Washington My Health My Data Act · Ch. 19.373 RCW
The My Health My Data Act reaches far past hospitals and HIPAA. If your product collects or infers anything about a person's health, including wellness, mental health, reproductive status, or even precise location near a clinic, Washington may treat that as regulated consumer health data. I built this short self-assessment to estimate your exposure, flag the documents you are likely missing, and point you to a practical next step.
I am Sergei Tokmakov, a California-licensed technology and business attorney, CA Bar #279869, with Washington admission pending. These Washington pages are educational. I can help today with issue spotting, document review, privacy-policy and consent drafting, vendor and SDK contract strategy, and California or federal-side compliance work. Anything requiring a Washington-admitted lawyer, such as Washington court filings or appearing as counsel of record in Washington, would be handled by Washington-admitted counsel or through a local-counsel arrangement.
I am Sergei Tokmakov, licensed in California and Washington. I can advise on Washington My Health My Data Act compliance and related contract and privacy matters directly.
Issue spotting, document review, privacy-policy and consent drafting, vendor and SDK contract review.
This tool is general legal information and an educational self-assessment, not legal advice, and using it does not create an attorney-client relationship.
Washington court appearances, Washington litigation filings, and Washington legal representation.
Answer eight short questions about your product. I score your consumer-health-data risk from 0 to 100 across four levels, show you what moved the result, list the documents you are likely missing, and recommend a practical next step. Nothing you enter is sent anywhere until you choose to send it to me.
The My Health My Data Act was written specifically to reach health-related data that HIPAA does not cover: wellness apps, mental-health and fertility apps, fitness and nutrition trackers, and the data brokers and advertising tools behind them. Telling yourself "I am not a covered entity" does not get you out of it. If you handle data that reveals or infers a person's health, you should assume Washington's rules may apply until you confirm otherwise.
This is the issue-spotting workflow. It walks you through the same questions I would ask in a first review, then gives you a score, the factors behind it, your document gaps, and the right next step. Every result carries the educational-self-assessment disclaimer and the Washington admission-pending note.
Short, plain-language background. Expand a section for more detail. Specific statutory deadlines, fee caps, and effective dates are general references; I confirm the operative numbers against the current statute before relying on them in any advice.
The My Health My Data Act is codified at Ch. 19.373 RCW. It is a consumer-health-data privacy law, not a healthcare-provider law. It was written to cover health-related data that falls outside HIPAA, including data held by app developers, wellness and mental-health products, advertising technology vendors, and data brokers. The core idea is that "consumer health data" is broad: it includes information that identifies a consumer's past, present, or future physical or mental health status, and information from which health status can be inferred.
HIPAA applies to covered entities like providers and health plans and their business associates. Most consumer apps are neither. The My Health My Data Act was designed precisely to reach that gap. So a wellness, fitness, fertility, or mental-health app that is well outside HIPAA can still be squarely within the Act. The practical takeaway: if your product reveals or infers health status about a Washington consumer, assume the Act may apply and confirm scope before assuming you are exempt.
The Act sets expectations around three documents most apps get wrong. First, a separate consumer-health-data privacy policy that is distinct from a general privacy policy and prominently linked. Second, consent to collect consumer health data that is separate from a blanket terms-of-service acceptance. Third, a distinct authorization before selling consumer health data. The exact wording, prominence, and timing requirements are specific, so I confirm them against the current statute text when I draft or review these documents rather than relying on a summary.
The Act includes a separate restriction on geofencing around facilities that provide health services, used to identify, track, or send messages to consumers based on their proximity. If your product collects precise geolocation, this is a distinct risk area on top of the general consumer-health-data rules, which is why precise location is weighted in the assessment above.
The My Health My Data Act is enforced through the Washington Consumer Protection Act (Ch. 19.86 RCW). A violation of the Act can be treated as a violation of the CPA, which opens the door to enforcement by the Washington Attorney General and, significantly, a private right of action with the CPA's remedies. That CPA overlay is what turns a privacy gap into real litigation and penalty exposure, so it is the part I weigh most heavily when I assess a product. The specific remedies, penalty figures, and any safe-harbor or cure provisions are statutory details I confirm against the current text before quoting them.