Washington tool

AI Health Tool MHMDA Analyzer

Run your AI health tool against Washington MHMDA (Ch. 19.373 RCW). The analyzer scores MHMDA scope risk on the inference prong, vendor and processor risk under , training-data risk, and the overall MHMDA risk profile, then recommends a compliance package tier. Triage tool, not legal advice. Confirm operative statutory text before relying on any output.

Answer the ten questions below. The tool returns a regulated-entity determination, sub-scores for inference risk, vendor risk, and training-data risk, the top compliance gaps, and a recommended package tier.

1Health, wellness, symptom, mental-health, fertility, or medication questions

Does your AI tool answer health, wellness, symptom, mental-health, fertility, sleep, or medication questions?

If the tool ever returns substantive output about these topics, the AI is operating in MHMDA's named-category space under RCW 19.373.010.

2Inferring health status

Does your AI infer health status (mood, recovery, symptom, risk score, mental-health flag) from ordinary inputs?

RCW 19.373.010 reaches information "derived or extrapolated from non-health information." An inferred mood, sleep quality, or risk score is consumer health data.

3Prompt storage

Are user prompts stored beyond the active session?

Stored prompts that include health content are collected consumer health data under RCW 19.373.030.

4Training-data use

Are prompts used to train models (in-house or via vendor default)?

Training on submitted consumer health data is a sharing event under RCW 19.373.030(1)(b) and requires a separate consent.

5Third-party AI APIs

Does your application send prompts to third-party AI APIs (OpenAI, Anthropic, Azure OpenAI, etc.)?

External AI vendors are processors under RCW 19.373.060. A binding processor contract with the right elements is required.

6Logs and analytics

Are logs or event payloads sent to analytics SDKs that may observe prompt content or inferred-health classifications?

Mixpanel, Amplitude, GA4, Sentry, and similar SDKs receiving health-adjacent payloads create a sharing event that the consent UX and standalone policy must address.

7Washington users

Are Washington users accepted?

RCW 19.373.010 reaches Washington residents and any consumer whose data is collected in Washington. Targeting Washington is also enough.

8Standalone Consumer Health Data Privacy Policy

Do you maintain a separate Consumer Health Data Privacy Policy prominently linked from the homepage?

RCW 19.373.020 requires the standalone policy as a distinct document; bundling into a general policy is the most common compliance gap.

9Consent before collection

Do you obtain affirmative consent for collection before processing prompts?

RCW 19.373.030 requires affirmative consent for collection; browse-wrap or generic terms acceptance is not enough.

10Separate sharing consent

Do you obtain a separate consent for sharing with model providers, analytics, or handoff partners?

RCW 19.373.030(1)(b) requires a sharing consent distinct from the collection consent; bundling fails the test.

How the score is calculated

The risk score is a weighted composite of four sub-scores. Scope risk (inference prong) carries 30 points: does the tool answer health questions, infer health status, and reach Washington users. AI inference risk carries 25 points: stored prompts, inferred classifications, named consumer-health categories. Vendor and processor risk carries 25 points: third-party AI API use, processor addendum status, analytics SDK exposure. Training-data risk carries 20 points: whether prompts may be used to train models and whether a separate sharing consent has been obtained.

Verdict bands: 75 to 100 (Significant exposure, material remediation required), 55 to 74 (Material gaps, compliance program needs documented upgrade), 30 to 54 (Mostly compliant, discrete gaps), 0 to 29 (Compliant or out of scope on current inputs).

Authority notes

Statutory citations from RCW 19.373.010 (definitions and inference prong), RCW 19.373.020 (standalone privacy policy), RCW 19.373.030 (collection and sharing consents), RCW 19.373.040 (consumer rights), RCW 19.373.050 (security), RCW 19.373.060 (processor contracts), RCW 19.373.080 (geofence), RCW 19.373.090 (per se CPA bridge).

For background, see my MHMDA for AI Health Tools cluster hub and the existing MHMDA Scope Analyzer and Privacy Policy Gap Checker.