Free triage tool

Mental Health SaaS MHMDA Gap Checker: Where Does Your Product Sit Against Chapter 19.373 RCW?

If you run a therapy app, mood tracker, journaling app, substance-use platform, AI mental health chatbot, behavioral health SaaS, or peer-support product, this triage answers three things in under three minutes: how MHMDA reaches your data, where the highest-risk gaps usually sit, and which package tier matches the work. It is a triage tool, not legal advice. I built it to mirror the questions I ask on a paid review under California license.

Answer the questions below. The tool returns an MHMDA risk score, a gap list keyed to Chapter 19.373 RCW, and a recommended next step.

1. Product type

Which type of mental health product is closest to yours?

Used to scope vendor and AI defaults; refine in the recommendation step if you straddle categories.

2. HIPAA posture

What is your HIPAA status?

The exemption at RCW 19.373.100 is data-specific, not entity-blanket. Even covered entities have MHMDA-reachable surfaces.

3. Consumer health data categories

Which data categories does the product collect (mark all that apply)?

RCW 19.373.010 reaches mental health status, mood, symptoms, treatment-seeking, journal entries, and inferences expressly.

4. Third-party SDKs and vendors

Which third-party tools receive product data (mark all that apply)?

Each one that touches consumer health data is a sharing event under RCW 19.373.030 and a processor relationship under RCW 19.373.060.

5. AI features

Does the product use AI features that touch consumer health data?

Examples: chatbot replies, journal summarization, mood prediction, crisis detection, content moderation, recommendation.

6. Provider portal

Is there a clinician-facing or provider-facing portal?

If yes, the portal is usually HIPAA-covered while the consumer-facing surface is MHMDA-covered.

7. Operational deletion

Does deletion actually reach analytics, AI artifacts, and vendor systems?

RCW 19.373.040 requires an operational workflow, not just policy text. Soft-delete in the primary database is not compliant.

8. Separate Consumer Health Data Privacy Policy

Do you publish a separate Consumer Health Data Privacy Policy prominently linked from the homepage?

RCW 19.373.020 requires a standalone document distinct from the general privacy policy.

9. Two-layer consent

Is consent two-layer (collection + separate sharing) at signup?

RCW 19.373.030 requires affirmative consent for collection plus a separate, distinct consent for sharing.

How the score is calculated

The risk score weighs the gaps that most often produce per se CPA exposure under RCW 19.373.090. Higher score means lower compliance maturity (more risk). Bands: 0-25 (Low: targeted tightening), 26-50 (Moderate: documented gap-closing pass), 51-75 (High: substantial rewrite and processor remediation), 76-100 (Critical: rebuild policy, consent, vendor mapping, and deletion workflow).

Authority notes

Statutory citations come from RCW 19.373.010 (definitions), .020 (separate Consumer Health Data Privacy Policy), .030 (two-layer consent), .040 (consumer rights and operational deletion), .050 (security), .060 (processor contracts), .080 (geofence), .090 (per se CPA bridge), and .100 (exemptions).

Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing here creates an attorney-client relationship or is Washington legal advice.