What Is MHMDA? WA My Health My Data Act

Washington's My Health My Data Act (MHMDA), codified at chapter 19.373 RCW, is a consumer health data privacy law that protects sensitive health information falling outside HIPAA. Enacted as House Bill 1155 and signed by Governor Jay Inslee on April 27, 2023, it gives Washington consumers rights over their "consumer health data" and, unlike almost every other state privacy law, lets individuals sue over violations.
As of 2026, MHMDA is fully in force. Most regulated entities had to comply by March 31, 2024, small businesses by June 30, 2024, and the geofencing ban took effect July 23, 2023. Its headline feature is enforcement: under RCW 19.373.090, a violation is a per se violation of the Washington Consumer Protection Act (chapter 19.86 RCW), which the Attorney General enforces and which carries a private right of action.
Jurisdiction scope: This covers Washington's My Health My Data Act (chapter 19.373 RCW). It is general legal information, not legal advice.
What MHMDA is: statute, enactment, and effective dates
The My Health My Data Act is Washington's standalone consumer health data privacy law. It is codified at chapter 19.373 of the Revised Code of Washington and was enacted during the 2023 regular session as House Bill 1155, a measure championed by the Attorney General's office and sponsored by Representative Vandana Slatter and Senator Manka Dhingra. Governor Jay Inslee signed HB 1155 into law on April 27, 2023.
MHMDA is not a comprehensive privacy law in the mold of California's CCPA or Virginia's VCDPA. It is narrower in subject and broader in reach: it regulates one category of information, consumer health data, but it does so without the revenue or volume thresholds that limit comprehensive statutes. According to the Washington Attorney General, it is the first privacy-focused law in the country built to protect personal health data that sits outside the scope of HIPAA.
The Act phases in by entity type. Section 10 of the Act, the geofencing restriction now at RCW 19.373.080, took effect July 23, 2023. Regulated entities that are not small businesses had to comply with the core duties (sections 4 through 9) beginning March 31, 2024. Small businesses had until June 30, 2024. As of 2026, all of those dates have passed, so every category of covered organization is fully subject to the law.
For the broader picture of how MHMDA fits alongside Washington's other data rules, see the Washington data privacy laws parent page.
The broad "consumer health data" definition
The defined term that makes MHMDA so far-reaching is "consumer health data," set out in RCW 19.373.010. The statute defines it as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.
That core definition is then expanded by a long, nonexclusive list of categories. It includes individual health conditions, treatments, diseases, or diagnoses; social, psychological, behavioral, and medical interventions; health-related surgeries or procedures; use or purchase of prescribed medication; bodily functions, vital signs, and symptoms; diagnoses or diagnostic testing; reproductive or sexual health information; and gender-affirming care information.
The definition reaches further still. It covers biometric data and genetic data, precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies, and data that identifies a consumer seeking health care services. It also covers any information that a regulated entity or its processor, or any third party, derives or extrapolates from other data to associate a consumer with health status.
This breadth is the point. Where HIPAA reaches only "protected health information" held by covered entities such as providers, plans, and clearinghouses, MHMDA reaches the same kinds of facts wherever they live: in a period-tracking app, a fitness platform, a web analytics log, an advertising profile, or a data broker's file. The data does not have to come from a doctor to be protected.

