MHMDA Business Compliance (Washington)

Complying with Washington's My Health My Data Act (MHMDA), chapter 19.373 RCW, means meeting six core duties: publish a separate consumer health data privacy policy, obtain consent before collecting consumer health data and a separate consent before sharing it, obtain a signed authorization before selling it, honor consumer rights requests, restrict employee and processor access and maintain reasonable security, and follow the geofencing ban. These duties are set out in RCW 19.373.020 through 19.373.080.
As of 2026, every covered organization is past its compliance deadline: most regulated entities since March 31, 2024, and small businesses since June 30, 2024. The reason MHMDA tops compliance priority lists is enforcement. Under RCW 19.373.090, every violation of the chapter is a per se violation of the Washington Consumer Protection Act (chapter 19.86 RCW), so a business faces both Attorney General action and private lawsuits, including class actions, under RCW 19.86.090.
Jurisdiction scope: This covers Washington's My Health My Data Act (chapter 19.373 RCW). It is general legal information, not legal advice.
The compliance timeline and who must comply
MHMDA's deadlines depend on entity type, and as of 2026 all have passed. The geofencing restriction codified at RCW 19.373.080 took effect with the rest of the chapter on July 23, 2023 and applies to any person. Regulated entities that are not small businesses had to comply with the core duties in RCW 19.373.020 through 19.373.070 by March 31, 2024. Small businesses had until June 30, 2024.
Coverage is broad because there is no size threshold. Under RCW 19.373.010, a regulated entity is any legal entity that conducts business in Washington or targets products or services to Washington consumers, and that, alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data. No minimum revenue or consumer count applies, so a small out-of-state app that handles Washington consumers' health data is in scope.
The small business subcategory in RCW 19.373.010 affects timing, not whether the law applies. A small business is a regulated entity that, during a calendar year, handles the consumer health data of fewer than 100,000 consumers, or derives less than half of its gross revenue from handling consumer health data while handling the data of fewer than 25,000 consumers. RCW 19.373.100 then layers on exemptions, including HIPAA protected health information and certain GLBA and FCRA data, which businesses should map at the data level rather than at the entity level. The full picture of who is covered is in the What is MHMDA? guide.
Duty 1: the separate consumer health data privacy policy
RCW 19.373.020 requires every regulated entity and small business to maintain a consumer health data privacy policy, and this policy must be separate: the Attorney General's guidance treats it as a distinct document that cannot be folded into the general website privacy notice, and the statute requires a prominently published link to it on the entity's homepage.
The policy must disclose specific items. Under RCW 19.373.020, it must state the categories of consumer health data collected and the purpose for collection, including how the data will be used; the categories of sources from which the data is collected; the categories of consumer health data that are shared; and a list of the categories of third parties and the specific affiliates with whom the data is shared. It must also explain how a consumer can exercise the rights in RCW 19.373.040.
The Act also imposes a consistency rule. A regulated entity may not collect, use, or share additional categories of consumer health data, or collect, use, or share it for additional purposes, beyond what the policy discloses, without first disclosing the addition and obtaining the consumer's affirmative consent, and it may not contract with a processor in a manner inconsistent with the policy. So the policy is not boilerplate; it operationally constrains what the business can do.
Duty 2: consent to collect and a separate consent to share
Consent is the gate under RCW 19.373.030. A regulated entity may not collect any consumer health data except with consent, or to the extent necessary to provide a product or service the consumer has requested. Likewise, it may not share consumer health data except with consent or under that same necessity standard. In both cases the consent must be obtained before the collection or sharing occurs.
The critical detail is that the two consents are distinct. The consent to share must be separate and distinct from the consent obtained to collect the data. A single combined "I agree" does not satisfy the statute; collecting and sharing each need their own affirmative opt-in.
Consent itself is strictly defined in RCW 19.373.010. It must be a clear affirmative act that signifies freely given, specific, informed, opt-in, voluntary, and unambiguous agreement. It cannot be obtained through acceptance of broad or general terms of use, through a consumer hovering over, muting, pausing, or closing a piece of content, or through deceptive design (dark patterns). The disclosure that precedes a sharing consent must clearly and conspicuously state the categories of data shared, the purpose of the sharing, the categories of recipients, and how the consumer can withdraw consent.

Duty 3: separate authorization to sell
Selling consumer health data triggers a higher bar than consent. Under RCW 19.373.070, a regulated entity may not sell or offer to sell consumer health data without first obtaining a "valid authorization" from the consumer. That authorization is a distinct, detailed, signed document written in plain language, and it may not be combined with the consent to collect or share.
RCW 19.373.070 lists what the authorization must contain. It must specify the consumer health data to be sold; name the seller and the purchaser; describe the purpose of the sale, including how the data will be gathered and used by the purchaser; state that the provision of goods or services may not be conditioned on the consumer signing it; state that the consumer may revoke it at any time and how; and warn that the data sold may be subject to redisclosure by the purchaser and may no longer be protected by the section. It must also include an expiration date no later than one year from when the consumer signs, together with the consumer's signature and the date.
The recordkeeping duty is heavy. Both the seller and the purchaser must retain a copy of every signed valid authorization for six years from the date of its signature or the date the authorization was last in effect, whichever is later. Because the authorization expires after at most one year and cannot be made a condition of service, MHMDA effectively turns selling consumer health data into a deliberate, documented, opt-in transaction rather than a default.
Duty 4: honoring consumer rights requests
Under RCW 19.373.040, regulated entities must build a process to receive and fulfill consumer requests to confirm whether their data is collected or shared, to access it (including a list of the third parties and affiliates that received it), to withdraw consent, and to delete it. The entity must provide one or more secure and reliable methods for submitting requests that account for how consumers interact with it, the need for secure verification, and accessibility, and it cannot require a consumer to create a new account to make a request.
The response timeline is 45 days, extendable once by another 45 days when reasonably necessary given the complexity and number of requests, provided the consumer is told of the extension within the initial 45-day window. Information must be provided free of charge up to twice per year per consumer. A refusal must be explained within the window, with instructions for appeal, and the entity must maintain a conspicuously available appeal process that responds within 45 days of receiving the appeal and gives a still-denied consumer a way to contact the Attorney General.
The deletion duty is especially demanding because it reaches downstream. Under RCW 19.373.040, on a deletion request the entity must delete the data from its records, including archived and backup systems on the bounded timeline the section allows, and must notify all affiliates, processors, contractors, and other third parties that received the data so they delete it too. The consumer-facing detail is covered in the MHMDA consumer rights guide.

