Are my analytics and AI-API calls sharing events? Do I need a separate consumer health data privacy policy? Is one "I agree" checkbox enough for consent? What happens if I get this wrong?

Loading the AI Legal Analyst...

Last legally reviewed: 2026-05-19. Citations verified against Chapter 19.373 RCW; the 42 CFR Part 2 reference at RCW 19.373.100 should be confirmed against the current text of 42 CFR Part 2 before relying on it in a specific matter.

Three SUD app architectures and the MHMDA posture

Architecture A: Consumer-facing sobriety tracker, no clinical relationship. Examples: day-counter, urge logger, trigger journal, recovery peer chat. No 42 CFR Part 2 program. MHMDA applies to all of the data. The exemption analysis is brief and unhelpful.

Architecture B: SaaS that supports a federally assisted Part 2 program. The operator is a contractor or business associate of a Part 2 program. The data carve-out at RCW 19.373.100 may apply to data inside the Part 2 relationship. MHMDA still reaches the marketing pixels on the public site, the pre-program intake, the recovery community module that sits outside the Part 2 record, and any analytics on those surfaces.

Architecture C: Hybrid SUD platform with clinical and community modules. The hardest category. The Part 2 exemption applies field-by-field, not entity-wide. Self-guided modules, peer community content, in-app journaling, and pre-intake assessments are MHMDA-covered. The product needs separate consent flows and a separate Consumer Health Data Privacy Policy for the MHMDA-covered surface.

SUD data is the highest-sensitivity category outside HIPAA. Substance use disorder status carries stigma, employment risk, custody risk, immigration risk, and insurance risk. Marketing pixels and ad-platform sharing on SUD apps draw the most aggressive attention from privacy advocates, regulators, and class-action plaintiffs. The CPA per se bridge at RCW 19.373.090 turns any MHMDA gap into actual damages plus discretionary trebling capped at $25,000 plus one-way fees, without the plaintiff having to plead public-interest impact.

MHMDA compliance stack for SUD apps

Separate Consumer Health Data Privacy Policy under RCW 19.373.020 that clearly describes the SUD data categories, the 42 CFR Part 2 carve-out if it applies, and the data that sits outside the Part 2 relationship.
Two-layer consent under RCW 19.373.030 at signup. Sharing consent should be granular per vendor category (analytics, attribution, AI features) and should not be bundled with the Part 2 release of information.
Operational deletion under RCW 19.373.040 with documented handling of any Part 2 retention obligations. Where Part 2 requires retention for a defined period, document the exception in the deletion workflow.
Reasonable-care security under RCW 19.373.050. Access restrictions on engineering and support team views are especially important on SUD content given employment and custody risk.
MHMDA-compliant processor contracts under RCW 19.373.060 with every SDK vendor that receives SUD content.
No marketing pixels firing from URLs that disclose SUD status. Conversion events should be funneled through a server-side mechanism that strips SUD context before any third-party platform sees the request.
Geofence audit under RCW 19.373.080: methadone clinics, detox centers, inpatient SUD programs, MAT providers, and AA / NA meeting venues are all in-person healthcare facilities for the 2,000-foot prohibition where treatment is provided.

What to send for a written review

Brief operating-model description: consumer-facing only, Part 2 program support, or hybrid; which licensed providers if any.
Current privacy policy, Consumer Health Data Privacy Policy if separate, and any Part 2 Notice of Privacy Practices.
Signup, consent, and intake screens; the homepage with the policy link on desktop and mobile.
Vendor map: analytics, attribution, session replay, ad pixels, CRM, AI features, customer support tooling.
AI feature description if any (recommendation engine, peer-matching, content moderation).
Deletion workflow and any Part 2 retention rules that override deletion.

Sergei's practical note

SUD apps are the category where the 42 CFR Part 2 carve-out at RCW 19.373.100 gets misread most often. The carve-out applies to data inside the Part 2 relationship, not to the operator's whole business. Marketing pixels, pre-intake assessments, peer community content, and any analytics on the public website are MHMDA-covered even when the clinical record is exempt. The fix is the standard MHMDA stack: separate Consumer Health Data Privacy Policy, two-layer consent, MHMDA-compliant processor contracts, operational deletion, and an honest data map that says which fields sit inside the Part 2 carve-out and which do not. I review under California license. This is regulatory advisory work, not Washington representation.

Payment

Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The flat fee for the Healthcare SaaS Legal Package is $2,500. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.

Delivery

Drafts in 2 to 3 business days, even for complex agreements. I work weekends when a matter needs it and it is engaged. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.

Process

Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
We refine. Reasonable revision rounds are included so the final version fits how your product actually works.

Scope

This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.

Need this handled end to end? The $2,500 Healthcare SaaS Legal Package

A flat-fee package for digital health and SaaS founders: HIPAA and BAA posture, Terms of Service and privacy policy, and the consumer-health-data layer that MHMDA adds on top. Reviewed under California license; for Washington court representation I coordinate with Washington-admitted counsel.

Request this package · $2,500

See the full Healthcare SaaS legal stack → or email me directly for a scoped quote.

Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing here creates an attorney-client relationship or is Washington legal advice.