
Washington MHMDA Privacy Policy Gap Checker

Most consumer-health-data privacy policies I see are a generic privacy policy with a sentence about health data dropped in. That is not the separate Consumer Health Data Privacy Policy that RCW 19.373.020 requires. This checker walks the disclosure elements in RCW 19.373.020, the consumer-rights mechanism in RCW 19.373.040, the consent rules in RCW 19.373.030, and the data-security baseline in RCW 19.373.050, and returns a gap list with statutory citations.

Answer the nine questions below. The tool returns a compliance score and a gap list keyed to RCW 19.373.020, .030, .040, and .050.

1. Do you publish a privacy policy?

What kind of privacy policy do you currently publish?

Per RCW 19.373.020, a regulated entity must maintain a consumer-health-data privacy policy. A single combined policy that buries health data inside a general privacy document usually does not satisfy the separate-policy requirement.

2. Homepage link to the policy

How is the policy linked from your homepage?

Per RCW 19.373.020, the consumer-health-data policy must be prominently published, with a link to it on the homepage. A footer-only link on a long homepage may not be prominent enough.

3. Categories of consumer health data collected

Does the policy disclose the categories of data collected?

Per RCW 19.373.020, the policy must disclose the categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used.

4. Sources of consumer health data

Does the policy disclose the sources of consumer health data?

Per RCW 19.373.020, the policy must disclose the categories of sources from which the data is collected (for example, directly from the consumer, from third parties, or by inference).

5. Purposes for collecting

Does the policy disclose the purposes for collecting consumer health data?

Per RCW 19.373.020, the policy must disclose how the data is used. Collecting or sharing for a new purpose not covered by the existing consent requires fresh affirmative consent under RCW 19.373.030.

6. Sharing parties and purposes

Does the policy disclose categories of third parties with whom data is shared and the purpose of sharing?

Per RCW 19.373.020, the policy must disclose the categories of consumer health data that are shared and a list of the categories of third parties and specific affiliates with whom the data is shared.

7. Consumer rights mechanism

Which consumer rights are described and enabled?

Per RCW 19.373.040, consumers have the right to confirm whether their data is being collected or shared and to access it (including a list of the third parties and affiliates with whom it has been shared), to withdraw consent, and to request deletion. Responses are due within 45 days, with one 45-day extension permitted. An appeal process for refused requests is also required.

8. Consent flow type

Is the consent flow opt-in?

Per RCW 19.373.030, you may not collect consumer health data except with the consumer's consent or where necessary to provide a product or service the consumer has requested. Sharing requires a SEPARATE consent, distinct from the consent obtained for collection. Notice-only banners and browse-wrap do not satisfy either consent.

9. Last reviewed

When was the policy last reviewed?

A policy that has not been reviewed in over a year usually drifts out of step with product changes and new data flows. A documented annual review is the practical baseline.

How the score is calculated

The score weights the MHMDA policy elements that are most often missing in practice. Weights total 100 points.

The four verdict bands are 80 to 100 (Strong: minor language tightening), 60 to 79 (Moderate: a documented gap-closing pass needed), 40 to 59 (Weak: substantial rewrite needed), and 0 to 39 (Poor: rebuild the policy from a compliant template).

Authority notes

Statutory citations come from RCW 19.373.020 (privacy policy and homepage link, disclosure elements), RCW 19.373.030 (separate consents for collection and sharing), RCW 19.373.040 (consumer rights and 45-day response window), and RCW 19.373.050 (data security). For sale of consumer health data, see RCW 19.373.070. For per se Consumer Protection Act (CPA) exposure on any violation, see RCW 19.373.090.

For background on Washington MHMDA, see my Washington My Health My Data Act resource. The companion MHMDA Scope Analyzer determines whether you are in scope.