The Washington My Health My Data Act (“MHMDA”) represents a fundamental shift in the regulation of health-related personal data in the United States. Enacted in 2023 and codified at Chapter 19.373 of the Revised Code of Washington, the statute was designed to close perceived gaps in federal health privacy law, most notably the limited scope of the Health Insurance Portability and Accountability Act (HIPAA), by extending robust protections to health data collected by entities that fall outside the traditional healthcare ecosystem. The Washington legislature expressly recognized that information relating to an individual’s physical or mental health, or attempts to obtain healthcare services, is among the most sensitive categories of personal data and warrants heightened protection regardless of the identity of the data collector.
The Act applies broadly to any legal entity that conducts business in Washington or targets products or services to Washington consumers and determines the purposes and means of collecting, processing, sharing, or selling consumer health data. Unlike many other state privacy laws, the MHMDA does not exempt nonprofit organizations and can reach out‑of‑state entities when consumer health data is collected or processed in Washington. For businesses operating nationally or globally, this expansive territorial and substantive scope makes Washington compliance a critical component of any broader U.S. privacy strategy.
From a compliance perspective, the MHMDA is notable for three structural features. First, it is an opt‑in, consent‑driven regime that reverses the default assumptions underlying many commercial data practices. Second, it defines “consumer health data” extremely broadly, including inferred data derived from non‑health information. Third, it creates both regulatory enforcement authority and an unusually broad private right of action, significantly increasing litigation risk. Each of these features has direct implications for how businesses must design their data governance programs.
Who and What the Act Regulates
Regulated Entities and Consumers
The MHMDA applies to “regulated entities,” defined as any legal entity that conducts business in Washington or produces or provides products or services targeted to Washington consumers and that determines the purposes and means of collecting, processing, sharing, or selling consumer health data. Government agencies and tribal entities are generally excluded, but private entities of all sizes, including small businesses, are within scope. The only relief for smaller organizations was timing: the general compliance date was March 31, 2024, while small businesses had until June 30, 2024.
The term “consumer” is also broader than under many other privacy laws. It includes not only Washington residents, but also any natural person whose consumer health data is collected in Washington, and “collect” is itself defined broadly to include receiving, inferring, deriving, or otherwise processing the data. Individuals acting in an employment context are excluded. A consumer acting in an individual or household capacity need not be identified by name; identification through online identifiers such as cookies, IP addresses, or device identifiers is sufficient.
For businesses, these definitions mean that MHMDA obligations may attach even in the absence of a traditional customer relationship or physical presence in the state. Online services, mobile applications, advertisers, and analytics providers must therefore assess whether their data flows create a Washington nexus.
The Expansive Definition of Consumer Health Data
At the center of the Act is its definition of “consumer health data.” The statute covers personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. The non‑exclusive list of examples includes information about health conditions, diagnosis, treatment, genetic data, reproductive and sexual health, gender‑affirming care, and precise location data that could reasonably indicate an attempt to acquire health services or supplies.
Critically, the definition also encompasses data derived from non‑health information if it can be used to infer health status. For example, inferences drawn from purchase histories, browsing behavior, or location patterns may constitute consumer health data if they reveal or predict health‑related activities. This derivative aspect significantly expands the compliance perimeter and requires organizations to evaluate not only what data they collect directly, but also what they infer through analytics and profiling.
Core Compliance Obligations Under the MHMDA
Consumer Health Data Privacy Policy
A foundational compliance requirement is the publication of a standalone Consumer Health Data Privacy Policy. Regulated entities must prominently link this policy from their website homepage and, where applicable, from mobile application download pages and in‑app settings. The policy must be limited to the disclosures required by the Act and may not include unrelated marketing or general privacy information.
The policy must clearly describe the categories of consumer health data collected, the sources of that data, the purposes for which it is used, the categories of data shared, the specific affiliates and categories of third parties with whom it is shared, and how consumers may exercise their rights under the Act. If a business later seeks to collect new categories of consumer health data or use existing data for new purposes, it must update the policy and obtain fresh affirmative consent before proceeding.
From a risk management perspective, the Consumer Health Data Privacy Policy operates as both a transparency mechanism and a substantive boundary on permissible processing. Practices that fall outside the four corners of the policy expose the organization to statutory violations.
Consent‑Based Collection and Use
The MHMDA establishes an opt‑in model for consumer health data processing. Except where collection or use of the data is necessary to provide a product or service that the consumer has requested, a regulated entity must obtain the consumer’s affirmative consent before collecting or using consumer health data. Consent must be informed, specific, and freely given. It may not be inferred from acceptance of general terms of use, from hovering over or closing a piece of content, or from bundled disclosures, and it may not be obtained through dark patterns.
Affirmative consent requests must clearly disclose the categories of data involved, the purposes of collection or use, the categories of recipients, and the means by which consent may be withdrawn. Businesses must also implement processes to honor withdrawals of consent and may not discriminate against consumers for exercising their rights.
For many organizations, this consent regime requires a fundamental redesign of product flows, user interfaces, and backend data pipelines. Practices that are routine under general consumer privacy laws—such as passive collection or implied consent—are often impermissible when applied to consumer health data.