Who is a regulated entity: no threshold
MHMDA's applicability is unusually wide because it has no size threshold. RCW 19.373.010 defines a "regulated entity" as any legal entity that conducts business in Washington, or that produces or provides products or services targeted to consumers in Washington, and that, alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data.
There is no minimum revenue figure and no minimum number of consumers. A comprehensive privacy law typically applies only above a revenue floor or a data-volume count, so a small company can escape it entirely. MHMDA has neither gate at the "regulated entity" level. If a business touches Washington consumers' health data and controls how that data is used, it is in scope.
The Act does carve out a "small business" subcategory, but only for timing and certain obligations, not to remove coverage. Under RCW 19.373.010, a small business is a regulated entity that during a calendar year collects, processes, shares, or sells the consumer health data of fewer than 100,000 consumers, or that derives less than half of its gross revenue from collecting, processing, sharing, or selling consumer health data and controls the data of fewer than 25,000 consumers. Small businesses got the later June 30, 2024 compliance date, but they are still bound by the law.
Government agencies and tribal nations are excluded from the "regulated entity" definition, and RCW 19.373.100 adds exemptions, including for protected health information processed by a HIPAA covered entity or business associate, certain GLBA and FCRA data, and information governed by other listed federal frameworks. Those are data-level and entity-level carve-outs that businesses must map carefully rather than assume.
The geofencing ban
One of MHMDA's most distinctive provisions is its outright ban on certain geofencing, in RCW 19.373.080. The statute makes it unlawful for any person to implement a geofence around an entity that provides in-person health care services where the geofence is used to do any of three things.
Those three prohibited uses are: to identify or track consumers seeking health care services; to collect consumer health data from consumers; or to send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. A "geofence" is defined in RCW 19.373.010 as technology that uses location detection to establish a virtual boundary around a physical location, or to locate a consumer within that boundary, that is 2,000 feet or less from the perimeter of the location.
The geofencing ban is notable for two reasons. First, it applies to any person, not just to regulated entities, which is why it carried the earliest compliance date of July 23, 2023. Second, it is a flat prohibition rather than a consent-based rule: there is no version of geofencing a clinic, abortion provider, or mental health facility for these tracking and marketing purposes that the consumer can authorize away.
The private right of action: MHMDA's centerpiece
The feature that sets MHMDA apart from nearly every other US privacy law is private enforcement. RCW 19.373.090 provides that a violation of the chapter is a violation of the Washington Consumer Protection Act, chapter 19.86 RCW. The Consumer Protection Act, in turn, carries a long-standing private right of action under RCW 19.86.090, which lets an injured person sue and recover actual damages, treble damages up to a statutory cap, costs, and attorney fees.
The Washington Attorney General has confirmed this reading. The AG's materials state that any violation of the Act is a per se violation of the Consumer Protection Act, which is "enforced by the Attorney General as well as through private action." So MHMDA has two enforcement channels running at once: state enforcement by the Attorney General, and private lawsuits, including the possibility of class actions, brought by consumers.
Most comprehensive state privacy laws deliberately exclude private suits and reserve enforcement to the attorney general. MHMDA does the opposite. For businesses, that means litigation exposure on top of regulatory risk, and it is the central reason MHMDA is treated as a high-risk compliance obligation. The MHMDA business compliance guide covers that exposure in depth.

MHMDA vs. HIPAA and comprehensive privacy laws
MHMDA is best understood by contrast with the two regimes around it: HIPAA, and comprehensive state privacy laws like California's CCPA.
| Feature | Washington MHMDA | HIPAA | CCPA / comprehensive laws |
|---|---|---|---|
| What it covers | Consumer health data, broadly defined | Protected health information held by covered entities | All personal data above thresholds |
| Who is covered | Any entity handling WA consumer health data; no threshold | Providers, plans, clearinghouses, business associates | Businesses above revenue or volume thresholds |
| Health data outside the clinic | Covered (apps, sites, brokers, ads) | Not covered | Often covered only as "sensitive data" |
| Geofencing health facilities | Banned (RCW 19.373.080) | Not addressed | Generally not addressed |
| Private right of action | Yes, via the Consumer Protection Act | No | Limited (CCPA, breaches only) |
The key gap MHMDA fills is the health data that HIPAA never touches. When a consumer enters symptoms into a wellness app, searches for a clinic, or has their location logged near a provider, HIPAA usually does not apply because the app or advertiser is not a covered entity. MHMDA steps into that gap.
Against comprehensive laws, MHMDA is narrower in subject but stricter in two respects: it has no threshold to escape coverage, and it allows private suits. The state data privacy law comparison page covers the broader multistate picture, and California's CCPA is the standard comprehensive-law reference point.
What MHMDA means in practice
As of 2026, MHMDA's practical effect has been to push a wide range of consumer-facing companies, well beyond traditional health care, to rethink how they handle anything that could be health data. Advertising technology, analytics tracking, location data, and the sharing of app data with third parties all draw scrutiny under the Act because consumer health data is defined so broadly.
The combination of a no-threshold definition, a broad data definition, and a private right of action is what gives MHMDA its weight. A single tracking pixel that captures health-related browsing, or a data flow that shares health-adjacent information without consent, can become the basis for a Consumer Protection Act claim.
For consumers, MHMDA created rights that did not previously exist for non-HIPAA health data: the right to know whether an entity collects, shares, or sells their consumer health data, to withdraw consent, and to have that data deleted. Those rights are covered in the MHMDA consumer rights guide.
Related guides
- Washington data privacy laws parent hub
- MHMDA consumer rights
- MHMDA business compliance
- State data privacy law comparison
- What is the CCPA?
Sources and References
- Chapter 19.373 RCW: My Health My Data Act (Full Chapter) (app.leg.wa.gov)
- RCW 19.373.010: Definitions (consumer health data, regulated entity, geofence) (app.leg.wa.gov)
- RCW 19.373.080: Geofence restrictions (app.leg.wa.gov)
- RCW 19.373.090: Application of consumer protection act (app.leg.wa.gov)
- RCW 19.373.100: Exemptions (app.leg.wa.gov)
- Washington State HB 1155 (2023): My Health My Data Act (app.leg.wa.gov)
- RCW 19.86.090: Consumer Protection Act private right of action (app.leg.wa.gov)
- Washington Attorney General: Protecting Washingtonians' Personal Health Data and Privacy (atg.wa.gov)