PUBLISHED ON 2026-04-28

Washington My Health My Data Act: 2026 Compliance Guide


If your app collects anything that hints at a person's physical or mental health — a fitness tracker reading, a symptom search, a meditation session, a fertility log — Washington State has a privacy law that almost certainly applies to you, even if you've never heard of it and your nearest server is a thousand miles from Seattle. The Washington My Health My Data Act (MHMDA) went into force in March 2024, and it does something almost no other US privacy law does: it lets ordinary consumers sue you directly when you get it wrong.

This guide is for SaaS founders, indie developers, marketers, and product managers who suspect their app might handle "consumer health data" and want to know what compliance actually looks like in 2026. We'll cover who the law applies to, the surprisingly broad definition of consumer health data, the consent and authorization rules, the geofencing ban, and a practical compliance checklist you can work through this week.

What Is the Washington My Health My Data Act?

The Washington My Health My Data Act, codified at RCW 19.373, is a state privacy law focused entirely on health-related personal information. It was passed in 2023 in response to a specific concern: most general privacy laws (and HIPAA itself) leave huge gaps when it comes to consumer health data collected by apps, websites, and connected devices. A period tracker, a sleep app, an online pharmacy, and a search engine indexing health queries are all generally outside HIPAA's scope, yet they handle some of the most sensitive information a person ever shares.

The MHMDA closes that gap. It imposes consent, transparency, sale-authorization, geofencing, and security requirements on a broad class of "regulated entities" that handle Washington consumers' health data. Compliance for most regulated entities began on March 31, 2024, with small businesses given an additional three months until June 30, 2024. The geofencing ban took effect even earlier, on July 23, 2023.

Who Does the MHMDA Apply To?

The law uses two terms — "regulated entity" and "small business" — but both must satisfy the same threshold test, and both must comply with the same substantive obligations. There is no revenue or user-count threshold below which the law simply does not apply.

A regulated entity is any legal entity that (a) conducts business in Washington or produces or provides products or services targeted to consumers in Washington, and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data. Government agencies, tribal nations, and contractors processing data on a government agency's behalf are excluded. Ordinary processors and vendors fall outside the definition because they do not determine purpose and means, but they are not free of obligations: they may only act on the regulated entity's documented instructions, and a processor that goes beyond those instructions is treated as a regulated entity for that data.

The "Doing Business in Washington" Test

The threshold is intentionally broad. If your SaaS has Washington-based users — or even targets them through marketing, app store listings, or geo-relevant content — you likely fall within scope. There is no minimum number of Washington consumers required, and a single covered interaction can be enough to trigger obligations.

Small Business Carve-Out

The MHMDA defines a "small business" as one that satisfies either of the following:

  • Collects, processes, sells, or shares the consumer health data of fewer than 100,000 consumers in a calendar year; or
  • Derives less than 50% of gross revenue from collecting, processing, selling, or sharing consumer health data, and collects, processes, sells, or shares the consumer health data of fewer than 25,000 consumers.

Small businesses got a three-month extension on the original effective date, but they are otherwise subject to every requirement in the Act. There is no permanent exemption — only a head-start grace period that has long since expired.

What Counts as "Consumer Health Data"?

This is the part most teams underestimate. The Act defines consumer health data as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. The phrase "health status" is then explicitly broadened to include, among other things:

  • Individual health conditions, treatments, diseases, or diagnoses
  • Social, psychological, behavioral, and medical interventions
  • Health-related surgeries or procedures
  • Use or purchase of prescribed medications
  • Bodily functions, vital signs, symptoms, or measurements
  • Diagnoses or diagnostic testing, treatment, or medication
  • Gender-affirming care information
  • Reproductive or sexual health information
  • Biometric data linked to health
  • Genetic data
  • Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies
  • Data that identifies a consumer seeking health care services
  • Any information derived or extrapolated from non-health information that is used by a regulated entity to associate or identify a consumer with the data above

That last bullet is the sleeper. Inferred or derived health data — for example, a wellness score generated from step counts, or an ad audience segment built from purchase history that suggests a chronic condition — is in scope even when none of the underlying inputs were obviously "health" data. If you run analytics or personalization, you should assume some derived signals will trip this definition.

Core Compliance Requirements

The MHMDA is organized around a familiar privacy structure — notice, consent, rights, security — but several rules are stricter than what consumer privacy laws like the CCPA or VCDPA require. The major obligations are summarized below.

Requirement | What It Means in Practice
Stand-alone Consumer Health Data Privacy Policy | Publish a separate privacy notice, linked from your homepage, listing the categories of consumer health data collected, sources, purposes, third parties, and consumer rights. It cannot be buried inside your general privacy policy.
Affirmative consent before collection or sharing | Opt-in consent is required for any collection or sharing that is not strictly necessary to provide the product or service the consumer requested.
Separate, written authorization to sell | Sales of consumer health data require a separate signed authorization, valid for one year, naming the specific data, the purchaser, and the purpose.
Consumer rights | Right to confirm, access, withdraw consent, and request deletion, with deletion propagated downstream to processors, contractors, affiliates, and third parties.
Data minimization and security | Collect only what you need, restrict internal access, and apply reasonable administrative, technical, and physical safeguards.
Processor contracts | Vendors handling consumer health data on your behalf must be bound by contracts that limit their use of the data to your instructions.
Geofencing prohibition | No geofences within 2,000 feet of any in-person health care provider for tracking, data collection, or targeted messaging.

Consent vs. Authorization

The MHMDA carefully distinguishes between consent (used for collection and sharing beyond what is necessary) and authorization (used specifically for sales). The two are not interchangeable. Authorization must be a stand-alone, plain-language, signed document that names the specific data, the purchasing party, and the purpose, and that is revocable by the consumer at any time. Bundling authorization into a long terms-of-service is not compliant. If you currently rely on a single click-through consent flow for everything, that is a structure you need to redesign.

The Geofencing Ban Around Health Facilities

One of the MHMDA's most distinctive provisions is an outright ban on geofencing around in-person health care facilities. The Act defines a geofence as technology that uses GPS, cell-tower, Wi-Fi, or other location data to create a virtual boundary up to 2,000 feet from the perimeter of a physical location, or to locate a consumer within such a boundary.

It is unlawful for any person to implement such a geofence around an entity that provides in-person health care services where the geofence is used to (1) identify or track consumers seeking health care, (2) collect consumer health data, or (3) send notifications, messages, or advertisements related to the consumer's health data or health care. This applies even if you are not a "regulated entity" under the rest of the Act — the geofencing prohibition is broad.

If your platform offers location-based ad targeting or push notifications, your ad ops and SDK partners need to confirm that no targeting layer is using clinic, hospital, pharmacy, or specialist proximity as a signal.
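The audit step above is easier to run than to argue about. The script below is an added illustration, not code from the page or from any ad platform: it models each ad-targeting geofence and each in-person health facility as a circle (center coordinate plus radius) and flags any fence whose boundary comes within 2,000 feet of a facility's perimeter, which is the distance the Act uses to define a prohibited geofence. The facility list and campaign rules are constructed sample data with arbitrary coordinates, and the 2,000-foot buffer applies to anyone who sets the fence, regulated entity or not. In a real audit you would feed it your ad platform's exported targeting rules and a facility list from a licensed provider directory.

```python
"""Geofence audit: flag location-targeting rules whose boundary falls within
2,000 feet of an in-person health care facility (RCW 19.373 geofence definition).
Added illustrative code; all coordinates and campaign names are constructed."""
import math
from dataclasses import dataclass

FEET_PER_METER = 3.28084
EARTH_RADIUS_FT = 6_371_000.0 * FEET_PER_METER
MHMDA_BUFFER_FT = 2000.0  # distance from a facility perimeter that defines a geofence


@dataclass(frozen=True)
class Circle:
    """A geofence or a facility, approximated as a circle.

    For a facility, radius_ft is the approximate distance from the centroid
    to the building perimeter, so the check measures from the perimeter
    rather than from a single point (the statute measures from the perimeter).
    """
    name: str
    lat: float
    lon: float
    radius_ft: float


def haversine_ft(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in feet between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_FT * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def gap_ft(fence: Circle, facility: Circle) -> float:
    """Shortest distance between the fence boundary and the facility perimeter.

    Negative means the fence already overlaps the facility.
    """
    center_dist = haversine_ft(fence.lat, fence.lon, facility.lat, facility.lon)
    return center_dist - fence.radius_ft - facility.radius_ft


def audit(fences, facilities, buffer_ft: float = MHMDA_BUFFER_FT):
    """Return (fence name, facility name, gap in feet) for every prohibited fence.

    A fence is flagged when its boundary lies within buffer_ft of a facility
    perimeter, including the overlap case (gap <= 0).
    """
    findings = []
    for fence in fences:
        for facility in facilities:
            g = gap_ft(fence, facility)
            if g <= buffer_ft:
                findings.append((fence.name, facility.name, round(g)))
    return findings


# Constructed sample data: one facility and three targeting rules at
# arbitrary coordinates chosen so the three cases (overlap, inside the
# buffer, clearly outside) are easy to see. 0.01 degrees of latitude is
# roughly 3,648 feet.
SAMPLE_FACILITIES = [
    Circle("sample_clinic", 47.6000, -122.3300, radius_ft=200),
]
SAMPLE_FENCES = [
    # Fence sits almost on top of the clinic: gap is negative (overlap).
    Circle("pharmacy_promo_near_clinic", 47.6010, -122.3300, radius_ft=500),
    # Fence boundary stops about 1,950 feet from the perimeter: still prohibited.
    Circle("wide_downtown_radius", 47.6100, -122.3300, radius_ft=1500),
    # Fence boundary is more than a mile away: allowed under the 2,000-foot rule.
    Circle("stadium_event_push", 47.6200, -122.3300, radius_ft=500),
]


if __name__ == "__main__":
    for fence_name, facility_name, gap in audit(SAMPLE_FENCES, SAMPLE_FACILITIES):
        print(f"PROHIBITED: {fence_name} is {gap} ft from {facility_name}")
```

Two points to keep in mind when adapting this. First, the check is deliberately conservative: the statute measures 2,000 feet from the facility perimeter, so modelling the facility as a point with a zero radius would under-report. Second, the facility list is the hard part, not the geometry: clinics, pharmacies, and specialist offices are all in-person health care providers, so the list must be broader than hospitals alone.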

Consumer Rights Under the MHMDA

Consumers in Washington have four core rights with respect to their consumer health data:

  1. Right to confirm whether a regulated entity is collecting, sharing, or selling their consumer health data.
  2. Right to access a list of all third parties and affiliates with whom the regulated entity has shared or sold the data, with active contact information for each.
  3. Right to withdraw consent from collection and sharing.
  4. Right to delete their consumer health data, with the obligation flowing through to processors, contractors, affiliates, and any third parties who received the data.

The deletion right is notable for its downstream reach. Unlike a simple "delete my account" button, the MHMDA expects you to notify every affiliate, processor, contractor, and third party to whom you transmitted the data so that they delete it as well. Build a vendor inventory, with contact details and the data each vendor received, before you receive your first request; you cannot improvise this inside the 45-day response window.

Why MHMDA Has Teeth: The Private Right of Action

Most US state privacy laws are enforced only by attorneys general. The MHMDA is different. A violation of the Act is a per se violation of the Washington Consumer Protection Act, which means consumers can sue directly without having to prove a separate unfair or deceptive practice. The Washington Attorney General can also bring enforcement actions. Civil suits can include actual damages, injunctive relief, and attorneys' fees, and Washington courts are authorized to award treble damages up to $25,000 in CPA cases.

Per-consumer damages add up quickly when a privacy issue affects thousands or millions of users. Class-action plaintiffs' firms have historically been the primary driver of biometric privacy litigation under Illinois's BIPA — and the same playbook is widely expected to be applied to MHMDA. For more on how private rights of action shape compliance budgets, see our companion guide on BIPA compliance for SaaS.

How MHMDA Differs From HIPAA

A common misconception is that any health-related data law overlaps neatly with HIPAA. It does not. HIPAA only covers Protected Health Information (PHI) handled by covered entities (most providers, plans, and clearinghouses) and their business associates. Most consumer apps are not covered entities. The MHMDA fills the gap by regulating the same kinds of information when handled by the consumer-facing companies HIPAA does not reach. If you are a HIPAA business associate, your existing HIPAA-compliant practices will satisfy many MHMDA requirements — but not all of them, particularly around the stand-alone privacy policy and the sale authorization. Our HIPAA compliance checklist is a useful sister read for teams figuring out which framework applies where.

Building an MHMDA-Compliant Privacy Policy

The Act requires a separate Consumer Health Data Privacy Policy, distinct from your main privacy policy and prominently linked from your homepage. It must include, at minimum, the categories of consumer health data collected, the categories of sources, the purposes of collection, the categories of third parties and affiliates with whom data is shared, the categories of consumer health data sold, and a clear explanation of how to exercise rights. The disclosures must be clear and specific; vague or generic statements such as "we may share data with partners" will not survive enforcement.

If you currently use a generator to draft your main privacy policy, you can use the same approach for this stand-alone notice. Our privacy policy generator produces a baseline you can extend with the MHMDA-specific disclosures. Pair it with the mobile and platform-specific guidance in our mobile app privacy policy guide if your product ships through the app stores.

MHMDA Compliance Checklist

Use this checklist to scope a first compliance pass. Most teams can complete the policy work in a focused two-week sprint; vendor and product changes typically take longer.

  • Inventory every place the product collects, derives, or shares anything that could touch on physical or mental health, fitness, reproductive activity, location near medical facilities, or biometrics.
  • Determine whether your business meets the MHMDA threshold (most consumer-facing US companies with Washington users do).
  • Re-architect your consent flows so collection and sharing beyond strict necessity are gated by affirmative opt-in.
  • Stop relying on bundled consent for sales — design a separate, signed authorization flow if you sell consumer health data.
  • Audit ad targeting and SDK partners for any geofencing within 2,000 feet of medical facilities; remove such targeting entirely.
  • Publish a stand-alone Consumer Health Data Privacy Policy linked from the homepage.
  • Build a 45-day rights response workflow (the Act allows a 45-day initial response, with one 45-day extension where reasonably necessary).
  • Review every vendor contract that touches health data and add MHMDA-aligned restrictions on use, retention, sub-processing, and deletion.
  • Document retention schedules — collect what you need, keep it only as long as you need it.
  • Train customer support and engineering on how to spot, route, and fulfill rights requests.

If your product also handles non-health personal data covered by other US state privacy laws, integrate this work with your broader data breach notification and consumer-rights program rather than running parallel processes.

Beyond Washington: Other States Are Watching

Nevada and Connecticut have already passed their own consumer health data laws modeled in large part on MHMDA, with Connecticut's amendments to the Connecticut Data Privacy Act in particular adopting similar definitions. Maryland's Online Data Privacy Act, effective in 2025, also includes heightened protections for consumer health data. Designing your stack around the strictest of these — currently MHMDA — means you will likely be well-positioned for the broader patchwork without per-state retrofits. The Washington Attorney General's MHMDA guidance remains the best plain-language summary for non-lawyers, and the FTC's Health Breach Notification Rule is a useful reference for adjacent obligations on health apps that experience security incidents.

Frequently Asked Questions

Does MHMDA apply if my company is based outside Washington?

Yes. The Act applies to any entity that conducts business in Washington or that provides products or services targeted at Washington consumers. There is no minimum number of Washington consumers required and no in-state physical presence test, so most consumer-facing US apps fall within scope.

Is fitness tracker data really "consumer health data"?

Almost certainly. The statutory definition explicitly includes bodily functions, vital signs, symptoms, and measurements, as well as data extrapolated to identify health status. Step counts, heart rate, sleep stages, and weight readings will be in scope, and inferred wellness scores will be too.

Does the small business carve-out exempt me from compliance?

No. The carve-out only delayed the original effective date by three months — it did not create an ongoing exemption. Small businesses must comply with every substantive requirement in the Act.

Can I bury the consumer health data privacy policy inside my main privacy policy?

No. The MHMDA explicitly requires a stand-alone Consumer Health Data Privacy Policy, linked separately and prominently from the homepage. A merged document is not compliant.

Are there fines for MHMDA violations?

The MHMDA is enforced through the Washington Consumer Protection Act, which authorizes injunctive relief, actual damages, attorneys' fees, and treble damages of up to $25,000 per violation in qualifying CPA cases. Consumers can also bring suit directly, which is the most significant enforcement risk for most companies.

Does HIPAA compliance automatically mean MHMDA compliance?

No. HIPAA-covered PHI is exempt from the MHMDA, but most consumer apps are not HIPAA-covered. Even if you are a HIPAA business associate, the MHMDA imposes additional requirements — particularly the stand-alone privacy policy and the sale authorization — that HIPAA does not.

What about consumer health data we collected before March 2024?

The Act's transparency, rights, and deletion obligations apply to consumer health data already in your possession, not only data collected after the effective date. Build your access and deletion workflows to cover historical records, including backups within reason.

This article is for informational purposes only and is not legal advice. Consult a qualified attorney for your specific situation.