Sharing and Selling Consumer Health Data
The Act draws a sharp distinction between “sharing” and “selling” consumer health data, and each activity is subject to distinct consent requirements. Sharing consumer health data with third parties generally requires affirmative consent unless the sharing is necessary to provide a product or service requested by the consumer, and the consent to share must be obtained before the data is shared and must be separate and distinct from the consent obtained to collect it. Routine disclosures for advertising, analytics, or cross‑context behavioral tracking therefore typically require their own opt‑in consent.
Selling consumer health data is subject to even stricter rules. A regulated entity may not sell or offer to sell such data without obtaining a separate, signed, and revocable valid authorization from the consumer. The authorization must comply with formal statutory requirements, including identification of the specific data to be sold, the purchaser, and the purpose of the sale, and a statement that the provision of goods or services may not be conditioned on signing it. Unlike general consent, a valid authorization is transaction‑specific and expires one year after the consumer signs it, significantly limiting secondary monetization strategies.
Consumer Rights and Organizational Response Obligations
The MHMDA grants consumers a suite of rights designed to give them meaningful control over their health data. These include the right to confirm whether a regulated entity is collecting, sharing, or selling consumer health data; the right to access that data; the right to obtain a list of third parties and affiliates that received it; the right to delete the data; and the right to withdraw consent.
Regulated entities must respond to verified consumer requests without undue delay and within 45 days, with the ability to extend the response period by an additional 45 days when reasonably necessary. If a request is denied, the consumer must be informed of the denial and provided with a clear appeals process; if the appeal is also denied, the entity must give the consumer a method for contacting the Attorney General to submit a complaint. Requests must be honored free of charge up to twice annually per consumer.
The deletion right is particularly demanding. Upon a valid request, businesses must delete consumer health data from their active systems and notify all affiliates, processors, contractors, and other third parties that received the data to delete it as well. Where deletion from archived or backup systems is not immediately feasible, deletion from those systems must still be completed within six months of authenticating the request.
Data Security and Processor Obligations
Beyond consent and consumer rights, the MHMDA requires regulated entities to implement reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of consumer health data processed. The statute does not prescribe specific security controls, but it does impose a least‑privilege requirement: access by employees, processors, and contractors must be restricted to those for whom access is necessary to serve the purposes the consumer consented to or to provide the requested product or service. Organizations are therefore expected to take proactive, documented steps to protect health data against unauthorized access, disclosure, or misuse.
Contracts with processors must also include specific terms governing the processing of consumer health data, including obligations to process data only on documented instructions, implement appropriate security measures, and assist the regulated entity in responding to consumer rights requests. A processor that departs from those instructions or processes the data outside the scope of its contract is itself treated as a regulated entity and takes on the full set of statutory obligations. Existing vendor agreements often require substantial revision to meet these standards.
Geofencing Restrictions
One of the most publicized and novel aspects of the MHMDA is its prohibition on certain uses of geofencing technology. The Act makes it unlawful for any person to implement a geofence around a facility that provides in‑person healthcare services when the geofence is used to identify or track consumers seeking health care, collect consumer health data, or send messages or advertisements related to health data or health care services.
A “geofence” is defined as a virtual boundary that uses spatial or location detection technology and is 2,000 feet or less from the perimeter of the physical location. The geofencing prohibition took effect on July 23, 2023, well before the March 31, 2024 compliance date for most other provisions, and it applies to “any person,” whether or not the entity is otherwise subject to the MHMDA’s broader requirements. There is no consent exception. As a result, location‑based advertising and analytics practices must be carefully reviewed to avoid inadvertent violations.
Enforcement, Litigation Risk, and Penalties
Enforcement of the MHMDA occurs through both public and private mechanisms. Any violation of the Act constitutes a per se unfair or deceptive act under the Washington Consumer Protection Act (CPA), exposing regulated entities to enforcement by the Washington Attorney General. More significantly for many businesses, the Act creates a private right of action through the CPA. There is no cure period before suit may be filed, and the per se designation relieves plaintiffs of proving that the practice was unfair or deceptive, although they must still establish the CPA’s remaining elements, including injury to business or property and causation.
This private enforcement model is among the most expansive of any U.S. state privacy law. It potentially enables class action litigation based on alleged technical violations of notice, consent, or rights‑handling obligations. Actual damages, treble damages (capped at $25,000 per claim under the CPA), attorneys’ fees, and injunctive relief can significantly amplify exposure, particularly for organizations with high‑volume consumer interactions.
Building a Practical Compliance Program
Effective compliance with the Washington My Health My Data Act requires more than policy updates. Organizations should begin with a detailed data mapping exercise focused on identifying all sources of consumer health data, including inferred data. From there, businesses should assess whether existing collection, use, sharing, and monetization activities are supported by valid affirmative consent or authorization.
Operationally, compliance often involves coordinated updates to privacy notices, consent management mechanisms, consumer request workflows, vendor contracts, and information security controls. Given the Act’s breadth and enforcement risk, many organizations are integrating MHMDA compliance into broader U.S. state privacy governance frameworks while preserving the heightened protections required for health data.
Conclusion
The Washington My Health My Data Act sets a new benchmark for health data privacy in the United States. Its expansive scope, prescriptive consent requirements, and strong enforcement mechanisms demand careful attention from any business that collects or processes health‑related data connected to Washington. By approaching compliance strategically and proactively, organizations can not only reduce legal risk but also demonstrate a commitment to protecting some of the most sensitive information entrusted to them.
