Washington My Health My Data Act (MHMDA)

What is the Washington My Health My Data Act?

The Washington My Health My Data Act (MHMDA) is a comprehensive privacy law enacted in 2023. Its purpose is to safeguard a broad category of sensitive information defined as “consumer health data”, which is not fully covered by the federal Health Insurance Portability and Accountability Act (HIPAA).

The law was passed in response to growing privacy concerns, particularly after the U.S. Supreme Court’s decision to overturn Roe v. Wade, with a clear focus on protecting data related to reproductive and gender-affirming healthcare.

MHMDA applies to any “regulated entity” that:

  • Conducts business in Washington State or targets products or services to Washington consumers.
  • Alone or jointly with others, determines the purposes and means of collecting, processing, sharing, or selling consumer health data.

The definition of “consumer health data” is expansive. It includes information that identifies a consumer’s past, present, or future physical or mental health status. This extends beyond traditional medical records to cover data from fitness trackers, period-tracking apps, online searches, and even location information that could reveal a health condition.

The law also applies to small businesses, which are subject to the same requirements but had a slightly delayed compliance deadline.

Enforcement is led by the Washington State Attorney General, and the law provides a private right of action, allowing consumers to bring lawsuits directly against organizations.

What are the requirements for the Washington My Health My Data Act?

Compliance with MHMDA requires a proactive, transparent approach to data collection and processing. The key obligations fall under transparency, consent, and consumer rights.

Prerequisites and Actionable Steps:

1. Create a Standalone Privacy Policy
Regulated entities must publish a dedicated Consumer Health Data Privacy Policy on their homepage. This policy cannot be bundled with a general privacy policy and must clearly disclose:

  • Categories of consumer health data collected.
  • The purposes for which the data is used.
  • Categories of third parties and affiliates with whom the data is shared.
  • Instructions for consumers on how to exercise their rights.

2. Obtain Explicit Consent

  • Collection and Sharing: Separate, affirmative, and unambiguous consent is required before collecting or sharing consumer health data. The consent request must specify the data categories, purposes, and recipients.
  • Sale: Selling consumer health data is heavily restricted. It requires a separate, signed authorization from the consumer, valid for one year, and cannot be a condition of providing goods or services.

3. Establish Consumer Rights
Organizations must implement processes to support:

  • Right to Access – Consumers can confirm whether their health data is being collected, shared, or sold.
  • Right to Delete – Consumers can request deletion of their health data, including from backups and archives.
  • Right to Withdraw Consent – Consumers can revoke consent at any time.

4. Prohibit Geofencing
It is illegal to use a geofence (defined as a virtual boundary of 2,000 feet or less) around facilities providing in-person healthcare services when used to:

  • Identify or track consumers seeking services.
  • Collect consumer health data.
  • Deliver ads or messages related to healthcare services.

Why should you be MHMDA compliant?

Compliance is both a legal requirement and a strategic advantage.

Mitigate Financial Penalties
Violations are considered a per se breach of the Washington Consumer Protection Act. Fines can reach up to $7,500 per violation, creating substantial risk given the broad definition of consumer health data.

Avoid Private Lawsuits
The private right of action exposes organizations to direct lawsuits from consumers, including the potential for costly class actions.

Protect Reputation and Trust
In a market where consumers are highly sensitive to privacy issues, a violation can cause serious reputational harm. Demonstrating compliance builds consumer trust and strengthens brand credibility.

Enhance Data Security
MHMDA pushes organizations to adopt stricter data governance, access controls, and cybersecurity measures — improving overall resilience against breaches and cyberattacks.

How to achieve compliance?

To achieve compliance with the Washington My Health My Data Act (MHMDA), organizations should update their privacy policies to include a standalone Consumer Health Data Privacy Policy, implement robust technical and administrative measures to protect consumer health data, and establish clear procedures for fulfilling consumer rights such as access, deletion, and withdrawal of consent. Employee training on MHMDA obligations and conducting regular compliance audits are also essential to ensure ongoing adherence.

The Centraleyes platform provides a comprehensive assessment tool for MHMDA, enabling organizations to track compliance progress, identify gaps, manage consent, map across different privacy laws, and access actionable guidance aligned with the regulation’s requirements. Contact us for more information.

Read more: 

https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy