Washington Health Data Protection Requirements: How to Comply with the My Health My Data Act
Consumer Health Data Privacy Policy
What your policy must disclose
A consumer health data privacy policy must clearly state the categories of consumer health data you collect, why you collect it, the sources of that data, what categories you share, and the categories of third parties and specific affiliates with whom you share it. You must also explain how consumers can exercise their rights under the Act. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
Homepage link and change control
You must publish a prominent link to your consumer health data privacy policy on your homepage. If you plan to collect, use, or share any new categories of health data—or use existing data for new purposes—you must disclose those changes and first obtain the consumer’s affirmative consent. The Attorney General’s FAQ clarifies that this must be a separate, distinct homepage link. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
- Post a standalone, plainly labeled “Consumer Health Data Privacy Policy” link on the homepage.
- Map all consumer health data flows so your disclosures stay accurate and current.
- Embed clear instructions for submitting requests to exercise rights.
Affirmative Consent for Data Use
Opt-in before collection and sharing
Outside what is strictly necessary to deliver a requested product or service, you may collect or share consumer health data only with the consumer’s prior, affirmative, opt-in consent. Consent for sharing must be separate and distinct from consent to collect, and your request must disclose categories of data, specific purposes, the categories of entities receiving data, and how to withdraw consent. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
Sale requires a separate valid authorization
If you sell consumer health data, you must first obtain a written, plain-language “valid authorization” that is separate from any other consent. It must specify the data being sold, identify buyer and seller, state the purpose, describe revocation rights, and expire one year after signing. Provide a copy to the consumer and retain authorizations for six years. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
Consumer Health Data Rights
Access, control, and health data deletion rights
Consumers have the right to confirm whether you collect, share, or sell their consumer health data; to access that data; and to obtain a list of all third parties and affiliates with whom you have shared or sold it, plus contact details. They can withdraw consent and request deletion across your systems, including backups (with up to six months to complete backup deletions). You must also pass deletion requests to affiliates, processors, contractors, and other third parties. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
Timelines, frequency, and appeals
Provide responses free of charge up to twice per year, within 45 days (one 45‑day extension permitted when reasonably necessary). You must offer a conspicuous internal appeal process and, upon denial, direct consumers to contact the Washington Attorney General. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
Processor Contract Obligations
Data processor agreements
Processors may handle consumer health data only under a binding contract that sets processing instructions and limits processor actions to those instructions. Processors must assist you in meeting your obligations under the Act. If a processor acts outside your instructions, it becomes a regulated entity for that data and assumes full compliance obligations. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
- Define purpose, data types, permitted operations, retention, and deletion.
- Require assistance with access, deletion, and other consumer requests.
- Flow down confidentiality and security requirements to any sub‑processors.
Industry-Standard Data Security Practices
Reasonable standard of care
You must restrict access to consumer health data to personnel and service providers who need it and implement administrative, technical, and physical safeguards that meet the reasonable standard of care in your industry. Safeguards must be appropriate to the volume and nature of the data you process. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
- Adopt least‑privilege access, MFA, encryption in transit/at rest, and audit logging.
- Apply secure SDLC, vendor risk management, and incident response testing.
- Review controls regularly to match changes in systems, threats, and data use.
Geofencing Prohibition Compliance
Scope of the geofencing prohibition
It is unlawful to implement a geofence around an entity that provides in‑person health care services when used to identify or track visitors, collect consumer health data, or send notifications, messages, or advertisements related to consumer health data or health care services. A “geofence” is a virtual boundary 2,000 feet or less from a facility’s perimeter. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
Operational controls
- Disable SDKs, pixels, or ad tools configured for location triggers near health care facilities.
- Contractually prohibit vendors from location‑based ads or data collection within restricted zones.
- Audit marketing and mobile app code for proximity‑based features that could violate the geofencing prohibition.
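The statute defines a geofence by distance from a facility's perimeter (2,000 feet or less), so the audit of proximity-based features described above reduces to a geometry check over your location-trigger inventory. The following is an added example (not code from Accountable, the Attorney General, or the statute) of such a check: it computes the great-circle distance between each configured circular trigger and each in-person health care facility, subtracts the trigger's radius to get the closest approach of the trigger boundary, and flags any trigger whose boundary comes within 2,000 feet. The trigger record shape, the facility list and all coordinates are constructed for the example; facilities are modelled as single points, which is an assumption (a production audit would test against the real perimeter polygon, so a point-based check can under-flag).

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

# Statutory threshold from RCW 19.373: a "geofence" is a virtual boundary
# 2,000 feet or less from the perimeter of an in-person health care facility.
PROHIBITED_RADIUS_FT = 2000
FT_PER_METER = 3.28084
EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius used by the haversine formula


@dataclass(frozen=True)
class Facility:
    name: str
    lat: float
    lon: float  # assumption: facility modelled as a point, not its real perimeter


@dataclass(frozen=True)
class GeofenceConfig:
    """Hypothetical shape of an ad/analytics SDK location trigger: a circle."""
    trigger_id: str
    lat: float
    lon: float
    radius_m: float


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def boundary_gap_ft(fence: GeofenceConfig, facility: Facility) -> float:
    """Feet between the fence's outer boundary and the facility point.

    Zero (never negative) when the facility lies inside the circle.
    """
    centre_dist_m = haversine_m(fence.lat, fence.lon, facility.lat, facility.lon)
    return max(0.0, centre_dist_m - fence.radius_m) * FT_PER_METER


def flag_prohibited_triggers(
    fences: List[GeofenceConfig], facilities: List[Facility]
) -> List[Tuple[str, str, float]]:
    """Return (trigger_id, facility_name, gap_ft) for every trigger whose
    boundary comes within PROHIBITED_RADIUS_FT of a facility."""
    findings = []
    for fence in fences:
        for fac in facilities:
            gap = boundary_gap_ft(fence, fac)
            if gap <= PROHIBITED_RADIUS_FT:
                findings.append((fence.trigger_id, fac.name, round(gap, 1)))
    return findings


# Constructed sample data (not real facilities or campaigns).
SAMPLE_FACILITIES = [Facility("Clinic A (constructed)", 47.6062, -122.3321)]
SAMPLE_FENCES = [
    GeofenceConfig("promo-at-clinic", 47.6062, -122.3321, 100.0),     # centred on the facility
    GeofenceConfig("promo-nearby", 47.6102, -122.3321, 50.0),         # ~445 m north, boundary ~395 m away
    GeofenceConfig("promo-just-outside", 47.6132, -122.3321, 100.0),  # ~778 m north, boundary ~678 m away
    GeofenceConfig("promo-downtown-far", 47.6562, -122.3321, 100.0),  # ~5.6 km north
]

if __name__ == "__main__":
    for finding in flag_prohibited_triggers(SAMPLE_FENCES, SAMPLE_FACILITIES):
        print("PROHIBITED:", finding)
```

Run this against an export of every location trigger your marketing and mobile SDK configurations define, plus a maintained list of in-person health care facilities. Because the check subtracts the trigger radius before comparing, a large-radius campaign centred far from any facility is still flagged when its edge reaches within 2,000 feet, which is the case a centre-to-centre distance check would miss.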
Compliance Deadlines and Enforcement
MHMDA compliance deadlines
- Geofencing prohibition (Section 10): All persons must comply beginning July 23, 2023. ([atg.wa.gov](https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy))
- Core obligations (Sections 4–9), including privacy policy, consent, rights, security, processors, and sale authorization:
  - Regulated entities (not small businesses): March 31, 2024. ([atg.wa.gov](https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy))
  - Small businesses: June 30, 2024. ([atg.wa.gov](https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy))
Enforcement and penalties
Any violation of the Act is a per se violation of Washington’s Consumer Protection Act (CPA). The CPA is enforceable by the Attorney General and via a private right of action; courts may award actual damages, attorneys’ fees, and up to treble damages (capped at $25,000). Civil penalties for CPA violations can reach $7,500 per violation in state enforcement actions. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
Conclusion
To comply with Washington’s My Health My Data Act, build a precise consumer health data privacy policy, obtain opt‑in consent for any non‑essential collection or sharing, honor robust access and deletion rights, memorialize processor duties in strong data processor agreements, implement safeguards meeting a reasonable standard of care, and eliminate prohibited geofencing practices. Align your program to the MHMDA compliance deadlines and CPA enforcement framework to reduce legal risk and build trust.
FAQs
What is required in a consumer health data privacy policy?
Your policy must disclose the categories of consumer health data collected, purposes of collection and use, sources, categories shared, the categories of third parties and specific affiliates receiving data, and how consumers can exercise their rights; it must also be linked prominently on your homepage. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
How does affirmative consent affect health data sharing?
You may share consumer health data only with prior, affirmative, opt‑in consent that is separate from consent to collect; your request must specify data categories, purposes, categories of recipients, and how consumers can withdraw consent. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
What rights do consumers have under the MHMDA?
Consumers can confirm and access their data, obtain a list of third parties and affiliates who received or purchased it, withdraw consent, and exercise health data deletion rights across your systems and vendors. You generally must respond within 45 days and offer an appeal process. ([app.leg.wa.gov](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true))
When must regulated entities comply with the geofencing prohibition?
The geofencing prohibition applies to all persons beginning July 23, 2023, and remains in force alongside the Act’s other requirements. ([atg.wa.gov](https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.