Washington tool

Wellness App MHMDA Risk Checker

Wellness apps sit squarely inside the Washington My Health My Data Act (Chapter 19.373 RCW). Fitness trackers, sleep apps, nutrition logs, mood journals, meditation platforms, weight-management tools, and AI health coaches all collect or infer consumer health data the moment they touch steps, sleep, mood, diet, weight, symptoms, medication, or goals. Most operators do not know they are in scope. This tool scores the exposure under RCW 19.373.020, the consumer-health-data definition under RCW 19.373.010, and the per-se CPA pathway under RCW 19.373.090, and recommends a compliance package.

This is a triage tool, not legal advice. Citations verified against Chapter 19.373 RCW on app.leg.wa.gov. For period, fertility, or reproductive-tracking apps, use the reproductive-health data risk checker instead; that category gets its own analysis.

Answer the questions below. The tool returns a risk score, the top compliance flags, and a recommended package tier.

1Washington users

Do you have Washington users right now?

Per RCW 19.373.010, a "consumer" includes a Washington resident OR a natural person whose consumer health data is collected in Washington. A single Washington user can trigger the statute.

Yes, I have Washington users No, no Washington users Unclear (no geo-blocking, no user-state tracking)

2App category

What is the primary app category?

Used to weight the inherent sensitivity of the data flow. For period, fertility, or reproductive-tracking apps, see the reproductive-health data risk checker instead.

App category Select a category Fitness or activity tracking (steps, workouts, heart rate) Nutrition, diet, or food logging Sleep tracking or sleep coaching Mood, journaling, or mental-wellness adjacent Health coaching or behavior change (AI or human) Meditation or mindfulness Weight loss or weight management Other wellness (specify in mailto)

3Data collected

Which categories of data does the app collect?

Per RCW 19.373.010, consumer health data is broad. Steps, sleep, mood, diet, weight, symptoms, medication, and stated goals all plausibly count when associated with a wellness or health context.

Steps, activity, heart rate Sleep duration, stages, or quality Mood, stress, anxiety, journaling Diet, calories, food logs Weight, body composition, BMI Cycle data (see reproductive-health checker) Symptoms or self-reported conditions Medication, supplements, dosage Goals or interventions (sleep target, weight target)

4Inferences generated

Does the app generate inferences about health status from these inputs?

Per RCW 19.373.010, "consumer health data" expressly includes inferences derived from any of the listed categories. A wellness score, a "your sleep is poor" verdict, or a "you may be at risk for X" message is an inference.

Yes, the app infers health status, risk, or conditions No, only displays raw data the user entered

5Analytics SDKs

Are third-party analytics SDKs installed (Google Analytics, Mixpanel, Amplitude, Firebase, etc.)?

SDKs are processors under RCW 19.373.060 and need flow-down contract terms. Many analytics SDKs also receive inferred health context if they log event names like "sleep_score_low" or "mood_recorded_anxious."

Yes, analytics SDKs are installed No analytics SDKs

6Ad pixels

Are ad pixels installed (Meta Pixel, TikTok Pixel, Google Ads, etc.) on the web app or marketing site?

Ad pixels frequently combine with location data near healthcare facilities and trigger the geofence concerns under RCW 19.373.080. Any pixel that targets healthcare-adjacent audiences raises a categorical-ban question.

Yes, ad pixels are installed No ad pixels

7AI model use

Does the app use an AI model on user data?

Third-party AI APIs (OpenAI, Anthropic, Google, etc.) are processors under RCW 19.373.060 when consumer health data is sent for inference. Vendor DPA terms and zero-retention configurations matter.

None In-house model (no third-party inference call) Third-party API (OpenAI, Anthropic, Google, etc.)

8Sharing with outside parties

Is consumer health data shared with coaches, employers, insurers, advertisers, or vendors?

Per RCW 19.373.030, sharing requires a SEPARATE consent distinct from the collection consent. Per RCW 19.373.070, sale requires a nine-element written authorization.

Yes, I share with one or more of these No sharing outside processors I directly control

9Privacy policy URL

What is the privacy policy URL (optional)?

Per RCW 19.373.020, a regulated entity must publish a separate Consumer Health Data Privacy Policy with a prominent homepage link. If you only have a generic policy, the gap is flagged below.

Privacy policy URL

Yes, a SEPARATE Consumer Health Data Privacy Policy exists Only a generic privacy policy No published privacy policy

Score MHMDA risk

How the score is calculated

The score weighs the elements that drive MHMDA exposure for a wellness app. Weights total 100 points.

• Washington nexus (any WA users or unclear targeting): up to 18 points.
• App category sensitivity (mood, mental-wellness, and weight-management score higher): up to 12 points.
• Data categories collected (sleep, mood, weight, symptoms, medication score higher than steps alone): up to 18 points.
• Inferences generated: up to 10 points. Any health inference triggers the consumer-health-data definition.
• Processor and vendor footprint (analytics SDKs, ad pixels, third-party AI): up to 16 points. Each is a processor under RCW 19.373.060.
• Sharing without two-layer consent: up to 12 points. Sharing requires a separate consent under RCW 19.373.030.
• Privacy policy gap (generic-only or missing): up to 14 points. The separate-policy rule is the most-violated requirement under RCW 19.373.020.

The four verdict bands are 80 to 100 (Significant exposure), 60 to 79 (Material gaps), 30 to 59 (Mostly compliant), and 0 to 29 (Compliant or out of scope).

What I deliver

I work fixed-fee on three wellness-app tiers. Pick the one that matches the score band and your timeline.

• $499 MHMDA scope memo. I read the app's data flow and the current policy, give a written scope determination (in-scope / borderline / out-of-scope), and list the priority gaps. Right starting point when the data flow is unclear or the team needs a written answer to decide whether to invest in remediation.
• $900 MHMDA review. I deliver the scope memo plus a redlined separate Consumer Health Data Privacy Policy and the two-layer consent language for collection and sharing. Right tier when the in-scope determination is clear and the work is policy and consent.
• $1,500 MHMDA wellness package. I deliver the scope memo, the standalone health-data policy, the consent flows, the processor and vendor DPA addenda, and a written remediation plan for analytics SDKs and ad pixels. Right tier when the score is in the Significant exposure band or when the app uses third-party AI and adtech.

Authority notes

Statutory citations come from RCW 19.373.010 (consumer, consumer health data, regulated entity, geofence), RCW 19.373.020 (separate policy with homepage link), RCW 19.373.030 (two-layer consent), RCW 19.373.040 (consumer rights), RCW 19.373.050 (data security), RCW 19.373.060 (processor flow-down), RCW 19.373.070 (nine-element sale authorization), RCW 19.373.080 (2,000-foot geofence prohibition), RCW 19.373.090 (per-se CPA pathway), and RCW 19.373.100 (exemptions).

For broader scope analysis, see my MHMDA Scope Analyzer. For background on Washington MHMDA, see my Washington My Health My Data Act resource. For other Washington tools, see my Washington Business Law Resources hub.