Washington tool

Washington MHMDA Scope Analyzer

My Health My Data Act (Chapter 19.373 RCW) is the most aggressive U.S. state health-privacy statute. It reaches wellness apps, fertility trackers, mental-health adjacent platforms, AI assistants that infer health, and almost every adtech vendor that collects location near healthcare facilities. Most operators do not know they are in scope. This tool walks the regulated-entity definition under RCW 19.373.020, the consumer-health-data definition under RCW 19.373.010, and the per-se CPA exposure under RCW 19.373.090, and returns a risk score and the top compliance gaps.

This is a triage tool, not legal advice. Citations verified against Chapter 19.373 RCW on app.leg.wa.gov. MHMDA reaches out-of-state companies if they conduct business in Washington or target products or services to Washington consumers and determine the purposes and means of processing consumer health data.

1Washington users

Do you have any Washington users right now?

Yes, I have Washington users No, no Washington users Not sure (no geo-blocking, no user-state tracking)

2Targeting Washington consumers

Do you target products or services to Washington consumers?

Yes, I target Washington consumers Partially (national audience including Washington) No, I do not target Washington

3Data plausibly counts as consumer health data

Which of these data categories do you collect?

Biometric data (fingerprint, face, voice, gait) Mental-health information (mood, therapy, anxiety, sleep) Reproductive or pregnancy data Gender-affirming care data Fitness or wellness data (steps, heart rate, sleep) Health-condition or diagnosis data Location near healthcare facilities Inferences about health from other data None of the above

4Purpose and means determination

Do you control the purposes and means of processing?

Yes, I am the controller No, I am only a processor Mixed: controller for some flows, processor for others

5Sale or sharing

Do you sell or share consumer health data?

Yes, I sell or share data No, I do not sell or share Not sure (need to map data flows)

6Separate Consumer Health Data Privacy Policy

Do you have a separate Consumer Health Data Privacy Policy?

Yes, a separate Consumer Health Data Privacy Policy Generic privacy policy only No published privacy policy at all

7Homepage link to the separate policy

Is the separate policy prominently linked from your homepage?

Yes, prominently linked on the homepage No, not linked on the homepage Not applicable (no separate policy exists)

8Opt-in consent for collection

Do you obtain opt-in consent for collection?

Yes, affirmative opt-in consent Notice only (browse-wrap or banner) No, no consent flow at all

9Geofencing around healthcare facilities

Do you use geofencing around healthcare facilities?

Yes, we use geofences near healthcare facilities No geofencing near healthcare facilities Not sure (need to audit ad targeting and SDKs)

How the score is calculated

The score weighs the elements that drive MHMDA exposure. Weights total 100 points.

Washington targeting (any WA users + targeting WA consumers): up to 20 points.
Health-data category collected: up to 25 points. Reproductive, gender-affirming, mental health, and biometric data score at the top.
Separate Consumer Health Data Privacy Policy missing or generic-only: up to 20 points. The separate-policy rule is the most-violated requirement.
Consent gap (notice-only, no consent, no two-layer separation for sharing): up to 15 points.
Geofence violation: up to 15 points. The 2,000-foot prohibition under RCW 19.373.080 is categorical.
Sale or sharing without compliant authorization: up to 5 points. RCW 19.373.070's nine-element authorization is rarely fully implemented.

The four verdict bands are 80 to 100 (Significant exposure), 60 to 79 (Material gaps), 30 to 59 (Mostly compliant), and 0 to 29 (Compliant or out of scope).

Authority notes

Statutory citations come from RCW 19.373.010 (consumer, consumer health data, regulated entity, geofence), RCW 19.373.020 (privacy policy with homepage link), RCW 19.373.030 (separate consents for collection and sharing), RCW 19.373.040 (consumer rights: access, deletion, withdraw consent), RCW 19.373.050 (data security), RCW 19.373.060 (processor flow-down obligations), RCW 19.373.070 (nine-element sale authorization), RCW 19.373.080 (2,000-foot geofence prohibition), RCW 19.373.090 (per-se CPA pathway under Chapter 19.86 RCW), and RCW 19.373.100 (exemptions, including HIPAA PHI, GLBA, FCRA, FERPA).

For background on Washington MHMDA, see my Washington My Health My Data Act resource. For other Washington tools, see my Washington Business Law Resources hub.

Washington MHMDA Scope Analyzer

Regulated-entity determination

Top compliance gaps

Per-se CPA exposure (RCW 19.373.090)

Recommended next step

How the score is calculated

Authority notes