Duty 5: access controls, processors, and data security
MHMDA also imposes internal-handling duties. Under RCW 19.373.050, a regulated entity must restrict access to consumer health data by its employees, processors, and contractors to those for whom access is necessary to provide a product or service the consumer requested, or to further a purpose the consumer has consented to. The same section requires the entity to establish, implement, and maintain administrative, technical, and physical data security practices that meet at least a reasonable standard of care for its industry to protect the confidentiality, integrity, and accessibility of consumer health data, appropriate to the volume and nature of the data.
Processor relationships are governed by RCW 19.373.060. A processor may process consumer health data only pursuant to a binding contract with the regulated entity and only in a manner consistent with that entity's binding instructions. A processor that fails to adhere to those instructions, or that processes the data outside the scope of its contract, becomes a regulated entity itself with respect to that data and takes on every duty in the chapter, which raises the stakes for vendor management.
Together these duties mean a compliant program needs role-based access limits that can be evidenced, documented security controls, and tightly scoped processor contracts. A loosely supervised vendor can convert into a regulated entity and create liability on both sides.
Duty 6: the geofencing prohibition
RCW 19.373.080 is a flat prohibition that applies to any person, not just regulated entities, and it had no delayed compliance date: it took effect on July 23, 2023 with the rest of the chapter. It is unlawful to implement a geofence around an entity that provides in-person health care services where the geofence is used to identify or track consumers seeking health care services, to collect consumer health data from them, or to send them notifications, messages, or advertisements related to their consumer health data or health care services.
A geofence, as defined in RCW 19.373.010, is technology that uses GPS coordinates, cell tower connectivity, cellular data, RFID, Wi-Fi data, or any other form of spatial or location detection to establish a virtual boundary around a physical location, or to locate a consumer within one, where the boundary is 2,000 feet or less from the perimeter of that location. Because the prohibition is absolute for the listed purposes, there is no consent path: a business cannot lawfully run geofenced health-facility tracking or advertising even if a consumer agreed.
For advertising and analytics teams, this means auditing any location-based targeting that could touch clinics, pharmacies, mental health providers, reproductive health facilities, or gender-affirming care providers. The risk is not theoretical, because geofencing near health facilities has been a focus of regulatory attention nationally.
Litigation risk: the private right of action
The dominant compliance driver under MHMDA is its enforcement model. RCW 19.373.090 declares that a violation of the chapter is an unfair or deceptive act and an unfair method of competition for purposes of the Washington Consumer Protection Act, chapter 19.86 RCW. The Washington Attorney General has confirmed that this makes any MHMDA violation a per se Consumer Protection Act violation, enforceable by the Attorney General as well as through private action.
The private action runs through RCW 19.86.090, which lets an injured person sue for actual damages, allows the court to increase the award up to three times the actual damages subject to a statutory cap (currently $25,000 in private actions), and permits recovery of costs and reasonable attorney fees. The fee-shifting and treble-damages structure, combined with class action availability, is what makes MHMDA a litigation risk and not merely a regulatory one.
| Duty | Statute | Core requirement |
|---|---|---|
| Privacy policy | RCW 19.373.020 | Separate policy, homepage link, disclose categories and recipients |
| Consent | RCW 19.373.030 | Opt-in to collect; separate opt-in to share |
| Authorization to sell | RCW 19.373.070 | Signed, specific, 1-year authorization; 6-year retention |
| Consumer rights | RCW 19.373.040 | Fulfill requests in 45 days; appeal process |
| Access and security | RCW 19.373.050, .060 | Limit access; bind processors; reasonable security |
| Geofencing | RCW 19.373.080 | No tracking or marketing geofence near health facilities |
This guide does not predict outcomes or recommend whether to sue or settle any matter. As of 2026, the prudent posture for any business that touches Washington consumers' health data is to treat the six duties above as live obligations and to document compliance, given that both the state and private plaintiffs can enforce them.
Related guides
- Washington data privacy laws parent hub
- What is MHMDA?
- MHMDA consumer rights
- State data privacy law comparison
- What is the CCPA?
Sources
- RCW 19.373.020: Consumer health data privacy policy (app.leg.wa.gov)
- RCW 19.373.030: Collection or sharing of consumer health data (app.leg.wa.gov)
- RCW 19.373.040: Consumer rights and requests, refusal, appeal (app.leg.wa.gov)
- RCW 19.373.050: Data security practices (app.leg.wa.gov)
- RCW 19.373.060: Processors (app.leg.wa.gov)
- RCW 19.373.070: Valid authorization to sell (app.leg.wa.gov)
- RCW 19.373.080: Geofence restrictions (app.leg.wa.gov)
- RCW 19.373.090: Application of consumer protection act (app.leg.wa.gov)
- RCW 19.86.090: Consumer Protection Act private right of action (app.leg.wa.gov)
- Washington Attorney General: Protecting Washingtonians' Personal Health Data and Privacy (atg.wa.gov)